Windows Analysis Report
crypted_UClient.exe

Overview

General Information

Sample name: crypted_UClient.exe
Analysis ID: 1577565
MD5: c1bfa131bbdef5f2e438d5c8bbaef2ca
SHA1: 23c1632a3b7a813c600f62e1db91bc8f5393f92e
SHA256: 018a3230583fa89466619a1561b96a5402fea166f0ab3a94e0e0787de2a69843
Tags: 18521511316185215113209 bulletproof exe RustyStealer signed user-abus3reports

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • crypted_UClient.exe (PID: 5632 cmdline: "C:\Users\user\Desktop\crypted_UClient.exe" MD5: C1BFA131BBDEF5F2E438D5C8BBAEF2CA)
    • schtasks.exe (PID: 5536 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "UClient" /tr "C:\Users\user\AppData\Roaming\UClient.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 5588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • UClient.exe (PID: 4784 cmdline: C:\Users\user\AppData\Roaming\UClient.exe MD5: C1BFA131BBDEF5F2E438D5C8BBAEF2CA)
  • UClient.exe (PID: 3268 cmdline: "C:\Users\user\AppData\Roaming\UClient.exe" MD5: C1BFA131BBDEF5F2E438D5C8BBAEF2CA)
  • UClient.exe (PID: 5192 cmdline: "C:\Users\user\AppData\Roaming\UClient.exe" MD5: C1BFA131BBDEF5F2E438D5C8BBAEF2CA)
  • UClient.exe (PID: 6416 cmdline: C:\Users\user\AppData\Roaming\UClient.exe MD5: C1BFA131BBDEF5F2E438D5C8BBAEF2CA)
  • cleanup

Malware Configuration

{"C2 url": ["154.216.18.132"], "Port": 6767, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Yara matches (memory dumps)

Source | Rule | Description | Author
00000009.00000002.3506779671.000002A2DA4C0000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Donutloader_f40e3759 | unknown | unknown
  • 0xa53b:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
  • 0xdad1:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000006.00000002.4194518088.0000022BB0D80000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000006.00000002.4194518088.0000022BB0D80000.00000004.08000000.00040000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x7502:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x759f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x76b4:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x733e:$cnc4: POST / HTTP/1.1
00000000.00000002.4587719290.0000025191F60000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Donutloader_f40e3759 | unknown | unknown
  • 0xa53b:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
  • 0xdad1:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000006.00000002.4194871536.0000022BB0F31000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
(17 further entries not shown)

Yara matches (unpacked PE files)

Source | Rule | Description | Author
9.2.UClient.exe.2a2dbd60000.0.raw.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
9.2.UClient.exe.2a2dbd60000.0.raw.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x7502:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x759f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x76b4:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x733e:$cnc4: POST / HTTP/1.1
6.2.UClient.exe.22bb0d80000.0.raw.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
6.2.UClient.exe.22bb0d80000.0.raw.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x7502:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x759f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x76b4:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x733e:$cnc4: POST / HTTP/1.1
9.2.UClient.exe.2a2dbd60000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
(23 further entries not shown)

System Summary

Sigma matches

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Roaming\UClient.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\crypted_UClient.exe, ProcessId: 5632, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UClient
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\Desktop\crypted_UClient.exe, ProcessId: 5632, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UClient.lnk
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "UClient" /tr "C:\Users\user\AppData\Roaming\UClient.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "UClient" /tr "C:\Users\user\AppData\Roaming\UClient.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\crypted_UClient.exe", ParentImage: C:\Users\user\Desktop\crypted_UClient.exe, ParentProcessId: 5632, ParentProcessName: crypted_UClient.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "UClient" /tr "C:\Users\user\AppData\Roaming\UClient.exe", ProcessId: 5536, ProcessName: schtasks.exe

Suricata alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-18T15:37:15.186590+0100 | 2853193 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50020 | 154.216.18.132 | 6767 | TCP
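The three Sigma hits above describe one persistence chain: a Run key pointing at the dropped copy in %AppData%, a .lnk in the Startup folder, and a scheduled task that relaunches that copy every minute with the highest run level. The following is an added example, not part of the report and not a Sigma rule's own code: it applies the same three conditions to Sysmon-style event records in Python. The event dictionaries are constructed to mirror the Data fields shown in the report (plus one benign control event); the folder lists and field names are assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Constructed Sysmon-style records that mirror the Data fields of the three Sigma hits
# in the report; they are not copied from the sandbox and include one benign control.
EVENTS = [
    {"EventID": 13, "EventType": "SetValue", "ProcessId": 5632,
     "Image": r"C:\Users\user\Desktop\crypted_UClient.exe",
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UClient",
     "Details": r"C:\Users\user\AppData\Roaming\UClient.exe"},
    {"EventID": 11, "ProcessId": 5632,
     "Image": r"C:\Users\user\Desktop\crypted_UClient.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UClient.lnk"},
    {"EventID": 1, "ProcessId": 5536,
     "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Users\user\Desktop\crypted_UClient.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 '
                    r'/tn "UClient" /tr "C:\Users\user\AppData\Roaming\UClient.exe"'},
    {"EventID": 1, "ProcessId": 7001,  # benign control: daily task whose action lives in Program Files
     "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Program Files\Vendor\setup.exe",
     "CommandLine": r'schtasks.exe /create /sc daily /tn "VendorUpdate" /tr "C:\Program Files\Vendor\update.exe"'},
]

AUTORUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
# Folders an unprivileged user can write to; a task action under one of them is the
# core condition of the "Suspicious Schtasks From Env Var Folder" logic (assumed list).
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\users\\public\\", "\\temp\\")


@dataclass(frozen=True)
class Alert:
    rule: str
    process_id: int
    evidence: str


def check_autorun_key(ev: dict):
    """Sysmon EventID 13 (registry value set) under an autorun key."""
    if ev.get("EventID") != 13:
        return None
    target = ev.get("TargetObject", "")
    if any(k in target.lower() for k in AUTORUN_KEYS):
        return Alert("CurrentVersion Autorun Keys Modification", ev["ProcessId"],
                     f"{target} = {ev.get('Details', '')}")
    return None


def check_startup_folder_write(ev: dict):
    """Sysmon EventID 11 (file create) inside a Start Menu Startup folder."""
    if ev.get("EventID") != 11:
        return None
    name = ev.get("TargetFilename", "")
    if STARTUP_DIR in name.lower():
        return Alert("Startup Folder File Write", ev["ProcessId"], name)
    return None


def task_action(cmdline: str):
    """Return the /tr action path from a schtasks command line (quoted or bare)."""
    m = re.search(r'/tr\s+(?:"([^"]+)"|(\S+))', cmdline, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else None


def check_suspicious_schtasks(ev: dict):
    """Sysmon EventID 1: schtasks /create whose action lives in a user-writable folder.
    A minute interval and /RL HIGHEST, both seen in the report, are appended as evidence."""
    if ev.get("EventID") != 1 or not ev.get("Image", "").lower().endswith("\\schtasks.exe"):
        return None
    cl = ev.get("CommandLine", "")
    action = task_action(cl)
    if "/create" not in cl.lower() or action is None:
        return None
    if not any(d in action.lower() for d in USER_WRITABLE):
        return None
    extras = []
    if re.search(r"/sc\s+minute", cl, re.I):
        extras.append("runs every minute" if re.search(r"/mo\s+1\b", cl, re.I) else "minute schedule")
    if re.search(r"/rl\s+highest", cl, re.I):
        extras.append("/RL HIGHEST")
    return Alert("Suspicious Schtasks From Env Var Folder", ev["ProcessId"],
                 action + (" (" + ", ".join(extras) + ")" if extras else ""))


CHECKS = (check_autorun_key, check_startup_folder_write, check_suspicious_schtasks)


def triage(events):
    """Run every check over every event; alerts come back in event order."""
    return [a for ev in events for a in (c(ev) for c in CHECKS) if a is not None]


if __name__ == "__main__":
    for a in triage(EVENTS):
        print(f"[{a.rule}] pid={a.process_id}: {a.evidence}")
```

Correlating the three alerts on the same parent PID (5632 here) is what turns three medium-severity hits into one high-confidence persistence finding; the benign control event produces nothing because its action path is under Program Files.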


AV Detection

Source: 00000006.00000002.4194871536.0000022BB0F31000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Xworm {"C2 url": ["154.216.18.132"], "Port": 6767, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source: C:\Users\user\AppData\Roaming\UClient.exe | ReversingLabs: Detection: 21%
Source: crypted_UClient.exe | ReversingLabs: Detection: 21%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 6.2.UClient.exe.22bb0d80000.0.unpack | String decryptor: 154.216.18.132
Source: 6.2.UClient.exe.22bb0d80000.0.unpack | String decryptor: 6767
Source: 6.2.UClient.exe.22bb0d80000.0.unpack | String decryptor: <123456789>
Source: 6.2.UClient.exe.22bb0d80000.0.unpack | String decryptor: <Xwormmm>
Source: 6.2.UClient.exe.22bb0d80000.0.unpack | String decryptor: U+
Source: 6.2.UClient.exe.22bb0d80000.0.unpack | String decryptor: USB.exe
Source: 6.2.UClient.exe.22bb0d80000.0.unpack | String decryptor: %AppData%
Source: 6.2.UClient.exe.22bb0d80000.0.unpack | String decryptor: UClient.exe
Source: crypted_UClient.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: Unhook.pdb | source: crypted_UClient.exe, UClient.exe.0.dr
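The configuration extractor gives the key string "<123456789>" and the string decryptor lists the plaintexts it recovered, but the report does not state how the key string becomes an AES key. The following is an added example, not the sandbox's extractor and not code from the report: it assumes the key schedule publicly documented for XWorm's Algo.Decrypt routine (MD5 of the UTF-8 key string laid into a zeroed 32-byte buffer at offsets 0 and 15, AES-256 in ECB mode with PKCS#7 padding, Base64 transport). If a given build's routine differs, only xworm_aes_key needs changing. The AES round-trip relies on pycryptodome and is skipped when it is not installed; the key derivation itself uses only the standard library.

```python
import base64
import hashlib

# Key string as extracted by the report ("Aes key") and the plaintexts its string
# decryptor listed. The derivation below is an assumption taken from public write-ups
# of XWorm's Algo.Decrypt, not something the report itself states.
REPORT_KEY_STRING = "<123456789>"
REPORT_DECRYPTED_STRINGS = ["154.216.18.132", "6767", "<Xwormmm>", "USB.exe", "%AppData%", "UClient.exe"]


def xworm_aes_key(key_string: str) -> bytes:
    """Build the 32-byte AES key the way the documented routine does:
    MD5(key) is copied into a zeroed 32-byte buffer at offset 0 and again at offset 15,
    so the result is digest[:15] + digest + one zero byte."""
    digest = hashlib.md5(key_string.encode("utf-8")).digest()
    key = bytearray(32)
    key[0:16] = digest
    key[15:31] = digest          # overwrites byte 15 with digest[0]; byte 31 stays 0
    return bytes(key)


def key_layout_is_consistent(key: bytes) -> bool:
    """Structural sanity check: 32 bytes, the first 15 repeat at offset 15, zero tail."""
    return len(key) == 32 and key[0:15] == key[15:30] and key[31] == 0


def _aes_ecb(key_string: str):
    # pycryptodome is imported lazily so that key derivation works without it.
    from Crypto.Cipher import AES
    return AES.new(xworm_aes_key(key_string), AES.MODE_ECB)


def xworm_decrypt(b64_ciphertext: str, key_string: str) -> str:
    """Base64 -> AES-256-ECB -> PKCS#7 unpad -> UTF-8 (the documented decrypt direction)."""
    from Crypto.Util.Padding import unpad
    raw = base64.b64decode(b64_ciphertext)
    return unpad(_aes_ecb(key_string).decrypt(raw), 16).decode("utf-8")


def xworm_encrypt(plaintext: str, key_string: str) -> str:
    """Inverse of xworm_decrypt, used here only to build offline test vectors."""
    from Crypto.Util.Padding import pad
    data = pad(plaintext.encode("utf-8"), 16)
    return base64.b64encode(_aes_ecb(key_string).encrypt(data)).decode("ascii")


def roundtrip_ok(plaintext: str, key_string: str):
    """True when encrypt and decrypt agree; None when pycryptodome is unavailable."""
    try:
        return xworm_decrypt(xworm_encrypt(plaintext, key_string), key_string) == plaintext
    except ImportError:
        return None


if __name__ == "__main__":
    key = xworm_aes_key(REPORT_KEY_STRING)
    print("derived AES-256 key:", key.hex())
    for s in REPORT_DECRYPTED_STRINGS:
        result = roundtrip_ok(s, REPORT_KEY_STRING)
        print(f"{s!r}: {'round-trip ok' if result else 'pycryptodome missing, skipped' if result is None else 'MISMATCH'}")
```

Two practical consequences follow from the assumed scheme: ECB with a static key means identical plaintext strings encrypt to identical blobs across samples built with the same key, which makes the Base64 blobs themselves usable as indicators, and the key is a weak default-looking string, so extractors can brute-force candidates against any blob that decrypts to clean UTF-8 with valid padding.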

            Networking

Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.6:50004 -> 154.216.18.132:6767
Source: Network traffic | Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.6:50020 -> 154.216.18.132:6767
Source: Malware configuration extractor | URLs: 154.216.18.132
Source: global traffic | TCP traffic: 192.168.2.6:49840 -> 154.216.18.132:6767
Source: Joe Sandbox View | ASN Name: SKHT-ASShenzhenKatherineHengTechnologyInformationCo
Source: unknown | TCP traffic detected without corresponding DNS query: 154.216.18.132 (reported 50 times)
Source: crypted_UClient.exe, 00000000.00000002.4588540837.0000025193A41000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: crypted_UClient.exe, UClient.exe.0.dr | String found in binary or memory: http://www.oracle.net0
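The networking findings reduce to three host-side heuristics: the C2 address is hard-coded (every connection goes to 154.216.18.132 with no preceding DNS query), the port 6767 is not a common service port, and the connections repeat on a schedule. The following is an added example in Python, not part of the report and not a Suricata rule; it runs those heuristics over constructed DNS and connection logs. Only the C2 address and port come from the report; the timestamps, the benign rows, the common-port list and the jitter threshold are invented for illustration.

```python
import statistics
from datetime import datetime

# Constructed DNS answers and connection records for the sandbox host 192.168.2.6.
# The C2 address and port match the report; everything else is invented.
DNS_LOG = [
    # (timestamp, client, query name, answer address)
    ("2024-12-18T15:36:40", "192.168.2.6", "update.example.com", "203.0.113.10"),
]
CONN_LOG = [
    # (timestamp, source, destination, destination port)
    ("2024-12-18T15:36:41", "192.168.2.6", "203.0.113.10", 443),
    ("2024-12-18T15:37:05", "192.168.2.6", "154.216.18.132", 6767),
    ("2024-12-18T15:37:15", "192.168.2.6", "154.216.18.132", 6767),
    ("2024-12-18T15:37:25", "192.168.2.6", "154.216.18.132", 6767),
    ("2024-12-18T15:37:35", "192.168.2.6", "154.216.18.132", 6767),
]
# Assumed allow-list of ports that are not worth flagging on their own.
COMMON_PORTS = {22, 25, 53, 80, 110, 143, 443, 587, 993, 995, 8080, 8443}


def resolved_addresses(dns_log):
    """Map each client to the set of addresses it has received in DNS answers."""
    seen = {}
    for _ts, client, _qname, answer in dns_log:
        seen.setdefault(client, set()).add(answer)
    return seen


def flag_connections(conn_log, dns_log, common_ports=COMMON_PORTS, min_beacons=3, max_jitter=0.2):
    """One finding per (src, dst, port) that triggers at least one heuristic:
    destination never appeared in a DNS answer for that client, non-standard port,
    or repeated connections whose gaps vary by no more than max_jitter (coefficient
    of variation of the inter-connection intervals)."""
    resolved = resolved_addresses(dns_log)
    groups = {}
    for ts, src, dst, port in conn_log:
        groups.setdefault((src, dst, port), []).append(datetime.fromisoformat(ts))

    findings = []
    for (src, dst, port), times in groups.items():
        reasons = []
        if dst not in resolved.get(src, set()):
            reasons.append("no DNS resolution for destination")
        if port not in common_ports:
            reasons.append(f"non-standard port {port}")
        times.sort()
        if len(times) >= min_beacons:
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            mean = statistics.mean(gaps)
            if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
                reasons.append(f"{len(times)} connections every ~{mean:.0f}s")
        if reasons:
            findings.append({"src": src, "dst": dst, "port": port,
                             "count": len(times), "reasons": reasons})
    # Most reasons first, so the C2-like tuple tops the list.
    findings.sort(key=lambda f: (-len(f["reasons"]), f["dst"], f["port"]))
    return findings


if __name__ == "__main__":
    for f in flag_connections(CONN_LOG, DNS_LOG):
        print(f"{f['src']} -> {f['dst']}:{f['port']} x{f['count']}: " + "; ".join(f["reasons"]))
```

Each heuristic alone is noisy (NTP, CDN pinning and patch agents all connect to raw IPs or odd ports), which is why the function reports the reasons together and sorts by how many fired; a tuple that trips all three is a strong candidate for blocking even before an IDS signature such as the XWorm PING rule exists for it.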

            System Summary

Matched rule: Detects AsyncRAT (Author: ditekSHen), type: UNPACKEDPE, sources:
  • 9.2.UClient.exe.2a2dbd60000.0.raw.unpack
  • 6.2.UClient.exe.22bb0d80000.0.raw.unpack
  • 9.2.UClient.exe.2a2dbd60000.0.unpack
  • 10.2.UClient.exe.1a04cedcea0.1.raw.unpack
  • 10.2.UClient.exe.1a04cedcea0.1.unpack
  • 6.2.UClient.exe.22bb0d80000.0.unpack
  • 10.2.UClient.exe.1a04cbf0000.0.raw.unpack
  • 0.2.crypted_UClient.exe.25193910000.0.unpack
  • 9.2.UClient.exe.2a2dbffce00.1.raw.unpack
  • 6.2.UClient.exe.22bb0f3ce50.1.unpack
  • 10.2.UClient.exe.1a04cbf0000.0.unpack
  • 6.2.UClient.exe.22bb0f3ce50.1.raw.unpack
  • 0.2.crypted_UClient.exe.25193910000.0.raw.unpack
  • 9.2.UClient.exe.2a2dbffce00.1.unpack
Matched rule: Windows_Trojan_Donutloader_f40e3759 (Author: unknown), type: MEMORY, sources:
  • 00000009.00000002.3506779671.000002A2DA4C0000.00000040.00001000.00020000.00000000.sdmp
  • 00000000.00000002.4587719290.0000025191F60000.00000040.00001000.00020000.00000000.sdmp
  • 00000006.00000002.4191816935.0000022BAF2C0000.00000040.00001000.00020000.00000000.sdmp
  • 0000000A.00000002.3585996257.000001A04B250000.00000040.00001000.00020000.00000000.sdmp
Matched rule: Detects AsyncRAT (Author: ditekSHen), type: MEMORY, sources:
  • 00000006.00000002.4194518088.0000022BB0D80000.00000004.08000000.00040000.00000000.sdmp
  • 00000006.00000002.4194871536.0000022BB0F31000.00000004.00000800.00020000.00000000.sdmp
  • 00000000.00000002.4588328680.0000025193910000.00000004.08000000.00040000.00000000.sdmp
  • 0000000A.00000002.3588257874.000001A04CED1000.00000004.00000800.00020000.00000000.sdmp
  • 0000000A.00000002.3587178647.000001A04CBF0000.00000004.08000000.00040000.00000000.sdmp
  • 00000009.00000002.3506998399.000002A2DBD60000.00000004.08000000.00040000.00000000.sdmp
  • 00000009.00000002.3507284880.000002A2DBFF1000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\crypted_UClient.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\crypted_UClient.exe | Code function: 0_2_00007FF79D8FD660 GetStdHandle,GetLastError,GetConsoleMode,NtWriteFile,WaitForSingleObject,RtlNtStatusToDosError,CloseHandle
Source: C:\Users\user\AppData\Roaming\UClient.exe | Code function: 6_2_00007FF718C6D660 GetStdHandle,GetLastError,GetConsoleMode,NtWriteFile,WaitForSingleObject,RtlNtStatusToDosError,CloseHandle
Source: C:\Users\user\Desktop\crypted_UClient.exe | Code functions (process 0): 0_2_00007FF79D8C89B2, 0_2_00007FF79D8B13F2, 0_2_00007FF79D8FFED0, 0_2_00007FF79D8F92D0, 0_2_00007FF79D8F26F0, 0_2_00007FF79D900250, 0_2_00007FF79D8FDA40, 0_2_00007FF79D8C8DB1, 0_2_00007FF79D8FF1E9, 0_2_00007FF79D8F69E0, 0_2_00007FF79D903E10, 0_2_00007FF79D8F5120, 0_2_00007FF79D8C8D51, 0_2_00007FF79D8FB10B, 0_2_00007FF79D8F4420, 0_2_00007FF79D902840, 0_2_00007FF79D9017D9, 0_2_00007FF79D904B3B, 0_2_00007FF79D906780, 0_2_0000025191F6B7E7, 0_2_0000025191F6BBB7, 0_2_0000025191F6A8F3, 0_2_0000025191F6BFEF, 0_2_0000025191F6F2E7, 0_2_0000025191F6CA8F, 0_2_00007FFD345F75C2, 0_2_00007FFD345F6816, 0_2_00007FFD345F1541, 0_2_00007FFD345F1975
Source: C:\Users\user\AppData\Roaming\UClient.exe | Code functions (process 6): 6_2_00007FF718C389B2, 6_2_00007FF718C213F2, 6_2_00007FF718C6F1E9, 6_2_00007FF718C669E0, 6_2_00007FF718C73E10, 6_2_00007FF718C65120, 6_2_00007FF718C626F0, 6_2_00007FF718C6FED0, 6_2_00007FF718C692D0, 6_2_00007FF718C70250, 6_2_00007FF718C6DA40, 6_2_00007FF718C717D9, 6_2_00007FF718C76780, 6_2_00007FF718C74B3B, 6_2_00007FF718C6B10B, 6_2_00007FF718C60CCF, 6_2_00007FF718C64420, 6_2_00007FF718C72840, 6_2_0000022BAF2CB7E7, 6_2_0000022BAF2CBBB7, 6_2_0000022BAF2CBFEF, 6_2_0000022BAF2CF2E7, 6_2_0000022BAF2CCA8F, 6_2_0000022BAF2CA8F3, 6_2_00007FFD34620ADD, 6_2_00007FFD34621541, 6_2_00007FFD34620D9D
Source: C:\Users\user\AppData\Roaming\UClient.exe | Code functions (process 9): 9_2_000002A2DA4CBBB7, 9_2_000002A2DA4CB7E7, 9_2_000002A2DA4CCA8F, 9_2_000002A2DA4CBFEF, 9_2_000002A2DA4CF2E7, 9_2_000002A2DA4CA8F3, 9_2_00007FFD34610ADD, 9_2_00007FFD34610D9D, 9_2_00007FFD34611541
Source: C:\Users\user\AppData\Roaming\UClient.exe | Code functions (process 10): 10_2_000001A04B25BBB7, 10_2_000001A04B25B7E7, 10_2_000001A04B25F2E7, 10_2_000001A04B25BFEF, 10_2_000001A04B25A8F3, 10_2_000001A04B25CA8F, 10_2_00007FFD34610ADD, 10_2_00007FFD34610D9D, 10_2_00007FFD34611541
Source: C:\Users\user\AppData\Roaming\UClient.exe | Code function: String function: 00007FF718C62D50 appears 59 times
Source: C:\Users\user\Desktop\crypted_UClient.exe | Code function: String function: 00007FF79D8F2D50 appears 59 times
Source: crypted_UClient.exe | Static PE information: invalid certificate
Source: crypted_UClient.exe, 00000000.00000002.4588328680.0000025193910000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilename UClient.exe4 vs crypted_UClient.exe
Matched rule: MALWARE_Win_AsyncRAT (author = ditekSHen, description = Detects AsyncRAT), type: UNPACKEDPE, sources:
  • 9.2.UClient.exe.2a2dbd60000.0.raw.unpack
  • 6.2.UClient.exe.22bb0d80000.0.raw.unpack
  • 9.2.UClient.exe.2a2dbd60000.0.unpack
  • 10.2.UClient.exe.1a04cedcea0.1.raw.unpack
  • 10.2.UClient.exe.1a04cedcea0.1.unpack
  • 6.2.UClient.exe.22bb0d80000.0.unpack
  • 10.2.UClient.exe.1a04cbf0000.0.raw.unpack
  • 0.2.crypted_UClient.exe.25193910000.0.unpack
  • 9.2.UClient.exe.2a2dbffce00.1.raw.unpack
  • 6.2.UClient.exe.22bb0f3ce50.1.unpack
  • 10.2.UClient.exe.1a04cbf0000.0.unpack
  • 6.2.UClient.exe.22bb0f3ce50.1.raw.unpack
  • 0.2.crypted_UClient.exe.25193910000.0.raw.unpack
  • 9.2.UClient.exe.2a2dbffce00.1.unpack
Matched rule: Windows_Trojan_Donutloader_f40e3759 (os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13), type: MEMORY, sources:
  • 00000009.00000002.3506779671.000002A2DA4C0000.00000040.00001000.00020000.00000000.sdmp
  • 00000000.00000002.4587719290.0000025191F60000.00000040.00001000.00020000.00000000.sdmp
  • 00000006.00000002.4191816935.0000022BAF2C0000.00000040.00001000.00020000.00000000.sdmp
Matched rule: MALWARE_Win_AsyncRAT (author = ditekSHen, description = Detects AsyncRAT), type: MEMORY, sources:
  • 00000006.00000002.4194518088.0000022BB0D80000.00000004.08000000.00040000.00000000.sdmp
  • 00000006.00000002.4194871536.0000022BB0F31000.00000004.00000800.00020000.00000000.sdmp
  • 00000000.00000002.4588328680.0000025193910000.00000004.08000000.00040000.00000000.sdmp
  • 0000000A.00000002.3588257874.000001A04CED1000.00000004.00000800.00020000.00000000.sdmp
  • 0000000A.00000002.3587178647.000001A04CBF0000.00000004.08000000.00040000.00000000.sdmp
  • 00000009.00000002.3506998399.000002A2DBD60000.00000004.08000000.00040000.00000000.sdmp
            Source: 00000009.00000002.3507284880.000002A2DBFF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 0000000A.00000002.3585996257.000001A04B250000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
            Source: 0.2.crypted_UClient.exe.25193910000.0.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.crypted_UClient.exe.25193910000.0.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.crypted_UClient.exe.25193910000.0.raw.unpack, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 6.2.UClient.exe.22bb0f3ce50.1.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 6.2.UClient.exe.22bb0f3ce50.1.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 6.2.UClient.exe.22bb0f3ce50.1.raw.unpack, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 6.2.UClient.exe.22bb0d80000.0.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 6.2.UClient.exe.22bb0d80000.0.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 6.2.UClient.exe.22bb0d80000.0.raw.unpack, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 9.2.UClient.exe.2a2dbffce00.1.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 9.2.UClient.exe.2a2dbffce00.1.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.crypted_UClient.exe.25193910000.0.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 0.2.crypted_UClient.exe.25193910000.0.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 9.2.UClient.exe.2a2dbd60000.0.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 9.2.UClient.exe.2a2dbd60000.0.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 6.2.UClient.exe.22bb0f3ce50.1.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 6.2.UClient.exe.22bb0f3ce50.1.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 10.2.UClient.exe.1a04cbf0000.0.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 10.2.UClient.exe.1a04cbf0000.0.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 10.2.UClient.exe.1a04cedcea0.1.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 10.2.UClient.exe.1a04cedcea0.1.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 6.2.UClient.exe.22bb0d80000.0.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 6.2.UClient.exe.22bb0d80000.0.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 9.2.UClient.exe.2a2dbffce00.1.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 9.2.UClient.exe.2a2dbffce00.1.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: classification engine | Classification label: mal100.troj.evad.winEXE@8/3@0/1
            Source: C:\Users\user\Desktop\crypted_UClient.exe | Code function: 0_2_00007FF79D9017D9 memset,GetModuleHandleW,FormatMessageW,memcpy,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,0_2_00007FF79D9017D9
            Source: C:\Users\user\Desktop\crypted_UClient.exe | File created: C:\Users\user\AppData\Roaming\UClient.exe
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5588:120:WilError_03
            Source: C:\Users\user\AppData\Roaming\UClient.exe | Mutant created: NULL
            Source: C:\Users\user\Desktop\crypted_UClient.exe | Mutant created: \Sessions\1\BaseNamedObjects\3W3L0vd01kmwQ276
            Source: crypted_UClient.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\crypted_UClient.exe | File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\Desktop\crypted_UClient.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: crypted_UClient.exe | ReversingLabs: Detection: 21%
            Source: crypted_UClient.exe | String found in binary or memory: 99c08c54-5656-50fb-0e46-add1f50d0f0fefdafd94-dfd2-d32d-1113-130b047c9696966857d9-09f6-70a6-159b-171717e7d452dadadad2-7412-072f-2f2f-54aaa1454932b1beba7a-7a7a-7487-287e-44654343333880b61dbf-ffff-2c17-a1e1-ddde94214cdf9eb5a284-96dd-d9c6-a076-65cbc7c5c539a6000406
            Source: crypted_UClient.exe | String found in binary or memory: 28f0fcda-5b61-592c-9026-d9982ecd0f858480be0b-d4a3-1d02-f14f-31985566bacb99c08c54-5656-50fb-0e46-add1f50d0f0fefdafd94-dfd2-d32d-1113-130b047c9696966857d9-09f6-70a6-159b-171717e7d452dadadad2-7412-072f-2f2f-54aaa1454932b1beba7a-7a7a-7487-287e-44654343333880b61dbf
            Source: crypted_UClient.exe | String found in binary or memory: 369d5a45-8c15-4dc7-c578-fcbca63170e028f0fcda-5b61-592c-9026-d9982ecd0f858480be0b-d4a3-1d02-f14f-31985566bacb99c08c54-5656-50fb-0e46-add1f50d0f0fefdafd94-dfd2-d32d-1113-130b047c9696966857d9-09f6-70a6-159b-171717e7d452dadadad2-7412-072f-2f2f-54aaa1454932b1beba7a
            Source: crypted_UClient.exe | String found in binary or memory: 8480be0b-d4a3-1d02-f14f-31985566bacb99c08c54-5656-50fb-0e46-add1f50d0f0fefdafd94-dfd2-d32d-1113-130b047c9696966857d9-09f6-70a6-159b-171717e7d452dadadad2-7412-072f-2f2f-54aaa1454932b1beba7a-7a7a-7487-287e-44654343333880b61dbf-ffff-2c17-a1e1-ddde94214cdf9eb5a284
            Source: crypted_UClient.exe | String found in binary or memory: 02fea35c-b8c1-2373-c632-2457da39c69d5fdd8665-bd7d-e857-197a-9e41ad3b9a3cb1940f2e-88c2-1acc-99f7-8d5b188a79bac191d91f-bcbd-18fe-2b1e-b4300cf2de53eca72761-7dce-71fe-e2e5-e6321e43b0ae153f6b7a-4335-95dd-2eb3-add2081a797f95a52c51-e8a1-4a62-fa0e-2118f0b2c76a037d9c1e
            Source: crypted_UClient.exe | String found in binary or memory: a00fa3aa-8e4c-f699-b682-066eb2e6f09102fea35c-b8c1-2373-c632-2457da39c69d5fdd8665-bd7d-e857-197a-9e41ad3b9a3cb1940f2e-88c2-1acc-99f7-8d5b188a79bac191d91f-bcbd-18fe-2b1e-b4300cf2de53eca72761-7dce-71fe-e2e5-e6321e43b0ae153f6b7a-4335-95dd-2eb3-add2081a797f95a52c51
            Source: crypted_UClient.exe | String found in binary or memory: b1940f2e-88c2-1acc-99f7-8d5b188a79bac191d91f-bcbd-18fe-2b1e-b4300cf2de53eca72761-7dce-71fe-e2e5-e6321e43b0ae153f6b7a-4335-95dd-2eb3-add2081a797f95a52c51-e8a1-4a62-fa0e-2118f0b2c76a037d9c1e-eb9f-f544-b4d6-96aff80e58da3335323d-f603-6a28-8a62-44fc40d14bc7459ed8d6
            Source: crypted_UClient.exe | String found in binary or memory: 5fdd8665-bd7d-e857-197a-9e41ad3b9a3cb1940f2e-88c2-1acc-99f7-8d5b188a79bac191d91f-bcbd-18fe-2b1e-b4300cf2de53eca72761-7dce-71fe-e2e5-e6321e43b0ae153f6b7a-4335-95dd-2eb3-add2081a797f95a52c51-e8a1-4a62-fa0e-2118f0b2c76a037d9c1e-eb9f-f544-b4d6-96aff80e58da3335323d
            Source: crypted_UClient.exe | String found in binary or memory: 7d3f600b-f0ad-9698-6b31-650e6a4eb4f9702deedc-2728-546e-8efa-8aac4c21ad19e49521de-1890-898d-ad06-d19e1e1fec42369d5a45-8c15-4dc7-c578-fcbca63170e028f0fcda-5b61-592c-9026-d9982ecd0f858480be0b-d4a3-1d02-f14f-31985566bacb99c08c54-5656-50fb-0e46-add1f50d0f0fefdafd94
            Source: crypted_UClient.exe | String found in binary or memory: e49521de-1890-898d-ad06-d19e1e1fec42369d5a45-8c15-4dc7-c578-fcbca63170e028f0fcda-5b61-592c-9026-d9982ecd0f858480be0b-d4a3-1d02-f14f-31985566bacb99c08c54-5656-50fb-0e46-add1f50d0f0fefdafd94-dfd2-d32d-1113-130b047c9696966857d9-09f6-70a6-159b-171717e7d452dadadad2
            Source: crypted_UClient.exe | String found in binary or memory: 702deedc-2728-546e-8efa-8aac4c21ad19e49521de-1890-898d-ad06-d19e1e1fec42369d5a45-8c15-4dc7-c578-fcbca63170e028f0fcda-5b61-592c-9026-d9982ecd0f858480be0b-d4a3-1d02-f14f-31985566bacb99c08c54-5656-50fb-0e46-add1f50d0f0fefdafd94-dfd2-d32d-1113-130b047c9696966857d9
            Source: crypted_UClient.exe | String found in binary or memory: e3e96233-bc5c-ee00-0cfb-8953a0a259e22995313d-addc-cddc-6f23-154184c982f1eb4eb91f-9f31-d2d2-c37f-0b2c544e4778292987a9-bc29-cc09-36d0-3bbef18a069e803b30f6-72dc-81a7-b129-2ff2df6b9140fca72819-dfc9-632f-ec71-a1499be445da9a06fb2e-9b94-4416-6d68-4be83d37fd95bce45056
            Source: crypted_UClient.exe | String found in binary or memory: eb8165e9-847d-9947-ecec-2dc99cdb679ee3e96233-bc5c-ee00-0cfb-8953a0a259e22995313d-addc-cddc-6f23-154184c982f1eb4eb91f-9f31-d2d2-c37f-0b2c544e4778292987a9-bc29-cc09-36d0-3bbef18a069e803b30f6-72dc-81a7-b129-2ff2df6b9140fca72819-dfc9-632f-ec71-a1499be445da9a06fb2e
            Source: crypted_UClient.exe | String found in binary or memory: 2995313d-addc-cddc-6f23-154184c982f1eb4eb91f-9f31-d2d2-c37f-0b2c544e4778292987a9-bc29-cc09-36d0-3bbef18a069e803b30f6-72dc-81a7-b129-2ff2df6b9140fca72819-dfc9-632f-ec71-a1499be445da9a06fb2e-9b94-4416-6d68-4be83d37fd95bce45056-bc87-fee3-d996-621403eda3dcebb0dc13
            Source: crypted_UClient.exe | String found in binary or memory: e8ff86e0-5156-3f4f-e92e-fd513fa9135000a02fcb-440b-be59-e318-f34926f505a4fc4d6755-0c9e-7727-0565-c1c6d3b87551eb8165e9-847d-9947-ecec-2dc99cdb679ee3e96233-bc5c-ee00-0cfb-8953a0a259e22995313d-addc-cddc-6f23-154184c982f1eb4eb91f-9f31-d2d2-c37f-0b2c544e4778292987a9
            Source: crypted_UClient.exe | String found in binary or memory: 67a578f8-f775-04d0-e2e9-e030f8c95078e8ff86e0-5156-3f4f-e92e-fd513fa9135000a02fcb-440b-be59-e318-f34926f505a4fc4d6755-0c9e-7727-0565-c1c6d3b87551eb8165e9-847d-9947-ecec-2dc99cdb679ee3e96233-bc5c-ee00-0cfb-8953a0a259e22995313d-addc-cddc-6f23-154184c982f1eb4eb91f
            Source: crypted_UClient.exe | String found in binary or memory: fc4d6755-0c9e-7727-0565-c1c6d3b87551eb8165e9-847d-9947-ecec-2dc99cdb679ee3e96233-bc5c-ee00-0cfb-8953a0a259e22995313d-addc-cddc-6f23-154184c982f1eb4eb91f-9f31-d2d2-c37f-0b2c544e4778292987a9-bc29-cc09-36d0-3bbef18a069e803b30f6-72dc-81a7-b129-2ff2df6b9140fca72819
            Source: crypted_UClient.exe | String found in binary or memory: 00a02fcb-440b-be59-e318-f34926f505a4fc4d6755-0c9e-7727-0565-c1c6d3b87551eb8165e9-847d-9947-ecec-2dc99cdb679ee3e96233-bc5c-ee00-0cfb-8953a0a259e22995313d-addc-cddc-6f23-154184c982f1eb4eb91f-9f31-d2d2-c37f-0b2c544e4778292987a9-bc29-cc09-36d0-3bbef18a069e803b30f6
            Source: crypted_UClient.exe | String found in binary or memory: c191d91f-bcbd-18fe-2b1e-b4300cf2de53eca72761-7dce-71fe-e2e5-e6321e43b0ae153f6b7a-4335-95dd-2eb3-add2081a797f95a52c51-e8a1-4a62-fa0e-2118f0b2c76a037d9c1e-eb9f-f544-b4d6-96aff80e58da3335323d-f603-6a28-8a62-44fc40d14bc7459ed8d6-8555-ab79-e55e-e1fbd901150b8e904dd6
            Source: crypted_UClient.exe | String found in binary or memory: 153f6b7a-4335-95dd-2eb3-add2081a797f95a52c51-e8a1-4a62-fa0e-2118f0b2c76a037d9c1e-eb9f-f544-b4d6-96aff80e58da3335323d-f603-6a28-8a62-44fc40d14bc7459ed8d6-8555-ab79-e55e-e1fbd901150b8e904dd6-395f-4d47-0ce5-5e16fe33562f12e32730-ac11-da65-5dc5-a30e65872d3e91d82397
            Source: crypted_UClient.exe | String found in binary or memory: eca72761-7dce-71fe-e2e5-e6321e43b0ae153f6b7a-4335-95dd-2eb3-add2081a797f95a52c51-e8a1-4a62-fa0e-2118f0b2c76a037d9c1e-eb9f-f544-b4d6-96aff80e58da3335323d-f603-6a28-8a62-44fc40d14bc7459ed8d6-8555-ab79-e55e-e1fbd901150b8e904dd6-395f-4d47-0ce5-5e16fe33562f12e32730
            Source: crypted_UClient.exe | String found in binary or memory: 7825e662-380c-a863-a9b3-507b8f33f656dd096d72-1358-0770-b703-add16eba4f850db76086-7ff9-c84a-f1af-d56f1b51d6f6108dcf85-e75d-1dd8-f41a-f3c85b06ec039046f88c-4586-87ef-7172-035fdc579abe381b1225-33a1-e76c-b8f9-043b1036ffaefaf2e597-ce37-0566-d4b6-1fbddb4dc87b96565fc9
            Source: crypted_UClient.exe | String found in binary or memory: b267174e-bcce-cfaa-75d3-8856420b31577825e662-380c-a863-a9b3-507b8f33f656dd096d72-1358-0770-b703-add16eba4f850db76086-7ff9-c84a-f1af-d56f1b51d6f6108dcf85-e75d-1dd8-f41a-f3c85b06ec039046f88c-4586-87ef-7172-035fdc579abe381b1225-33a1-e76c-b8f9-043b1036ffaefaf2e597
            Source: crypted_UClient.exe | String found in binary or memory: dd096d72-1358-0770-b703-add16eba4f850db76086-7ff9-c84a-f1af-d56f1b51d6f6108dcf85-e75d-1dd8-f41a-f3c85b06ec039046f88c-4586-87ef-7172-035fdc579abe381b1225-33a1-e76c-b8f9-043b1036ffaefaf2e597-ce37-0566-d4b6-1fbddb4dc87b96565fc9-935e-9737-c22f-5bb933437552f34a132a
            Source: crypted_UClient.exe | String found in binary or memory: 47090664-c14a-2e79-42bf-0ee736cad4b8ef479d19-6c27-c092-597b-abee959d0010b267174e-bcce-cfaa-75d3-8856420b31577825e662-380c-a863-a9b3-507b8f33f656dd096d72-1358-0770-b703-add16eba4f850db76086-7ff9-c84a-f1af-d56f1b51d6f6108dcf85-e75d-1dd8-f41a-f3c85b06ec039046f88c
            Source: crypted_UClient.exe | String found in binary or memory: 2c6dbac6-71c2-d06d-fe6a-558eae0d2e2247090664-c14a-2e79-42bf-0ee736cad4b8ef479d19-6c27-c092-597b-abee959d0010b267174e-bcce-cfaa-75d3-8856420b31577825e662-380c-a863-a9b3-507b8f33f656dd096d72-1358-0770-b703-add16eba4f850db76086-7ff9-c84a-f1af-d56f1b51d6f6108dcf85
            Source: crypted_UClient.exe | String found in binary or memory: ef479d19-6c27-c092-597b-abee959d0010b267174e-bcce-cfaa-75d3-8856420b31577825e662-380c-a863-a9b3-507b8f33f656dd096d72-1358-0770-b703-add16eba4f850db76086-7ff9-c84a-f1af-d56f1b51d6f6108dcf85-e75d-1dd8-f41a-f3c85b06ec039046f88c-4586-87ef-7172-035fdc579abe381b1225
            Source: crypted_UClient.exe | String found in binary or memory: 7a5e5063-f393-b19a-2dbd-5c82ef0b6f6e2c6dbac6-71c2-d06d-fe6a-558eae0d2e2247090664-c14a-2e79-42bf-0ee736cad4b8ef479d19-6c27-c092-597b-abee959d0010b267174e-bcce-cfaa-75d3-8856420b31577825e662-380c-a863-a9b3-507b8f33f656dd096d72-1358-0770-b703-add16eba4f850db76086
            Source: crypted_UClient.exe | String found in binary or memory: 730a9689-149d-f43b-add7-d5cbc81ae4bddcd5491d-5aad-8026-916f-fc6f6a36014dc449de6e-486d-2e08-982e-5d222828cc7ca24e52c6-3e06-13df-2f4d-d78a45408f99c01bfdac-49ee-cd65-3b42-68d4cf27c1bdd66c0441-eaa8-117b-0017-7bc39279b5bf6bff294c-b0f9-4357-92b6-3f41eda237716e6e8cfb
            Source: crypted_UClient.exe | String found in binary or memory: b008d387-7141-47f4-915c-8e240e359a4177112d28-1aca-17d3-ee1c-762803433e34730a9689-149d-f43b-add7-d5cbc81ae4bddcd5491d-5aad-8026-916f-fc6f6a36014dc449de6e-486d-2e08-982e-5d222828cc7ca24e52c6-3e06-13df-2f4d-d78a45408f99c01bfdac-49ee-cd65-3b42-68d4cf27c1bdd66c0441
            Source: crypted_UClient.exe | String found in binary or memory: 5afad34f-7c70-de74-f449-65c76a3ae13cb008d387-7141-47f4-915c-8e240e359a4177112d28-1aca-17d3-ee1c-762803433e34730a9689-149d-f43b-add7-d5cbc81ae4bddcd5491d-5aad-8026-916f-fc6f6a36014dc449de6e-486d-2e08-982e-5d222828cc7ca24e52c6-3e06-13df-2f4d-d78a45408f99c01bfdac
            Source: crypted_UClient.exe | String found in binary or memory: 77112d28-1aca-17d3-ee1c-762803433e34730a9689-149d-f43b-add7-d5cbc81ae4bddcd5491d-5aad-8026-916f-fc6f6a36014dc449de6e-486d-2e08-982e-5d222828cc7ca24e52c6-3e06-13df-2f4d-d78a45408f99c01bfdac-49ee-cd65-3b42-68d4cf27c1bdd66c0441-eaa8-117b-0017-7bc39279b5bf6bff294c
            Source: crypted_UClient.exe | String found in binary or memory: 1d678494-218c-e95b-061e-64b6e7f1fc295b70302f-4174-691a-22d8-5a0faf458bcb1c2a7a2e-ccf6-33b2-6430-ffbdc8bdf4f45afad34f-7c70-de74-f449-65c76a3ae13cb008d387-7141-47f4-915c-8e240e359a4177112d28-1aca-17d3-ee1c-762803433e34730a9689-149d-f43b-add7-d5cbc81ae4bddcd5491d
            Source: crypted_UClient.exe | String found in binary or memory: 1c2a7a2e-ccf6-33b2-6430-ffbdc8bdf4f45afad34f-7c70-de74-f449-65c76a3ae13cb008d387-7141-47f4-915c-8e240e359a4177112d28-1aca-17d3-ee1c-762803433e34730a9689-149d-f43b-add7-d5cbc81ae4bddcd5491d-5aad-8026-916f-fc6f6a36014dc449de6e-486d-2e08-982e-5d222828cc7ca24e52c6
            Source: crypted_UClient.exe | String found in binary or memory: 5b70302f-4174-691a-22d8-5a0faf458bcb1c2a7a2e-ccf6-33b2-6430-ffbdc8bdf4f45afad34f-7c70-de74-f449-65c76a3ae13cb008d387-7141-47f4-915c-8e240e359a4177112d28-1aca-17d3-ee1c-762803433e34730a9689-149d-f43b-add7-d5cbc81ae4bddcd5491d-5aad-8026-916f-fc6f6a36014dc449de6e
            Source: UClient.exe | String found in binary or memory: 5fdd8665-bd7d-e857-197a-9e41ad3b9a3cb1940f2e-88c2-1acc-99f7-8d5b188a79bac191d91f-bcbd-18fe-2b1e-b4300cf2de53eca72761-7dce-71fe-e2e5-e6321e43b0ae153f6b7a-4335-95dd-2eb3-add2081a797f95a52c51-e8a1-4a62-fa0e-2118f0b2c76a037d9c1e-eb9f-f544-b4d6-96aff80e58da3335323d
            Source: UClient.exe | String found in binary or memory: b1940f2e-88c2-1acc-99f7-8d5b188a79bac191d91f-bcbd-18fe-2b1e-b4300cf2de53eca72761-7dce-71fe-e2e5-e6321e43b0ae153f6b7a-4335-95dd-2eb3-add2081a797f95a52c51-e8a1-4a62-fa0e-2118f0b2c76a037d9c1e-eb9f-f544-b4d6-96aff80e58da3335323d-f603-6a28-8a62-44fc40d14bc7459ed8d6
            Source: UClient.exe | String found in binary or memory: a00fa3aa-8e4c-f699-b682-066eb2e6f09102fea35c-b8c1-2373-c632-2457da39c69d5fdd8665-bd7d-e857-197a-9e41ad3b9a3cb1940f2e-88c2-1acc-99f7-8d5b188a79bac191d91f-bcbd-18fe-2b1e-b4300cf2de53eca72761-7dce-71fe-e2e5-e6321e43b0ae153f6b7a-4335-95dd-2eb3-add2081a797f95a52c51
            Source: UClient.exe | String found in binary or memory: 02fea35c-b8c1-2373-c632-2457da39c69d5fdd8665-bd7d-e857-197a-9e41ad3b9a3cb1940f2e-88c2-1acc-99f7-8d5b188a79bac191d91f-bcbd-18fe-2b1e-b4300cf2de53eca72761-7dce-71fe-e2e5-e6321e43b0ae153f6b7a-4335-95dd-2eb3-add2081a797f95a52c51-e8a1-4a62-fa0e-2118f0b2c76a037d9c1e
            Source: UClient.exe | String found in binary or memory: 00a02fcb-440b-be59-e318-f34926f505a4fc4d6755-0c9e-7727-0565-c1c6d3b87551eb8165e9-847d-9947-ecec-2dc99cdb679ee3e96233-bc5c-ee00-0cfb-8953a0a259e22995313d-addc-cddc-6f23-154184c982f1eb4eb91f-9f31-d2d2-c37f-0b2c544e4778292987a9-bc29-cc09-36d0-3bbef18a069e803b30f6
            Source: UClient.exe | String found in binary or memory: fc4d6755-0c9e-7727-0565-c1c6d3b87551eb8165e9-847d-9947-ecec-2dc99cdb679ee3e96233-bc5c-ee00-0cfb-8953a0a259e22995313d-addc-cddc-6f23-154184c982f1eb4eb91f-9f31-d2d2-c37f-0b2c544e4778292987a9-bc29-cc09-36d0-3bbef18a069e803b30f6-72dc-81a7-b129-2ff2df6b9140fca72819
            Source: UClient.exe | String found in binary or memory: 67a578f8-f775-04d0-e2e9-e030f8c95078e8ff86e0-5156-3f4f-e92e-fd513fa9135000a02fcb-440b-be59-e318-f34926f505a4fc4d6755-0c9e-7727-0565-c1c6d3b87551eb8165e9-847d-9947-ecec-2dc99cdb679ee3e96233-bc5c-ee00-0cfb-8953a0a259e22995313d-addc-cddc-6f23-154184c982f1eb4eb91f
            Source: UClient.exe | String found in binary or memory: e8ff86e0-5156-3f4f-e92e-fd513fa9135000a02fcb-440b-be59-e318-f34926f505a4fc4d6755-0c9e-7727-0565-c1c6d3b87551eb8165e9-847d-9947-ecec-2dc99cdb679ee3e96233-bc5c-ee00-0cfb-8953a0a259e22995313d-addc-cddc-6f23-154184c982f1eb4eb91f-9f31-d2d2-c37f-0b2c544e4778292987a9
            Source: UClient.exe | String found in binary or memory: eca72761-7dce-71fe-e2e5-e6321e43b0ae153f6b7a-4335-95dd-2eb3-add2081a797f95a52c51-e8a1-4a62-fa0e-2118f0b2c76a037d9c1e-eb9f-f544-b4d6-96aff80e58da3335323d-f603-6a28-8a62-44fc40d14bc7459ed8d6-8555-ab79-e55e-e1fbd901150b8e904dd6-395f-4d47-0ce5-5e16fe33562f12e32730
            Source: UClient.exe | String found in binary or memory: 153f6b7a-4335-95dd-2eb3-add2081a797f95a52c51-e8a1-4a62-fa0e-2118f0b2c76a037d9c1e-eb9f-f544-b4d6-96aff80e58da3335323d-f603-6a28-8a62-44fc40d14bc7459ed8d6-8555-ab79-e55e-e1fbd901150b8e904dd6-395f-4d47-0ce5-5e16fe33562f12e32730-ac11-da65-5dc5-a30e65872d3e91d82397
            Source: UClient.exe | String found in binary or memory: c191d91f-bcbd-18fe-2b1e-b4300cf2de53eca72761-7dce-71fe-e2e5-e6321e43b0ae153f6b7a-4335-95dd-2eb3-add2081a797f95a52c51-e8a1-4a62-fa0e-2118f0b2c76a037d9c1e-eb9f-f544-b4d6-96aff80e58da3335323d-f603-6a28-8a62-44fc40d14bc7459ed8d6-8555-ab79-e55e-e1fbd901150b8e904dd6
            Source: UClient.exe | String found in binary or memory: 702deedc-2728-546e-8efa-8aac4c21ad19e49521de-1890-898d-ad06-d19e1e1fec42369d5a45-8c15-4dc7-c578-fcbca63170e028f0fcda-5b61-592c-9026-d9982ecd0f858480be0b-d4a3-1d02-f14f-31985566bacb99c08c54-5656-50fb-0e46-add1f50d0f0fefdafd94-dfd2-d32d-1113-130b047c9696966857d9
            Source: UClient.exe | String found in binary or memory: e49521de-1890-898d-ad06-d19e1e1fec42369d5a45-8c15-4dc7-c578-fcbca63170e028f0fcda-5b61-592c-9026-d9982ecd0f858480be0b-d4a3-1d02-f14f-31985566bacb99c08c54-5656-50fb-0e46-add1f50d0f0fefdafd94-dfd2-d32d-1113-130b047c9696966857d9-09f6-70a6-159b-171717e7d452dadadad2
            Source: UClient.exe | String found in binary or memory: 7d3f600b-f0ad-9698-6b31-650e6a4eb4f9702deedc-2728-546e-8efa-8aac4c21ad19e49521de-1890-898d-ad06-d19e1e1fec42369d5a45-8c15-4dc7-c578-fcbca63170e028f0fcda-5b61-592c-9026-d9982ecd0f858480be0b-d4a3-1d02-f14f-31985566bacb99c08c54-5656-50fb-0e46-add1f50d0f0fefdafd94
            Source: UClient.exe | String found in binary or memory: 2995313d-addc-cddc-6f23-154184c982f1eb4eb91f-9f31-d2d2-c37f-0b2c544e4778292987a9-bc29-cc09-36d0-3bbef18a069e803b30f6-72dc-81a7-b129-2ff2df6b9140fca72819-dfc9-632f-ec71-a1499be445da9a06fb2e-9b94-4416-6d68-4be83d37fd95bce45056-bc87-fee3-d996-621403eda3dcebb0dc13
            Source: UClient.exe | String found in binary or memory: eb8165e9-847d-9947-ecec-2dc99cdb679ee3e96233-bc5c-ee00-0cfb-8953a0a259e22995313d-addc-cddc-6f23-154184c982f1eb4eb91f-9f31-d2d2-c37f-0b2c544e4778292987a9-bc29-cc09-36d0-3bbef18a069e803b30f6-72dc-81a7-b129-2ff2df6b9140fca72819-dfc9-632f-ec71-a1499be445da9a06fb2e
            Source: UClient.exe | String found in binary or memory: e3e96233-bc5c-ee00-0cfb-8953a0a259e22995313d-addc-cddc-6f23-154184c982f1eb4eb91f-9f31-d2d2-c37f-0b2c544e4778292987a9-bc29-cc09-36d0-3bbef18a069e803b30f6-72dc-81a7-b129-2ff2df6b9140fca72819-dfc9-632f-ec71-a1499be445da9a06fb2e-9b94-4416-6d68-4be83d37fd95bce45056
            Source: UClient.exe | String found in binary or memory: 99c08c54-5656-50fb-0e46-add1f50d0f0fefdafd94-dfd2-d32d-1113-130b047c9696966857d9-09f6-70a6-159b-171717e7d452dadadad2-7412-072f-2f2f-54aaa1454932b1beba7a-7a7a-7487-287e-44654343333880b61dbf-ffff-2c17-a1e1-ddde94214cdf9eb5a284-96dd-d9c6-a076-65cbc7c5c539a6000406
            Source: UClient.exe | String found in binary or memory: 8480be0b-d4a3-1d02-f14f-31985566bacb99c08c54-5656-50fb-0e46-add1f50d0f0fefdafd94-dfd2-d32d-1113-130b047c9696966857d9-09f6-70a6-159b-171717e7d452dadadad2-7412-072f-2f2f-54aaa1454932b1beba7a-7a7a-7487-287e-44654343333880b61dbf-ffff-2c17-a1e1-ddde94214cdf9eb5a284
            Source: UClient.exe | String found in binary or memory: 369d5a45-8c15-4dc7-c578-fcbca63170e028f0fcda-5b61-592c-9026-d9982ecd0f858480be0b-d4a3-1d02-f14f-31985566bacb99c08c54-5656-50fb-0e46-add1f50d0f0fefdafd94-dfd2-d32d-1113-130b047c9696966857d9-09f6-70a6-159b-171717e7d452dadadad2-7412-072f-2f2f-54aaa1454932b1beba7a
            Source: UClient.exe | String found in binary or memory: 28f0fcda-5b61-592c-9026-d9982ecd0f858480be0b-d4a3-1d02-f14f-31985566bacb99c08c54-5656-50fb-0e46-add1f50d0f0fefdafd94-dfd2-d32d-1113-130b047c9696966857d9-09f6-70a6-159b-171717e7d452dadadad2-7412-072f-2f2f-54aaa1454932b1beba7a-7a7a-7487-287e-44654343333880b61dbf
            Source: UClient.exe | String found in binary or memory: dd096d72-1358-0770-b703-add16eba4f850db76086-7ff9-c84a-f1af-d56f1b51d6f6108dcf85-e75d-1dd8-f41a-f3c85b06ec039046f88c-4586-87ef-7172-035fdc579abe381b1225-33a1-e76c-b8f9-043b1036ffaefaf2e597-ce37-0566-d4b6-1fbddb4dc87b96565fc9-935e-9737-c22f-5bb933437552f34a132a
            Source: UClient.exe | String found in binary or memory: b267174e-bcce-cfaa-75d3-8856420b31577825e662-380c-a863-a9b3-507b8f33f656dd096d72-1358-0770-b703-add16eba4f850db76086-7ff9-c84a-f1af-d56f1b51d6f6108dcf85-e75d-1dd8-f41a-f3c85b06ec039046f88c-4586-87ef-7172-035fdc579abe381b1225-33a1-e76c-b8f9-043b1036ffaefaf2e597
            Source: UClient.exe | String found in binary or memory: 7825e662-380c-a863-a9b3-507b8f33f656dd096d72-1358-0770-b703-add16eba4f850db76086-7ff9-c84a-f1af-d56f1b51d6f6108dcf85-e75d-1dd8-f41a-f3c85b06ec039046f88c-4586-87ef-7172-035fdc579abe381b1225-33a1-e76c-b8f9-043b1036ffaefaf2e597-ce37-0566-d4b6-1fbddb4dc87b96565fc9
            Source: UClient.exe | String found in binary or memory: ef479d19-6c27-c092-597b-abee959d0010b267174e-bcce-cfaa-75d3-8856420b31577825e662-380c-a863-a9b3-507b8f33f656dd096d72-1358-0770-b703-add16eba4f850db76086-7ff9-c84a-f1af-d56f1b51d6f6108dcf85-e75d-1dd8-f41a-f3c85b06ec039046f88c-4586-87ef-7172-035fdc579abe381b1225
            Source: UClient.exe | String found in binary or memory: 2c6dbac6-71c2-d06d-fe6a-558eae0d2e2247090664-c14a-2e79-42bf-0ee736cad4b8ef479d19-6c27-c092-597b-abee959d0010b267174e-bcce-cfaa-75d3-8856420b31577825e662-380c-a863-a9b3-507b8f33f656dd096d72-1358-0770-b703-add16eba4f850db76086-7ff9-c84a-f1af-d56f1b51d6f6108dcf85
            Source: UClient.exe | String found in binary or memory: 47090664-c14a-2e79-42bf-0ee736cad4b8ef479d19-6c27-c092-597b-abee959d0010b267174e-bcce-cfaa-75d3-8856420b31577825e662-380c-a863-a9b3-507b8f33f656dd096d72-1358-0770-b703-add16eba4f850db76086-7ff9-c84a-f1af-d56f1b51d6f6108dcf85-e75d-1dd8-f41a-f3c85b06ec039046f88c
            Source: UClient.exe | String found in binary or memory: 7a5e5063-f393-b19a-2dbd-5c82ef0b6f6e2c6dbac6-71c2-d06d-fe6a-558eae0d2e2247090664-c14a-2e79-42bf-0ee736cad4b8ef479d19-6c27-c092-597b-abee959d0010b267174e-bcce-cfaa-75d3-8856420b31577825e662-380c-a863-a9b3-507b8f33f656dd096d72-1358-0770-b703-add16eba4f850db76086
            Source: UClient.exe | String found in binary or memory: 77112d28-1aca-17d3-ee1c-762803433e34730a9689-149d-f43b-add7-d5cbc81ae4bddcd5491d-5aad-8026-916f-fc6f6a36014dc449de6e-486d-2e08-982e-5d222828cc7ca24e52c6-3e06-13df-2f4d-d78a45408f99c01bfdac-49ee-cd65-3b42-68d4cf27c1bdd66c0441-eaa8-117b-0017-7bc39279b5bf6bff294c
            Source: UClient.exe | String found in binary or memory: 5afad34f-7c70-de74-f449-65c76a3ae13cb008d387-7141-47f4-915c-8e240e359a4177112d28-1aca-17d3-ee1c-762803433e34730a9689-149d-f43b-add7-d5cbc81ae4bddcd5491d-5aad-8026-916f-fc6f6a36014dc449de6e-486d-2e08-982e-5d222828cc7ca24e52c6-3e06-13df-2f4d-d78a45408f99c01bfdac
            Source: UClient.exe | String found in binary or memory: b008d387-7141-47f4-915c-8e240e359a4177112d28-1aca-17d3-ee1c-762803433e34730a9689-149d-f43b-add7-d5cbc81ae4bddcd5491d-5aad-8026-916f-fc6f6a36014dc449de6e-486d-2e08-982e-5d222828cc7ca24e52c6-3e06-13df-2f4d-d78a45408f99c01bfdac-49ee-cd65-3b42-68d4cf27c1bdd66c0441
            Source: UClient.exe | String found in binary or memory: 5b70302f-4174-691a-22d8-5a0faf458bcb1c2a7a2e-ccf6-33b2-6430-ffbdc8bdf4f45afad34f-7c70-de74-f449-65c76a3ae13cb008d387-7141-47f4-915c-8e240e359a4177112d28-1aca-17d3-ee1c-762803433e34730a9689-149d-f43b-add7-d5cbc81ae4bddcd5491d-5aad-8026-916f-fc6f6a36014dc449de6e
            Source: UClient.exe | String found in binary or memory: 1c2a7a2e-ccf6-33b2-6430-ffbdc8bdf4f45afad34f-7c70-de74-f449-65c76a3ae13cb008d387-7141-47f4-915c-8e240e359a4177112d28-1aca-17d3-ee1c-762803433e34730a9689-149d-f43b-add7-d5cbc81ae4bddcd5491d-5aad-8026-916f-fc6f6a36014dc449de6e-486d-2e08-982e-5d222828cc7ca24e52c6
            Source: UClient.exe | String found in binary or memory: 1d678494-218c-e95b-061e-64b6e7f1fc295b70302f-4174-691a-22d8-5a0faf458bcb1c2a7a2e-ccf6-33b2-6430-ffbdc8bdf4f45afad34f-7c70-de74-f449-65c76a3ae13cb008d387-7141-47f4-915c-8e240e359a4177112d28-1aca-17d3-ee1c-762803433e34730a9689-149d-f43b-add7-d5cbc81ae4bddcd5491d
            Source: UClient.exe | String found in binary or memory: 730a9689-149d-f43b-add7-d5cbc81ae4bddcd5491d-5aad-8026-916f-fc6f6a36014dc449de6e-486d-2e08-982e-5d222828cc7ca24e52c6-3e06-13df-2f4d-d78a45408f99c01bfdac-49ee-cd65-3b42-68d4cf27c1bdd66c0441-eaa8-117b-0017-7bc39279b5bf6bff294c-b0f9-4357-92b6-3f41eda237716e6e8cfb
            Source: C:\Users\user\Desktop\crypted_UClient.exe | File read: C:\Users\user\Desktop\crypted_UClient.exe
            Source: unknown | Process created: C:\Users\user\Desktop\crypted_UClient.exe "C:\Users\user\Desktop\crypted_UClient.exe"
            Source: C:\Users\user\Desktop\crypted_UClient.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "UClient" /tr "C:\Users\user\AppData\Roaming\UClient.exe"
            Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknown | Process created: C:\Users\user\AppData\Roaming\UClient.exe C:\Users\user\AppData\Roaming\UClient.exe
            Source: unknown | Process created: C:\Users\user\AppData\Roaming\UClient.exe "C:\Users\user\AppData\Roaming\UClient.exe"
            Source: unknown | Process created: C:\Users\user\AppData\Roaming\UClient.exe "C:\Users\user\AppData\Roaming\UClient.exe"
            Source: unknown | Process created: C:\Users\user\AppData\Roaming\UClient.exe C:\Users\user\AppData\Roaming\UClient.exe
            Source: C:\Users\user\Desktop\crypted_UClient.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "UClient" /tr "C:\Users\user\AppData\Roaming\UClient.exe"
            Source: C:\Users\user\Desktop\crypted_UClient.exe | Sections loaded: apphelp.dll, vcruntime140.dll, wininet.dll, mscoree.dll, amsi.dll, kernel.appcore.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll (loaded twice), cryptsp.dll, rsaenh.dll, cryptbase.dll, wldp.dll, userenv.dll, profapi.dll, sspicli.dll, uxtheme.dll, windows.storage.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, sxs.dll, mpr.dll, scrrun.dll, version.dll, linkinfo.dll, ntshrui.dll, cscapi.dll, mswsock.dll, wbemcomn.dll, avicap32.dll, msvfw32.dll, winmm.dll
            Note on the module list: mscoree.dll together with vcruntime140_clr0400.dll and ucrtbase_clr0400.dll shows that the native submitted file hosts the .NET runtime in-process, and amsi.dll is the CLR's AMSI hook that scans assemblies loaded from memory. wbemcomn.dll is the WMI client library behind the Win32_VideoController and antivirus/firewall queries listed under Signatures; avicap32.dll and msvfw32.dll are the legacy webcam capture API; mswsock.dll is Winsock; cryptsp.dll and rsaenh.dll are the CryptoAPI provider used for the client's encryption.
            Source: C:\Windows\System32\schtasks.exe | Sections loaded: kernel.appcore.dll, taskschd.dll, sspicli.dll, xmllite.dll
            Source: C:\Users\user\AppData\Roaming\UClient.exe | Sections loaded: apphelp.dll, vcruntime140.dll, wininet.dll, mscoree.dll, amsi.dll, kernel.appcore.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll (loaded twice), cryptsp.dll, rsaenh.dll, cryptbase.dll, wldp.dll, userenv.dll, profapi.dll, sspicli.dll
            Source: C:\Users\user\AppData\Roaming\UClient.exe | Sections loaded: the same sequence from vcruntime140.dll through sspicli.dll is recorded twice more, one run per further UClient.exe instance, followed by a final vcruntime140.dll
            Source: C:\Users\user\Desktop\crypted_UClient.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
            Source: UClient.lnk.0.dr | LNK file: ..\..\..\..\..\UClient.exe (relative to the Startup folder the shortcut is dropped in, this resolves to C:\Users\user\AppData\Roaming\UClient.exe)
            Source: crypted_UClient.exe | Static PE information: Image base 0x140000000 > 0x60000000
            Source: crypted_UClient.exe | Static PE information: data directory types present: IMAGE_DIRECTORY_ENTRY_IMPORT, IMAGE_DIRECTORY_ENTRY_RESOURCE, IMAGE_DIRECTORY_ENTRY_BASERELOC, IMAGE_DIRECTORY_ENTRY_DEBUG, IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG, IMAGE_DIRECTORY_ENTRY_IAT
            Source: crypted_UClient.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
            Source: crypted_UClient.exe, UClient.exe.0.dr | Binary string: Unhook.pdb
            Source: crypted_UClient.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: crypted_UClient.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: crypted_UClient.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: crypted_UClient.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: crypted_UClient.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Note: the submitted file is a native 64-bit image (image base 0x140000000, high-entropy ASLR and NX enabled, no CLR data directory), not a .NET executable. The dropped C:\Users\user\AppData\Roaming\UClient.exe carries the same PDB name Unhook.pdb, consistent with it being a copy of this native loader; the XWorm .NET client it runs is visible only in the memory dumps listed under Data Obfuscation.

            Data Obfuscation

            Source: 0.2.crypted_UClient.exe.25193910000.0.raw.unpack, 6.2.UClient.exe.22bb0f3ce50.1.raw.unpack, 6.2.UClient.exe.22bb0d80000.0.raw.unpack, 9.2.UClient.exe.2a2dbffce00.1.raw.unpack, 9.2.UClient.exe.2a2dbd60000.0.raw.unpack, 10.2.UClient.exe.1a04cbf0000.0.raw.unpack, 10.2.UClient.exe.1a04cedcea0.1.raw.unpack, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: (the same seven memory dumps), Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: (the same seven memory dumps), Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[])
            Source: (the same seven memory dumps), Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[])
            Source: (the same seven memory dumps), Messages.cs | .Net Code: Memory
            Note: the same .NET client is unpacked from the submitted loader (process 0) and from every dropped UClient.exe instance (processes 6, 9 and 10). The two LateCall fragments are the plugin dispatcher. The first hands a dynamically loaded plugin the C2 host and port, the packet separator (SPL), the encryption key and the client identifier returned by Helper.ID(); the second hands it field 2 of a received packet plus field 3 after Base64 decoding and decompression, and the Plugin and Memory handlers load that byte array with System.AppDomain.Load(byte[]). Plugins therefore never touch disk: the only artifacts are the in-memory assemblies and the C2 packets that delivered them. Because the call goes through Microsoft.VisualBasic.CompilerServices.NewLateBinding, none of the plugin's type or method names appear in the client's own metadata, which is why the report flags it as dynamic method invocation.
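As an added example, not code from this report or from XWorm itself, the Python below reproduces the decode step shown in the second LateCall fragment so an analyst can recover a delivered plugin from a captured command packet and hash it. Everything beyond what the fragments show is an assumption and is marked as such in the code: the separator value, the position of the command word in the packet, that Helper.Decompress is gzip, that the packet has already been decrypted with Settings.KEY, and the sample packet, which is constructed around a fake PE header rather than a real assembly.

```python
"""Recover the plugin carried in field 3 of a decoded XWorm command packet.

Added example. Assumptions not stated in the report: fields are split on the
Settings.SPL separator, field 0 is the command word, Helper.Decompress is gzip,
and the packet string has already been decrypted with Settings.KEY.
"""
import base64
import gzip
import hashlib
import struct

SPL = "<Xwormmm>"  # assumed separator value, used for the constructed sample only


def decompress_field(field: str) -> bytes:
    """Convert.FromBase64String followed by gzip decompression (assumed to mirror Helper.Decompress)."""
    return gzip.decompress(base64.b64decode(field))


def looks_like_pe(blob: bytes) -> bool:
    """Sanity check before treating a decoded blob as an assembly: MZ header and PE signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def extract_plugin(packet: str, separator: str = SPL) -> dict:
    """Split a packet as the client does and recover the assembly in Pack[3]."""
    pack = packet.split(separator)
    if len(pack) < 4:
        raise ValueError("packet has fewer than four fields; not a plugin delivery")
    assembly = decompress_field(pack[3])
    return {
        "command": pack[0],          # assumed position of the command word
        "plugin_name": pack[2],      # Pack[2], the plugin's first LateCall argument
        "is_pe": looks_like_pe(assembly),
        "size": len(assembly),
        "sha256": hashlib.sha256(assembly).hexdigest(),
        "assembly": assembly,
    }


def build_fake_assembly() -> bytes:
    """Constructed stand-in for a .NET plugin: a valid MZ/PE header skeleton with no code."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew points at the PE signature
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 64


def build_fake_packet(name: str, assembly: bytes, separator: str = SPL) -> str:
    """Constructed packet in the shape the decompiled handler reads: cmd, arg, name, payload."""
    payload = base64.b64encode(gzip.compress(assembly)).decode()
    return separator.join(["Plugin", "", name, payload])


if __name__ == "__main__":
    info = extract_plugin(build_fake_packet("Keylogger", build_fake_assembly()))
    print({k: v for k, v in info.items() if k != "assembly"})
```

On a real capture, pass the decrypted packet string to extract_plugin and record the returned sha256 as the indicator for the plugin; if looks_like_pe fails on the output, the separator or the decompression assumption is wrong, since the Base64 step is fixed by the decompiled code.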
            Source: C:\Users\user\Desktop\crypted_UClient.exe | Code function: 0_2_00007FF79D8B13F2 LoadLibraryA,GetProcAddress,VirtualAlloc,VirtualProtect,GetProcessHeap,HeapFree,GetProcAddress,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,WakeByAddressSingle,GetLastError,GetLastError,0_2_00007FF79D8B13F2
            Source: C:\Users\user\Desktop\crypted_UClient.exe | Code function: 0_2_0000025191F6016D push ss; iretd 0_2_0000025191F6016E
            Source: C:\Users\user\AppData\Roaming\UClient.exe | Code function: 6_2_0000022BAF2C016D push ss; iretd 6_2_0000022BAF2C016E
            Source: C:\Users\user\AppData\Roaming\UClient.exe | Code function: 9_2_000002A2DA4C016D push ss; iretd 9_2_000002A2DA4C016E
            Source: C:\Users\user\AppData\Roaming\UClient.exe | Code function: 10_2_000001A04B25016D push ss; iretd 10_2_000001A04B25016E
            Source: C:\Users\user\Desktop\crypted_UClient.exe | File created: C:\Users\user\AppData\Roaming\UClient.exe
            Note: the function at 0x7FF79D8B13F2 resolves imports at runtime (LoadLibraryA, GetProcAddress) and then calls VirtualAlloc and VirtualProtect, the usual shape of a loader staging a payload in memory. The push ss; iretd hits sit in dynamically allocated regions at the same page offset (0x16D) in every process; a privileged-instruction pair at such an address is the disassembler reading non-code bytes, not a real function, and can be ignored.

            Boot Survival

            Source: C:\Users\user\Desktop\crypted_UClient.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "UClient" /tr "C:\Users\user\AppData\Roaming\UClient.exe"
            Source: C:\Users\user\Desktop\crypted_UClient.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UClient.lnk
            Source: C:\Users\user\Desktop\crypted_UClient.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run UClient
            Note: three independent persistence mechanisms all point at the dropped copy C:\Users\user\AppData\Roaming\UClient.exe: a scheduled task named UClient that fires every minute (/sc minute /mo 1), an HKCU Run value of the same name, and a Startup-folder shortcut whose relative target ..\..\..\..\..\UClient.exe resolves to the same file. /f silently replaces any existing task called UClient, and /RL HIGHEST only asks for the highest run level the account already has; it does not elevate by itself. None of the three needs administrator rights, and the one-minute task doubles as a watchdog: killing the process without deleting the task brings it back within a minute, so remediation has to remove all three and the file.
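Added example, not part of the report: a small Python triage routine that scores the schtasks command line above and checks that the task, the Run value and the Startup shortcut all point at one file. The events are constructed from the report's own lines; the data of the Run value is assumed to be the dropped path, since the report records only the value name.

```python
"""Triage of the persistence set recorded above (constructed sample events).

Added example. The schtasks command line and the .lnk relative target are taken
from the report; the Run value data is assumed, as the report shows only the name.
"""
import ntpath
import re

STARTUP_DIR = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

# Directories a standard user can write to. A task or Run value launching a binary
# from one of these deserves a look; legitimately scheduled system tools do not live here.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\",
                 "\\desktop\\", "\\downloads\\")


def tokenize(cmdline: str) -> list:
    """Split a Windows command line, keeping quoted arguments whole and unquoted."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_schtasks(cmdline: str) -> dict:
    """Map schtasks.exe switches to their values; bare switches such as /f map to True."""
    tokens = tokenize(cmdline)
    opts = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("/")
            opts[key] = tokens[i + 1] if has_value else True
            i += 2 if has_value else 1
        else:
            i += 1
    return opts


def is_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def assess_task(cmdline: str) -> list:
    """Return the reasons a schtasks /create line looks like malware persistence (empty if none)."""
    opts = parse_schtasks(cmdline)
    if "create" not in opts:
        return []
    reasons = []
    target = str(opts.get("tr", ""))
    if is_user_writable(target):
        reasons.append(f"task launches a binary from a user-writable path: {target}")
    interval = str(opts.get("mo", ""))
    if str(opts.get("sc", "")).lower() == "minute" and interval.isdigit() and int(interval) <= 5:
        reasons.append(f"task re-runs every {interval} minute(s), restarting the payload if killed")
    if str(opts.get("rl", "")).upper() == "HIGHEST":
        reasons.append("task requests the highest run level available to the account")
    if opts.get("f") is True:
        reasons.append("/f silently overwrites any existing task with the same name")
    return reasons


def resolve_lnk_target(lnk_dir: str, relative_target: str) -> str:
    """Resolve the relative target stored in a Startup-folder .lnk against the folder it sits in."""
    return ntpath.normpath(ntpath.join(lnk_dir, relative_target))


def shared_persistence_target(task_cmdline: str, run_key_data: str, lnk_dir: str, lnk_relative: str):
    """Return the one binary all three mechanisms point at, or None if they disagree."""
    task_target = str(parse_schtasks(task_cmdline).get("tr", ""))
    lnk_target = resolve_lnk_target(lnk_dir, lnk_relative)
    paths = {p.lower() for p in (task_target, run_key_data, lnk_target)}
    return task_target if len(paths) == 1 else None


# Constructed sample events built from the report lines above.
TASK_CMDLINE = (r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 '
                r'/tn "UClient" /tr "C:\Users\user\AppData\Roaming\UClient.exe"')
RUN_KEY_DATA = r"C:\Users\user\AppData\Roaming\UClient.exe"  # assumed: report shows only the value name
LNK_RELATIVE = r"..\..\..\..\..\UClient.exe"

if __name__ == "__main__":
    for reason in assess_task(TASK_CMDLINE):
        print("task:", reason)
    print("lnk resolves to:", resolve_lnk_target(STARTUP_DIR, LNK_RELATIVE))
    print("common target:", shared_persistence_target(TASK_CMDLINE, RUN_KEY_DATA, STARTUP_DIR, LNK_RELATIVE))
```

The same functions work on live data: feed assess_task the command line from a process-creation event (Sysmon event 1 or Security 4688) and compare the result of shared_persistence_target against the Run value and Startup shortcuts enumerated on the host, so the cleanup covers every entry that points at the same file.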
            Source: C:\Users\user\Desktop\crypted_UClient.exe | Code function: 0_2_00007FF79D902840 SetLastError,GetCurrentDirectoryW,GetLastError,GetLastError,GetProcessHeap,HeapFree,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlLookupFunctionEntry,WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,memset,GetProcAddress,GetCurrentProcess,lstrlenW,GetCurrentProcessId,CreateMutexA,CloseHandle,ReleaseMutex,GetProcAddress,GetCurrentProcess,GetProcAddress,GetCurrentProcess,GetProcessHeap,HeapFree,GetCurrentProcess,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,ReleaseMutex,RtlVirtualUnwind,memset,WideCharToMultiByte,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,0_2_00007FF79D902840
            Source: C:\Users\user\Desktop\crypted_UClient.exe | Process information set: NOOPENFILEERRORBOX (42 occurrences)
            Source: C:\Users\user\AppData\Roaming\UClient.exe | Process information set: NOOPENFILEERRORBOX (59 occurrences across the UClient.exe instances)
            Source: C:\Users\user\AppData\Roaming\UClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\UClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\UClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\UClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\UClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\UClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\UClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\UClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\UClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\UClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\UClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\UClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\crypted_UClient.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
            Source: C:\Users\user\Desktop\crypted_UClient.exe; Memory allocated: 251938E0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\crypted_UClient.exe; Memory allocated: 251ABA40000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\UClient.exe; Memory allocated: 22BB0C30000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\UClient.exe; Memory allocated: 22BC8F30000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\UClient.exe; Memory allocated: 2A2DBD30000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\UClient.exe; Memory allocated: 2A2F3FF0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\UClient.exe; Memory allocated: 1A04CBC0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\UClient.exe; Memory allocated: 1A064ED0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\crypted_UClient.exe; Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\UClient.exe; Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\crypted_UClient.exe; Window / User API: threadDelayed 8193
            Source: C:\Users\user\Desktop\crypted_UClient.exe; Window / User API: threadDelayed 1644
            Source: C:\Users\user\Desktop\crypted_UClient.exe TID: 3204; Thread sleep time: -1844674407370954s >= -30000s
            Source: C:\Users\user\Desktop\crypted_UClient.exe TID: 5372; Thread sleep count: 8193 > 30
            Source: C:\Users\user\Desktop\crypted_UClient.exe TID: 5372; Thread sleep count: 1644 > 30
            Source: C:\Users\user\AppData\Roaming\UClient.exe TID: 3924; Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Roaming\UClient.exe TID: 6076; Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Roaming\UClient.exe TID: 5820; Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
            Source: C:\Users\user\Desktop\crypted_UClient.exe; File Volume queried: C:\ FullSizeInformation
            Source: C:\Users\user\AppData\Roaming\UClient.exe; File Volume queried: C:\ FullSizeInformation
            Source: C:\Users\user\Desktop\crypted_UClient.exe; Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\UClient.exe; Thread delayed: delay time: 922337203685477
            Source: crypted_UClient.exe, 00000000.00000002.4592984617.00000251AC25B000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAWic%SystemRoot%\system32\mswsock.dll </providers>
            Source: C:\Users\user\Desktop\crypted_UClient.exe; Code function: 0_2_00007FF79D907244 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF79D907244
            Source: C:\Users\user\Desktop\crypted_UClient.exe; Code function: 0_2_00007FF79D8B13F2 LoadLibraryA,GetProcAddress,VirtualAlloc,VirtualProtect,GetProcessHeap,HeapFree,GetProcAddress,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,WakeByAddressSingle,GetLastError,GetLastError,0_2_00007FF79D8B13F2
            Source: C:\Users\user\Desktop\crypted_UClient.exe; Code function: 0_2_00007FF79D8C89B2 GetProcessHeap,RtlFreeHeap,memcmp,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,memcpy,GetProcessHeap,HeapFree,VirtualAlloc,VirtualProtect,VirtualProtect,WriteProcessMemory,EnumCalendarInfoA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,0_2_00007FF79D8C89B2
            Source: C:\Users\user\Desktop\crypted_UClient.exe; Process token adjusted: Debug
            Source: C:\Users\user\AppData\Roaming\UClient.exe; Process token adjusted: Debug
            Source: C:\Users\user\Desktop\crypted_UClient.exe; Code function: 0_2_00007FF79D907244 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF79D907244
            Source: C:\Users\user\Desktop\crypted_UClient.exe; Code function: 0_2_00007FF79D9073E8 SetUnhandledExceptionFilter,0_2_00007FF79D9073E8
            Source: C:\Users\user\AppData\Roaming\UClient.exe; Code function: 6_2_00007FF718C77244 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_00007FF718C77244
            Source: C:\Users\user\AppData\Roaming\UClient.exe; Code function: 6_2_00007FF718C773E8 SetUnhandledExceptionFilter,6_2_00007FF718C773E8
            Source: C:\Users\user\Desktop\crypted_UClient.exe; Memory allocated: page read and write | page guard
            Source: C:\Users\user\Desktop\crypted_UClient.exe; Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "UClient" /tr "C:\Users\user\AppData\Roaming\UClient.exe"
            Source: C:\Users\user\Desktop\crypted_UClient.exe; Queries volume information: C:\ VolumeInformation
            Source: C:\Users\user\Desktop\crypted_UClient.exe; Code function: 0_2_00007FF79D90711C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00007FF79D90711C
            Source: C:\Users\user\Desktop\crypted_UClient.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: crypted_UClient.exe, 00000000.00000002.4587792125.0000025192086000.00000004.00000020.00020000.00000000.sdmp, crypted_UClient.exe, 00000000.00000002.4592984617.00000251AC25B000.00000004.00000020.00020000.00000000.sdmp, crypted_UClient.exe, 00000000.00000002.4592984617.00000251AC216000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
            Source: C:\Users\user\Desktop\crypted_UClient.exe; WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

            Stealing of Sensitive Information

            Source: Yara match; File source: 9.2.UClient.exe.2a2dbd60000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 6.2.UClient.exe.22bb0d80000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 9.2.UClient.exe.2a2dbd60000.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 10.2.UClient.exe.1a04cedcea0.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 10.2.UClient.exe.1a04cedcea0.1.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 6.2.UClient.exe.22bb0d80000.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 10.2.UClient.exe.1a04cbf0000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 0.2.crypted_UClient.exe.25193910000.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 9.2.UClient.exe.2a2dbffce00.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 6.2.UClient.exe.22bb0f3ce50.1.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 10.2.UClient.exe.1a04cbf0000.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 6.2.UClient.exe.22bb0f3ce50.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 0.2.crypted_UClient.exe.25193910000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 9.2.UClient.exe.2a2dbffce00.1.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 00000006.00000002.4194518088.0000022BB0D80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000006.00000002.4194871536.0000022BB0F31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000002.4588328680.0000025193910000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 0000000A.00000002.3588257874.000001A04CED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 0000000A.00000002.3587178647.000001A04CBF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000009.00000002.3506998399.000002A2DBD60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000009.00000002.3507284880.000002A2DBFF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: Process Memory Space: crypted_UClient.exe PID: 5632, type: MEMORYSTR
            Source: Yara match; File source: Process Memory Space: UClient.exe PID: 4784, type: MEMORYSTR
            Source: Yara match; File source: Process Memory Space: UClient.exe PID: 3268, type: MEMORYSTR
            Source: Yara match; File source: Process Memory Space: UClient.exe PID: 5192, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match; File source: 9.2.UClient.exe.2a2dbd60000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 6.2.UClient.exe.22bb0d80000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 9.2.UClient.exe.2a2dbd60000.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 10.2.UClient.exe.1a04cedcea0.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 10.2.UClient.exe.1a04cedcea0.1.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 6.2.UClient.exe.22bb0d80000.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 10.2.UClient.exe.1a04cbf0000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 0.2.crypted_UClient.exe.25193910000.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 9.2.UClient.exe.2a2dbffce00.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 6.2.UClient.exe.22bb0f3ce50.1.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 10.2.UClient.exe.1a04cbf0000.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 6.2.UClient.exe.22bb0f3ce50.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 0.2.crypted_UClient.exe.25193910000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 9.2.UClient.exe.2a2dbffce00.1.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 00000006.00000002.4194518088.0000022BB0D80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000006.00000002.4194871536.0000022BB0F31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000002.4588328680.0000025193910000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 0000000A.00000002.3588257874.000001A04CED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 0000000A.00000002.3587178647.000001A04CBF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000009.00000002.3506998399.000002A2DBD60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000009.00000002.3507284880.000002A2DBFF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: Process Memory Space: crypted_UClient.exe PID: 5632, type: MEMORYSTR
            Source: Yara match; File source: Process Memory Space: UClient.exe PID: 4784, type: MEMORYSTR
            Source: Yara match; File source: Process Memory Space: UClient.exe PID: 3268, type: MEMORYSTR
            Source: Yara match; File source: Process Memory Space: UClient.exe PID: 5192, type: MEMORYSTR
MITRE ATT&CK Matrix (one line per tactic; numeric prefixes are the counts shown in the report):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 11 Windows Management Instrumentation; 2 Command and Scripting Interpreter; 1 Scheduled Task/Job; 1 Native API; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 Scheduled Task/Job; 21 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 11 Process Injection; 1 Scheduled Task/Job; 21 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 131 Virtualization/Sandbox Evasion; 11 Process Injection; 11 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 2 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 1 System Time Discovery; 241 Security Software Discovery; 131 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 14 System Information Discovery; Remote System Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 11 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Source | Detection | Scanner | Label
crypted_UClient.exe | 21% | ReversingLabs | ByteCode-MSIL.Trojan.Generic
C:\Users\user\AppData\Roaming\UClient.exe | 21% | ReversingLabs | ByteCode-MSIL.Trojan.Generic
No Antivirus matches
Source | Detection | Scanner | Label
154.216.18.132 | 0% | Avira URL Cloud | safe
http://www.oracle.net0 | 0% | Avira URL Cloud | safe
            No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
154.216.18.132 | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.oracle.net0 | crypted_UClient.exe, UClient.exe.0.dr | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | crypted_UClient.exe, 00000000.00000002.4588540837.0000025193A41000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
IP | Domain | Country | ASN | ASN Name | Malicious
154.216.18.132 | unknown | Seychelles | 135357 | SKHT-AS Shenzhen Katherine Heng Technology Information Co | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1577565
Start date and time: 2024-12-18 15:32:23 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 33s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: crypted_UClient.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@8/3@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 75
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.63, 172.202.163.200
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: crypted_UClient.exe
Time | Type | Description
09:34:16 | API Interceptor | 6512408x Sleep call for process: crypted_UClient.exe modified
15:34:18 | Task Scheduler | Run new task: UClient path: C:\Users\user\AppData\Roaming\UClient.exe
15:34:19 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run UClient C:\Users\user\AppData\Roaming\UClient.exe
15:34:27 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run UClient C:\Users\user\AppData\Roaming\UClient.exe
15:34:37 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UClient.lnk
Match | Associated Sample Name / URL | Detection | Threat Name
154.216.18.132 | RMX.exe | malicious | Remcos
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context IP
SKHT-AS Shenzhen Katherine Heng Technology Information Co | 22TxDBB1.bat | malicious | Unknown | 154.216.17.110
SKHT-AS Shenzhen Katherine Heng Technology Information Co | Arrival Notice.exe | malicious | Remcos | 154.216.17.190
SKHT-AS Shenzhen Katherine Heng Technology Information Co | jew.ppc.elf | malicious | Unknown | 156.230.19.169
SKHT-AS Shenzhen Katherine Heng Technology Information Co | http://kmaybelsrka.sbs:6793/bab.zip | malicious | Unknown | 154.216.17.175
SKHT-AS Shenzhen Katherine Heng Technology Information Co | https://garfieldthecat.tech/Receipt.html | malicious | WinSearchAbuse | 154.216.17.175
SKHT-AS Shenzhen Katherine Heng Technology Information Co | Sublabially.vbs | malicious | Remcos, GuLoader | 154.216.18.216
SKHT-AS Shenzhen Katherine Heng Technology Information Co | ZppxPm0ASs.exe | malicious | Xmrig | 154.216.20.243
SKHT-AS Shenzhen Katherine Heng Technology Information Co | RUN.VBS.vbs | malicious | Unknown | 154.216.18.89
SKHT-AS Shenzhen Katherine Heng Technology Information Co | arm4.elf | malicious | Mirai | 156.230.19.168
SKHT-AS Shenzhen Katherine Heng Technology Information Co | h.html | malicious | Unknown | 154.216.18.69
No context
Process: C:\Users\user\AppData\Roaming\UClient.exe
File Type: CSV text
Category: dropped
Size (bytes): 654
Entropy (8bit): 5.380476433908377
Encrypted: false
SSDEEP: 12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
MD5: 30E4BDFC34907D0E4D11152CAEBE27FA
SHA1: 825402D6B151041BA01C5117387228EC9B7168BF
SHA-256: A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
SHA-512: 89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
Malicious: false
Reputation: moderate, very likely benign file
                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

Process: C:\Users\user\Desktop\crypted_UClient.exe
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Dec 18 13:34:14 2024, mtime=Wed Dec 18 13:34:14 2024, atime=Wed Dec 18 13:34:14 2024, length=543144, window=hide
Category: dropped
Size (bytes): 767
Entropy (8bit): 5.073490850007125
Encrypted: false
SSDEEP: 12:81M24qypnu8ChmRLll2lXIsY//YXaLXIXjAe+HFqj1b1bmV:81WTDdL+lXUokYzAeZpbxm
MD5: 756F9F9CDE6FF9CFBBD5C360871D9592
SHA1: 12E50E70D8ACC6BF8FC94A9FFA8B49BEA830EE46
SHA-256: BD8C74FB5AA65A29AF6B3506673A337D4B7D64BB84B375F245888D482DFDA4BB
SHA-512: 20F004CA01E193E6DA2994B36DE214EB6AD9CF0B2A2B76E33A6913B73F2F10B9DBB40A9EF76829D81C83FD08DBFCB5CB4714F53A370C0EE0E25D6637D1A437D4
Malicious: false
Reputation: low
                Preview:L..................F.... ...@.x.YQ..@.x.YQ..@.x.YQ...I......................v.:..DG..Yr?.D..U..k0.&...&.......$..S.....x.YQ....w.YQ......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2.Y't...........................^.A.p.p.D.a.t.a...B.V.1......Y$t..Roaming.@......EW<2.Y$t..../.....................bF%.R.o.a.m.i.n.g.....b.2..I...YHt .UClient.exe.H......YHt.YHt..............................U.C.l.i.e.n.t...e.x.e.......\...............-.......[...........z!.=.....C:\Users\user\AppData\Roaming\UClient.exe........\.....\.....\.....\.....\.U.C.l.i.e.n.t...e.x.e.`.......X.......830021...........hT..CrF.f4... ...!M....-...-$..hT..CrF.f4... ...!M....-...-$.E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

Process: C:\Users\user\Desktop\crypted_UClient.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 543144
Entropy (8bit): 5.982481344403472
Encrypted: false
SSDEEP: 12288:8MMXYaLZ9hiNb1zg/omm0CyYofToRqM5b:8MMoaLZ9INJzComyyY8ToYE
MD5: C1BFA131BBDEF5F2E438D5C8BBAEF2CA
SHA1: 23C1632A3B7A813C600F62E1DB91BC8F5393F92E
SHA-256: 018A3230583FA89466619A1561B96A5402FEA166F0AB3A94E0E0787DE2A69843
SHA-512: 71B8167276694799C1B9889CEDE47C99DEE01327B4A90B754ED153F497040E7F021DEFBE2AC40C3D7D24AAD9145EA12F90F451E2285B07D27BF30962EDCA335C
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 21%
Reputation: low
                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s."X..qX..qX..qQj0qR..qI..pZ..qI..p[..qI..pQ..qI..pN..qX..q...qX..qT..q..pY..qRichX..q........................PE..d....g`g.........."....*.z..........0n.........@.........................................`.................................................<........P.......@.......D.......p..(.......T.......................(.......@............................................text....y.......z.................. ..`.rdata..R............~..............@..@.data........0......................@....pdata.......@......................@..@.rsrc........P.......*..............@..@.reloc..(....p.......@..............@..B................................................................................................................................................................................................................................................................

File type: PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit): 5.982481344403472
TrID:
• Win64 Executable GUI (202006/5) 92.65%
• Win64 Executable (generic) (12005/4) 5.51%
• Generic Win/DOS Executable (2004/3) 0.92%
• DOS Executable Generic (2002/1) 0.92%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: crypted_UClient.exe
File size: 543'144 bytes
MD5: c1bfa131bbdef5f2e438d5c8bbaef2ca
SHA1: 23c1632a3b7a813c600f62e1db91bc8f5393f92e
SHA256: 018a3230583fa89466619a1561b96a5402fea166f0ab3a94e0e0787de2a69843
SHA512: 71b8167276694799c1b9889cede47c99dee01327b4a90b754ed153f497040e7f021defbe2ac40c3d7d24aad9145ea12f90f451e2285b07d27bf30962edca335c
SSDEEP: 12288:8MMXYaLZ9hiNb1zg/omm0CyYofToRqM5b:8MMoaLZ9INJzComyyY8ToYE
TLSH: 09C42827F2400453C96DD079C70E11A7432EFAFB0712FBBAB16552613EA2E6C6E2D395
                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s."X..qX..qX..qQj0qR..qI..pZ..qI..p[..qI..pQ..qI..pN..qX..q...qX..qT..q...pY..qRichX..q........................PE..d....g`g...
Icon Hash: e9d266251b25d473
Entrypoint: 0x140056e30
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x140000000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x6760679D [Mon Dec 16 17:47:09 2024 UTC]
TLS Callbacks: 0x4004e470, 0x1
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: a8e772fb4810a3d8507cc8f937a90eab
Signature Valid: false
Signature Issuer: CN=Oracle Corporation
Signature Validation Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number: -2146762487
Not Before, Not After:
• 16/12/2024 18:47:13, 16/03/2025 18:47:13
Subject Chain:
• CN=Oracle Corporation
Version: 3
Thumbprint MD5: C7920E2A1E74DCE62F9A2F3D8C28D792
Thumbprint SHA-1: 5806A1DCF4D287570843AD18CA00CBEA9EECA47E
Thumbprint SHA-256: C940D371C9C30E1036E59133AC60D834A758CE8653777CDA115926655EDF9737
Serial: 00BBB9EB2F158018FC459BB0E55AF457
Entrypoint instructions:
                dec eax
                sub esp, 28h
                call 00007F9208B297E8h
                dec eax
                add esp, 28h
                jmp 00007F9208B29377h
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                nop word ptr [eax+eax+00000000h]
                dec eax
                sub esp, 10h
                dec esp
                mov dword ptr [esp], edx
                dec esp
                mov dword ptr [esp+08h], ebx
                dec ebp
                xor ebx, ebx
                dec esp
                lea edx, dword ptr [esp+18h]
                dec esp
                sub edx, eax
                dec ebp
                cmovb edx, ebx
                dec esp
                mov ebx, dword ptr [00000010h]
                dec ebp
                cmp edx, ebx
                jnc 00007F9208B29518h
                inc cx
                and edx, 8D4DF000h
                wait
                add al, dh
                Programming Language:
                • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x81e3c | 0xdc | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x85000 | 0x15ac | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x84000 | 0xfcc | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x84400 | 0x5a8 | .pdata
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x87000 | 0x328 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x7f8c0 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x7f980 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x7f780 | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x59000 | 0x2e8 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x579e6 | 0x57a00 | 18d460025cbc00b62e1424bda2adfa55 | False | 0.3762621478245364 | data | 5.599603254209463 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x59000 | 0x29952 | 0x29a00 | 3c19be7509167c57297560acd143d5ef | False | 0.5468867304804805 | data | 4.933389142769402 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x83000 | 0x2e0 | 0x200 | c0ea16c9dd291d996228ca9b1c0bf7d9 | False | 0.208984375 | Matlab v4 mat-file (little endian), text, rows 0, columns 0 | 1.5570059233000273 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x84000 | 0xfcc | 0x1000 | 9842561b1e7ccfa08ce163ad7d91be4e | False | 0.49853515625 | data | 5.325946826058646 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x85000 | 0x15ac | 0x1600 | 267941f788229ea51a52351cd560b75a | False | 0.3918678977272727 | data | 3.7249803112951874 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x87000 | 0x328 | 0x400 | c0a5ccd8c6475c101cfa965f9cd195a3 | False | 0.5546875 | data | 4.794919331963851 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x850e8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.38625703564727953
RT_GROUP_ICON | 0x86190 | 0x14 | data | English | United States | 1.1
RT_VERSION | 0x861a4 | 0x408 | data | English | United States | 0.437984496124031
DLL | Import
api-ms-win-core-synch-l1-2-0.dll | WaitOnAddress, WakeByAddressAll, WakeByAddressSingle
kernel32.dll | AddVectoredExceptionHandler, GetLastError, VirtualProtect, VirtualAlloc, SetThreadStackGuarantee, HeapReAlloc, HeapFree, GetProcessHeap, GetCurrentThread, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, LoadLibraryExA, IsDebuggerPresent, UnhandledExceptionFilter, GetEnvironmentVariableW, WideCharToMultiByte, RtlVirtualUnwind, ReleaseMutex, CreateMutexA, GetCurrentProcessId, GetCurrentProcess, WaitForSingleObjectEx, RtlLookupFunctionEntry, RtlCaptureContext, GetCurrentDirectoryW, GetConsoleMode, HeapAlloc, FormatMessageW, GetModuleHandleW, lstrlenW, SetLastError, GetModuleHandleA, WriteConsoleW, MultiByteToWideChar, GetStdHandle, CloseHandle, SetUnhandledExceptionFilter, LoadLibraryA, WaitForSingleObject, GetProcAddress, QueryPerformanceCounter, IsProcessorFeaturePresent
ntdll.dll | NtWriteFile, RtlNtStatusToDosError
oleaut32.dll | SysFreeString, SysStringLen
VCRUNTIME140.dll | _CxxThrowException, memcpy, __CxxFrameHandler3, memset, __current_exception_context, __current_exception, __C_specific_handler, memmove, memcmp
api-ms-win-crt-runtime-l1-1-0.dll | _crt_atexit, terminate, _register_onexit_function, _initialize_onexit_table, _set_app_type, _register_thread_local_exe_atexit_callback, _c_exit, _cexit, __p___argv, __p___argc, _configure_narrow_argv, _exit, exit, _initterm_e, _initterm, _get_initial_narrow_environment, _initialize_narrow_environment, _seh_filter_exe
api-ms-win-crt-math-l1-1-0.dll | __setusermatherr
api-ms-win-crt-stdio-l1-1-0.dll | __p__commode, _set_fmode
api-ms-win-crt-locale-l1-1-0.dll | _configthreadlocale
api-ms-win-crt-heap-l1-1-0.dll | _set_new_mode, free
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-18T15:35:55.609660+0100 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.6 | 50004 | 154.216.18.132 | 6767 | TCP
2024-12-18T15:37:15.186590+0100 | 2853193 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.6 | 50020 | 154.216.18.132 | 6767 | TCP
                Dec 18, 2024 15:35:30.373555899 CET499906767192.168.2.6154.216.18.132
                Dec 18, 2024 15:35:30.493263006 CET676749990154.216.18.132192.168.2.6
                Dec 18, 2024 15:35:32.475733995 CET676749990154.216.18.132192.168.2.6
                Dec 18, 2024 15:35:32.476066113 CET499906767192.168.2.6154.216.18.132
                Dec 18, 2024 15:35:36.198124886 CET499906767192.168.2.6154.216.18.132
                Dec 18, 2024 15:35:36.206829071 CET500006767192.168.2.6154.216.18.132
                Dec 18, 2024 15:35:36.318483114 CET676749990154.216.18.132192.168.2.6
                Dec 18, 2024 15:35:36.327359915 CET676750000154.216.18.132192.168.2.6
                Dec 18, 2024 15:35:36.330665112 CET500006767192.168.2.6154.216.18.132
                Dec 18, 2024 15:35:36.385890007 CET500006767192.168.2.6154.216.18.132
                Dec 18, 2024 15:35:36.506289005 CET676750000154.216.18.132192.168.2.6
                Dec 18, 2024 15:35:38.291667938 CET500006767192.168.2.6154.216.18.132
                Dec 18, 2024 15:35:38.411817074 CET676750000154.216.18.132192.168.2.6
                Dec 18, 2024 15:35:38.558907986 CET676750000154.216.18.132192.168.2.6
                Dec 18, 2024 15:35:38.559021950 CET500006767192.168.2.6154.216.18.132
                Dec 18, 2024 15:35:43.416522980 CET500006767192.168.2.6154.216.18.132
                Dec 18, 2024 15:35:43.420130968 CET500026767192.168.2.6154.216.18.132
                Dec 18, 2024 15:35:43.536570072 CET676750000154.216.18.132192.168.2.6
                Dec 18, 2024 15:35:43.542372942 CET676750002154.216.18.132192.168.2.6
                Dec 18, 2024 15:35:43.542471886 CET500026767192.168.2.6154.216.18.132
                Dec 18, 2024 15:35:43.571397066 CET500026767192.168.2.6154.216.18.132
                Dec 18, 2024 15:35:43.691632032 CET676750002154.216.18.132192.168.2.6
                Dec 18, 2024 15:35:44.635478973 CET500026767192.168.2.6154.216.18.132
                Dec 18, 2024 15:35:44.755059004 CET676750002154.216.18.132192.168.2.6
                Dec 18, 2024 15:35:45.757842064 CET676750002154.216.18.132192.168.2.6
                Dec 18, 2024 15:35:45.760287046 CET500026767192.168.2.6154.216.18.132
                Dec 18, 2024 15:35:49.651743889 CET500026767192.168.2.6154.216.18.132
                Dec 18, 2024 15:35:49.690571070 CET500036767192.168.2.6154.216.18.132
                Dec 18, 2024 15:35:49.772639990 CET676750002154.216.18.132192.168.2.6
                Dec 18, 2024 15:35:49.810252905 CET676750003154.216.18.132192.168.2.6
                Dec 18, 2024 15:35:49.816968918 CET500036767192.168.2.6154.216.18.132
                Dec 18, 2024 15:35:50.026246071 CET500036767192.168.2.6154.216.18.132
                Dec 18, 2024 15:35:50.145783901 CET676750003154.216.18.132192.168.2.6
                Dec 18, 2024 15:35:51.245192051 CET500036767192.168.2.6154.216.18.132
                Dec 18, 2024 15:35:51.365607023 CET676750003154.216.18.132192.168.2.6
                Dec 18, 2024 15:35:52.039841890 CET676750003154.216.18.132192.168.2.6
                Dec 18, 2024 15:35:52.040008068 CET500036767192.168.2.6154.216.18.132
                Dec 18, 2024 15:35:55.310476065 CET500036767192.168.2.6154.216.18.132
                Dec 18, 2024 15:35:55.318779945 CET500046767192.168.2.6154.216.18.132
                Dec 18, 2024 15:35:55.430140972 CET676750003154.216.18.132192.168.2.6
                Dec 18, 2024 15:35:55.438585997 CET676750004154.216.18.132192.168.2.6
                Dec 18, 2024 15:35:55.438684940 CET500046767192.168.2.6154.216.18.132
                Dec 18, 2024 15:35:55.490000963 CET500046767192.168.2.6154.216.18.132
                Dec 18, 2024 15:35:55.609596014 CET676750004154.216.18.132192.168.2.6
                Dec 18, 2024 15:35:55.609659910 CET500046767192.168.2.6154.216.18.132
                Dec 18, 2024 15:35:55.729307890 CET676750004154.216.18.132192.168.2.6
                Dec 18, 2024 15:35:57.307588100 CET500046767192.168.2.6154.216.18.132
                Dec 18, 2024 15:35:57.427383900 CET676750004154.216.18.132192.168.2.6
                Dec 18, 2024 15:35:57.696374893 CET676750004154.216.18.132192.168.2.6
                Dec 18, 2024 15:35:57.697222948 CET500046767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:00.620471001 CET500046767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:00.626435995 CET500056767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:00.740029097 CET676750004154.216.18.132192.168.2.6
                Dec 18, 2024 15:36:00.746196032 CET676750005154.216.18.132192.168.2.6
                Dec 18, 2024 15:36:00.746264935 CET500056767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:00.786055088 CET500056767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:00.905742884 CET676750005154.216.18.132192.168.2.6
                Dec 18, 2024 15:36:01.369769096 CET500056767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:01.489403009 CET676750005154.216.18.132192.168.2.6
                Dec 18, 2024 15:36:01.489458084 CET500056767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:01.610841036 CET676750005154.216.18.132192.168.2.6
                Dec 18, 2024 15:36:02.976962090 CET676750005154.216.18.132192.168.2.6
                Dec 18, 2024 15:36:02.977044106 CET500056767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:06.557087898 CET500056767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:06.562412977 CET500066767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:06.677205086 CET676750005154.216.18.132192.168.2.6
                Dec 18, 2024 15:36:06.682045937 CET676750006154.216.18.132192.168.2.6
                Dec 18, 2024 15:36:06.682121992 CET500066767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:06.728024006 CET500066767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:06.847803116 CET676750006154.216.18.132192.168.2.6
                Dec 18, 2024 15:36:07.057173967 CET500066767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:07.177052021 CET676750006154.216.18.132192.168.2.6
                Dec 18, 2024 15:36:07.177109003 CET500066767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:07.298517942 CET676750006154.216.18.132192.168.2.6
                Dec 18, 2024 15:36:08.914794922 CET676750006154.216.18.132192.168.2.6
                Dec 18, 2024 15:36:08.914861917 CET500066767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:12.153434992 CET500066767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:12.161462069 CET500076767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:12.273111105 CET676750006154.216.18.132192.168.2.6
                Dec 18, 2024 15:36:12.281296968 CET676750007154.216.18.132192.168.2.6
                Dec 18, 2024 15:36:12.281526089 CET500076767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:12.448368073 CET500076767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:12.570337057 CET676750007154.216.18.132192.168.2.6
                Dec 18, 2024 15:36:12.791830063 CET500076767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:12.911631107 CET676750007154.216.18.132192.168.2.6
                Dec 18, 2024 15:36:14.509917021 CET676750007154.216.18.132192.168.2.6
                Dec 18, 2024 15:36:14.510034084 CET500076767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:14.511544943 CET500076767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:14.511544943 CET500086767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:14.633972883 CET676750007154.216.18.132192.168.2.6
                Dec 18, 2024 15:36:14.633991957 CET676750008154.216.18.132192.168.2.6
                Dec 18, 2024 15:36:14.634218931 CET500086767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:14.705612898 CET500086767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:14.825490952 CET676750008154.216.18.132192.168.2.6
                Dec 18, 2024 15:36:14.885267019 CET500086767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:15.005418062 CET676750008154.216.18.132192.168.2.6
                Dec 18, 2024 15:36:15.041661978 CET500086767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:15.162569046 CET676750008154.216.18.132192.168.2.6
                Dec 18, 2024 15:36:15.592147112 CET500086767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:15.711932898 CET676750008154.216.18.132192.168.2.6
                Dec 18, 2024 15:36:16.135116100 CET500086767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:16.256041050 CET676750008154.216.18.132192.168.2.6
                Dec 18, 2024 15:36:16.852710962 CET676750008154.216.18.132192.168.2.6
                Dec 18, 2024 15:36:16.852790117 CET500086767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:20.697434902 CET500086767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:20.699078083 CET500096767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:20.817462921 CET676750008154.216.18.132192.168.2.6
                Dec 18, 2024 15:36:20.819046021 CET676750009154.216.18.132192.168.2.6
                Dec 18, 2024 15:36:20.819242954 CET500096767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:20.876785994 CET500096767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:20.996531963 CET676750009154.216.18.132192.168.2.6
                Dec 18, 2024 15:36:23.071871996 CET676750009154.216.18.132192.168.2.6
                Dec 18, 2024 15:36:23.071955919 CET500096767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:25.917503119 CET500096767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:25.925112009 CET500106767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:26.037072897 CET676750009154.216.18.132192.168.2.6
                Dec 18, 2024 15:36:26.045360088 CET676750010154.216.18.132192.168.2.6
                Dec 18, 2024 15:36:26.045825958 CET500106767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:26.126307964 CET500106767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:26.245985031 CET676750010154.216.18.132192.168.2.6
                Dec 18, 2024 15:36:28.275042057 CET676750010154.216.18.132192.168.2.6
                Dec 18, 2024 15:36:28.275579929 CET500106767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:31.306838989 CET500106767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:31.310734987 CET500116767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:31.426282883 CET676750010154.216.18.132192.168.2.6
                Dec 18, 2024 15:36:31.430244923 CET676750011154.216.18.132192.168.2.6
                Dec 18, 2024 15:36:31.430315971 CET500116767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:31.470278978 CET500116767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:31.590105057 CET676750011154.216.18.132192.168.2.6
                Dec 18, 2024 15:36:31.590162039 CET500116767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:31.711983919 CET676750011154.216.18.132192.168.2.6
                Dec 18, 2024 15:36:33.649290085 CET676750011154.216.18.132192.168.2.6
                Dec 18, 2024 15:36:33.649379015 CET500116767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:36.588056087 CET500116767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:36.602932930 CET500126767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:36.707781076 CET676750011154.216.18.132192.168.2.6
                Dec 18, 2024 15:36:36.723330021 CET676750012154.216.18.132192.168.2.6
                Dec 18, 2024 15:36:36.723407030 CET500126767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:36.763053894 CET500126767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:36.884030104 CET676750012154.216.18.132192.168.2.6
                Dec 18, 2024 15:36:36.884089947 CET500126767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:37.003882885 CET676750012154.216.18.132192.168.2.6
                Dec 18, 2024 15:36:37.003946066 CET500126767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:37.322232008 CET500126767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:37.398243904 CET676750012154.216.18.132192.168.2.6
                Dec 18, 2024 15:36:37.441921949 CET676750012154.216.18.132192.168.2.6
                Dec 18, 2024 15:36:38.947593927 CET676750012154.216.18.132192.168.2.6
                Dec 18, 2024 15:36:38.947664022 CET500126767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:42.010869026 CET500126767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:42.010874033 CET500136767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:42.130681992 CET676750012154.216.18.132192.168.2.6
                Dec 18, 2024 15:36:42.130775928 CET676750013154.216.18.132192.168.2.6
                Dec 18, 2024 15:36:42.131103039 CET500136767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:42.196151018 CET500136767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:42.315793037 CET676750013154.216.18.132192.168.2.6
                Dec 18, 2024 15:36:44.368904114 CET676750013154.216.18.132192.168.2.6
                Dec 18, 2024 15:36:44.370325089 CET500136767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:47.619299889 CET500136767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:47.623543978 CET500146767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:47.738838911 CET676750013154.216.18.132192.168.2.6
                Dec 18, 2024 15:36:47.743019104 CET676750014154.216.18.132192.168.2.6
                Dec 18, 2024 15:36:47.749496937 CET500146767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:48.009700060 CET500146767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:48.129394054 CET676750014154.216.18.132192.168.2.6
                Dec 18, 2024 15:36:48.137037039 CET500146767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:48.257746935 CET676750014154.216.18.132192.168.2.6
                Dec 18, 2024 15:36:49.978694916 CET676750014154.216.18.132192.168.2.6
                Dec 18, 2024 15:36:49.979115963 CET500146767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:53.166220903 CET500146767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:53.170531034 CET500156767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:53.286288023 CET676750014154.216.18.132192.168.2.6
                Dec 18, 2024 15:36:53.290282965 CET676750015154.216.18.132192.168.2.6
                Dec 18, 2024 15:36:53.290349007 CET500156767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:53.351938963 CET500156767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:53.471749067 CET676750015154.216.18.132192.168.2.6
                Dec 18, 2024 15:36:53.471806049 CET500156767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:53.591331005 CET676750015154.216.18.132192.168.2.6
                Dec 18, 2024 15:36:55.510206938 CET676750015154.216.18.132192.168.2.6
                Dec 18, 2024 15:36:55.510422945 CET500156767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:58.416141987 CET500156767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:58.424300909 CET500166767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:58.535773039 CET676750015154.216.18.132192.168.2.6
                Dec 18, 2024 15:36:58.544487953 CET676750016154.216.18.132192.168.2.6
                Dec 18, 2024 15:36:58.544615030 CET500166767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:58.714112043 CET500166767192.168.2.6154.216.18.132
                Dec 18, 2024 15:36:58.834526062 CET676750016154.216.18.132192.168.2.6
                Dec 18, 2024 15:37:00.789385080 CET676750016154.216.18.132192.168.2.6
                Dec 18, 2024 15:37:00.789457083 CET500166767192.168.2.6154.216.18.132
                Dec 18, 2024 15:37:03.775341988 CET500166767192.168.2.6154.216.18.132
                Dec 18, 2024 15:37:03.780886889 CET500176767192.168.2.6154.216.18.132
                Dec 18, 2024 15:37:03.895153046 CET676750016154.216.18.132192.168.2.6
                Dec 18, 2024 15:37:03.900798082 CET676750017154.216.18.132192.168.2.6
                Dec 18, 2024 15:37:03.902270079 CET500176767192.168.2.6154.216.18.132
                Dec 18, 2024 15:37:04.054075956 CET500176767192.168.2.6154.216.18.132
                Dec 18, 2024 15:37:04.173782110 CET676750017154.216.18.132192.168.2.6
                Dec 18, 2024 15:37:04.291508913 CET500176767192.168.2.6154.216.18.132
                Dec 18, 2024 15:37:04.411519051 CET676750017154.216.18.132192.168.2.6
                Dec 18, 2024 15:37:06.119595051 CET676750017154.216.18.132192.168.2.6
                Dec 18, 2024 15:37:06.121289015 CET500176767192.168.2.6154.216.18.132
                Dec 18, 2024 15:37:09.228848934 CET500176767192.168.2.6154.216.18.132
                Dec 18, 2024 15:37:09.234253883 CET500186767192.168.2.6154.216.18.132
                Dec 18, 2024 15:37:09.348639011 CET676750017154.216.18.132192.168.2.6
                Dec 18, 2024 15:37:09.354115963 CET676750018154.216.18.132192.168.2.6
                Dec 18, 2024 15:37:09.354187012 CET500186767192.168.2.6154.216.18.132
                Dec 18, 2024 15:37:09.386980057 CET500186767192.168.2.6154.216.18.132
                Dec 18, 2024 15:37:09.506587029 CET676750018154.216.18.132192.168.2.6
                Dec 18, 2024 15:37:11.603842020 CET676750018154.216.18.132192.168.2.6
                Dec 18, 2024 15:37:11.603920937 CET500186767192.168.2.6154.216.18.132
                Dec 18, 2024 15:37:14.525481939 CET500186767192.168.2.6154.216.18.132
                Dec 18, 2024 15:37:14.531521082 CET500206767192.168.2.6154.216.18.132
                Dec 18, 2024 15:37:14.645524979 CET676750018154.216.18.132192.168.2.6
                Dec 18, 2024 15:37:14.650950909 CET676750020154.216.18.132192.168.2.6
                Dec 18, 2024 15:37:14.652237892 CET500206767192.168.2.6154.216.18.132
                Dec 18, 2024 15:37:14.817257881 CET500206767192.168.2.6154.216.18.132
                Dec 18, 2024 15:37:14.938275099 CET676750020154.216.18.132192.168.2.6
                Dec 18, 2024 15:37:14.947338104 CET500206767192.168.2.6154.216.18.132
                Dec 18, 2024 15:37:15.067013025 CET676750020154.216.18.132192.168.2.6
                Dec 18, 2024 15:37:15.067075014 CET500206767192.168.2.6154.216.18.132
                Dec 18, 2024 15:37:15.186539888 CET676750020154.216.18.132192.168.2.6
                Dec 18, 2024 15:37:15.186589956 CET500206767192.168.2.6154.216.18.132
                Dec 18, 2024 15:37:15.306550980 CET676750020154.216.18.132192.168.2.6
                Dec 18, 2024 15:37:15.306608915 CET500206767192.168.2.6154.216.18.132
                Dec 18, 2024 15:37:15.427903891 CET676750020154.216.18.132192.168.2.6
                Dec 18, 2024 15:37:16.931704044 CET676750020154.216.18.132192.168.2.6
                Dec 18, 2024 15:37:16.931765079 CET500206767192.168.2.6154.216.18.132
                Dec 18, 2024 15:37:20.291089058 CET500206767192.168.2.6154.216.18.132
                Dec 18, 2024 15:37:20.292484999 CET500216767192.168.2.6154.216.18.132
                Dec 18, 2024 15:37:20.410974979 CET676750020154.216.18.132192.168.2.6
                Dec 18, 2024 15:37:20.412317038 CET676750021154.216.18.132192.168.2.6
                Dec 18, 2024 15:37:20.412518978 CET500216767192.168.2.6154.216.18.132
                Dec 18, 2024 15:37:20.532336950 CET500216767192.168.2.6154.216.18.132
                Dec 18, 2024 15:37:20.652033091 CET676750021154.216.18.132192.168.2.6
                Dec 18, 2024 15:37:20.652199030 CET500216767192.168.2.6154.216.18.132
                Dec 18, 2024 15:37:20.771960974 CET676750021154.216.18.132192.168.2.6
                Dec 18, 2024 15:37:20.963010073 CET500216767192.168.2.6154.216.18.132
                Dec 18, 2024 15:37:21.083066940 CET676750021154.216.18.132192.168.2.6
                Dec 18, 2024 15:37:22.541194916 CET500216767192.168.2.6154.216.18.132
                Dec 18, 2024 15:37:22.638467073 CET676750021154.216.18.132192.168.2.6
                Dec 18, 2024 15:37:22.638813972 CET500216767192.168.2.6154.216.18.132
                Dec 18, 2024 15:37:22.661305904 CET676750021154.216.18.132192.168.2.6
                Dec 18, 2024 15:37:22.758302927 CET676750021154.216.18.132192.168.2.6
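The packet rows above show the sandboxed host opening a fresh TCP connection to 154.216.18.132:6767 every few seconds (source ports 49956, 49976, 49979, ... 50021, each short-lived), which is the timing signature of a C2 check-in loop rather than a single long session. As an added example (not part of the Joe Sandbox report), the Python below parses rows in this five-column layout, collapses packets into client-initiated connections, and flags a peer as a beacon when the gaps between connection starts are regular. The embedded sample rows are copied from the table above (ports 50002 to 50007); the whitespace between columns and the timezone token are assumptions about how the table is rendered, and the thresholds (5 connections, coefficient of variation 0.3) are my own.

```python
"""Beacon detection over Joe Sandbox 'TCP Packets' rows.

Added example, not part of the Joe Sandbox report. Each row is expected as
five whitespace-separated columns: timestamp, source port, destination port,
source IP, destination IP (the layout of the table above)."""
import re
import statistics
from datetime import datetime

ROW = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} \d{1,2}, \d{4}) "
    r"(?P<hh>\d{2}):(?P<mm>\d{2}):(?P<ss>\d{2})\.(?P<frac>\d+) \S+"  # time + tz label (CET here)
    r"\s+(?P<sport>\d{1,5})\s+(?P<dport>\d{1,5})"
    r"\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)
_EPOCH = datetime(1970, 1, 1)


def parse_row(line):
    """One table row -> dict, or None for anything that is not a packet row."""
    m = ROW.match(line.strip())
    if not m:
        return None
    base = datetime.strptime(
        f"{m['date']} {m['hh']}:{m['mm']}:{m['ss']}", "%b %d, %Y %H:%M:%S")
    # strptime's %f stops at 6 digits; the report has 9, so add the fraction by hand.
    ts = (base - _EPOCH).total_seconds() + float("0." + m["frac"])
    return {"ts": ts, "sport": int(m["sport"]), "dport": int(m["dport"]),
            "src": m["src"], "dst": m["dst"]}


def connections(packets):
    """Collapse packets into connections. The first packet seen on a 4-tuple is
    taken as the client's opening packet (true for a capture that starts before
    the connection); packets on the reversed tuple are the server's replies."""
    seen, conns = set(), []
    for p in sorted(packets, key=lambda p: p["ts"]):
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        if fwd in seen or rev in seen:
            continue
        seen.add(fwd)
        conns.append({"ts": p["ts"], "client": p["src"],
                      "server": p["dst"], "port": p["dport"]})
    return conns


def detect_beacons(lines, min_connections=5, max_cv=0.3):
    """Group connections per (client, server, port); report groups whose
    inter-connection gaps are regular (coefficient of variation <= max_cv)."""
    by_peer = {}
    for c in connections([p for p in map(parse_row, lines) if p]):
        by_peer.setdefault((c["client"], c["server"], c["port"]), []).append(c["ts"])
    findings = []
    for (client, server, port), times in by_peer.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        findings.append({"client": client, "server": server, "port": port,
                         "connections": len(times),
                         "median_interval_s": round(statistics.median(gaps), 3),
                         "cv": round(cv, 3), "beacon": cv <= max_cv})
    return findings


# Rows copied from the table above (ports 50002-50007), plus two extra packets
# on the 50002 connection to show that only the opening packet counts.
SAMPLE_ROWS = [
    "Dec 18, 2024 15:35:43.420130968 CET  50002  6767  192.168.2.6  154.216.18.132",
    "Dec 18, 2024 15:35:43.542372942 CET  6767  50002  154.216.18.132  192.168.2.6",
    "Dec 18, 2024 15:35:43.571397066 CET  50002  6767  192.168.2.6  154.216.18.132",
    "Dec 18, 2024 15:35:49.690571070 CET  50003  6767  192.168.2.6  154.216.18.132",
    "Dec 18, 2024 15:35:55.318779945 CET  50004  6767  192.168.2.6  154.216.18.132",
    "Dec 18, 2024 15:36:00.626435995 CET  50005  6767  192.168.2.6  154.216.18.132",
    "Dec 18, 2024 15:36:06.562412977 CET  50006  6767  192.168.2.6  154.216.18.132",
    "Dec 18, 2024 15:36:12.161462069 CET  50007  6767  192.168.2.6  154.216.18.132",
]

if __name__ == "__main__":
    for f in detect_beacons(SAMPLE_ROWS):
        print(f)
```

On the six sampled connections the median gap is about 5.6 s with a coefficient of variation near 0.06, so the peer is flagged. Run over the full table the same logic sees the occasional 2 to 3 s gaps (49976/49979/49984/49990, 50007/50008) that raise the variation; a real implementation should therefore score on the median and the fraction of gaps within a band around it rather than on the raw standard deviation, and should treat the long-lived 49923 session at the top as a separate flow from the short check-ins.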

                Target ID:0
                Start time:09:33:15
                Start date:18/12/2024
                Path:C:\Users\user\Desktop\crypted_UClient.exe
                Wow64 process (32bit):false
                Commandline:"C:\Users\user\Desktop\crypted_UClient.exe"
                Imagebase:0x7ff79d8b0000
                File size:543'144 bytes
                MD5 hash:C1BFA131BBDEF5F2E438D5C8BBAEF2CA
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.4587719290.0000025191F60000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.4588328680.0000025193910000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.4588328680.0000025193910000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                Reputation:low
                Has exited:false

                Target ID:4
                Start time:09:34:15
                Start date:18/12/2024
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "UClient" /tr "C:\Users\user\AppData\Roaming\UClient.exe"
                Imagebase:0x7ff61f2b0000
                File size:235'008 bytes
                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true
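Target ID 4 is the persistence step: schtasks.exe registers a task named UClient that re-launches the dropped copy in AppData\Roaming every minute (/sc minute /mo 1), at the highest run level the caller can obtain (/RL HIGHEST), and with /f so any existing task of that name is replaced without a prompt. As an added example (not part of the Joe Sandbox report), the Python below scores schtasks /create command lines from process-creation telemetry on exactly those traits. The records it runs on are constructed for the example, except the first command line, which is copied from Target ID 4 above; the user-writable path list, the weights and the threshold are my own choices.

```python
"""Hunt for schtasks.exe persistence of the kind created by this sample.

Added example, not part of the Joe Sandbox report. The process-creation
records below are constructed for the example; only the first command line
is copied from Target ID 4 above."""
import re

TOKEN = re.compile(r'"([^"]*)"|(\S+)')
# Locations an unprivileged user can write to; a task binary here is a red flag.
USER_WRITABLE = re.compile(
    r"\\(appdata|programdata|temp|users\\[^\\]+\\(?:downloads|desktop|documents))\\", re.I)


def tokenize(cmdline):
    """Split a Windows command line, keeping quoted paths as one token."""
    return [quoted or bare for quoted, bare in TOKEN.findall(cmdline)]


def parse_create(cmdline):
    """Option map of a 'schtasks /create' command line (keys lower-cased,
    valueless switches mapped to True), or None if it is not one."""
    toks = tokenize(cmdline)
    if not toks or toks[0].rsplit("\\", 1)[-1].lower() not in ("schtasks", "schtasks.exe"):
        return None
    opts, i = {}, 1
    while i < len(toks):
        if toks[i].startswith("/"):
            key = toks[i][1:].lower()
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                opts[key], i = toks[i + 1], i + 2
                continue
            opts[key] = True
        i += 1
    return opts if "create" in opts else None


def score_task(opts):
    """Additive score; each reason mirrors one trait of the UClient task."""
    score, reasons = 0, []
    if str(opts.get("sc", "")).lower() == "minute":
        try:
            every = int(opts.get("mo", 1))
        except (TypeError, ValueError):
            every = 1
        if every <= 5:
            score += 2
            reasons.append(f"re-launched every {every} minute(s)")
    if str(opts.get("rl", "")).lower() == "highest":
        score += 1
        reasons.append("/RL HIGHEST: runs with the highest available privilege")
    target = str(opts.get("tr", ""))
    if USER_WRITABLE.search(target):
        score += 2
        reasons.append(f"task binary in user-writable path: {target}")
    if opts.get("f") is True:
        score += 1
        reasons.append("/f: silently overwrites an existing task of the same name")
    return score, reasons


def hunt(events, threshold=4):
    """Return the events whose schtasks /create command line scores >= threshold."""
    findings = []
    for ev in events:
        opts = parse_create(ev["cmdline"])
        if opts is None:
            continue
        score, reasons = score_task(opts)
        if score >= threshold:
            findings.append({"task": opts.get("tn"), "score": score,
                             "reasons": reasons, "cmdline": ev["cmdline"]})
    return findings


EVENTS = [  # constructed process-creation records; the first cmdline is from Target ID 4
    {"cmdline": r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "UClient" /tr "C:\Users\user\AppData\Roaming\UClient.exe"'},
    {"cmdline": r'schtasks.exe /create /tn "NightlyBackup" /tr "C:\Program Files\Backup\backup.exe" /sc daily /st 02:00'},
    {"cmdline": r'schtasks.exe /create /sc minute /mo 5 /tn "SyncAgent" /tr "C:\Program Files\Sync\agent.exe"'},
    {"cmdline": r'schtasks.exe /query /fo LIST /v'},
]

if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f["task"], f["score"], *f["reasons"], sep="\n  ")
```

The UClient command line scores 6 (minute trigger, highest run level, AppData path, forced overwrite), the nightly backup scores 0 and the five-minute agent under Program Files scores 2, so only the first is reported. The scoring is deliberately additive so that a task with only one of these traits does not alert on its own; the /mo value is also worth recording, since a one-minute trigger at HIGHEST is how the sample keeps an elevated copy alive (Target IDs 6 and 11) even after the unelevated instances (9 and 10) exit.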

                Target ID:5
                Start time:09:34:15
                Start date:18/12/2024
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff66e660000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:6
                Start time:09:34:18
                Start date:18/12/2024
                Path:C:\Users\user\AppData\Roaming\UClient.exe
                Wow64 process (32bit):false
                Commandline:C:\Users\user\AppData\Roaming\UClient.exe
                Imagebase:0x7ff718c20000
                File size:543'144 bytes
                MD5 hash:C1BFA131BBDEF5F2E438D5C8BBAEF2CA
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000006.00000002.4194518088.0000022BB0D80000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000006.00000002.4194518088.0000022BB0D80000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000006.00000002.4194871536.0000022BB0F31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000006.00000002.4194871536.0000022BB0F31000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000006.00000002.4191816935.0000022BAF2C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                Antivirus matches:
                • Detection: 21%, ReversingLabs
                Reputation:low
                Has exited:true

                Target ID:9
                Start time:09:34:27
                Start date:18/12/2024
                Path:C:\Users\user\AppData\Roaming\UClient.exe
                Wow64 process (32bit):false
                Commandline:"C:\Users\user\AppData\Roaming\UClient.exe"
                Imagebase:0x7ff718c20000
                File size:543'144 bytes
                MD5 hash:C1BFA131BBDEF5F2E438D5C8BBAEF2CA
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000009.00000002.3506779671.000002A2DA4C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000009.00000002.3506998399.000002A2DBD60000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000009.00000002.3506998399.000002A2DBD60000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000009.00000002.3507284880.000002A2DBFF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000009.00000002.3507284880.000002A2DBFF1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                Reputation:low
                Has exited:true

                Target ID:10
                Start time:09:34:36
                Start date:18/12/2024
                Path:C:\Users\user\AppData\Roaming\UClient.exe
                Wow64 process (32bit):false
                Commandline:"C:\Users\user\AppData\Roaming\UClient.exe"
                Imagebase:0x7ff718c20000
                File size:543'144 bytes
                MD5 hash:C1BFA131BBDEF5F2E438D5C8BBAEF2CA
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000A.00000002.3588257874.000001A04CED1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000A.00000002.3588257874.000001A04CED1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000A.00000002.3587178647.000001A04CBF0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000A.00000002.3587178647.000001A04CBF0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 0000000A.00000002.3585996257.000001A04B250000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                Reputation:low
                Has exited:true

                Target ID:11
                Start time:09:37:00
                Start date:18/12/2024
                Path:C:\Users\user\AppData\Roaming\UClient.exe
                Wow64 process (32bit):false
                Commandline:C:\Users\user\AppData\Roaming\UClient.exe
                Imagebase:0x7ff718c20000
                File size:543'144 bytes
                MD5 hash:C1BFA131BBDEF5F2E438D5C8BBAEF2CA
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:low
                Has exited:false


                  Execution Graph

                  Execution Coverage:56.4%
                  Dynamic/Decrypted Code Coverage:11.9%
                  Signature Coverage:49.5%
                  Total number of Nodes:734
                  Total number of Limit Nodes:6
                  execution_graph
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4594083443.00007FF79D8B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79D8B0000, based on PE: true
                  • Associated: 00000000.00000002.4594046395.00007FF79D8B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4594326198.00007FF79D909000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4594487929.00007FF79D933000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4594559536.00007FF79D934000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ff79d8b0000_crypted_UClient.jbxd
                  Similarity
                  • API ID: Heap$FreeProcess
                  • API String ID: 3859560861-1252538027
                  • Opcode ID: 9315c47a18cfe1f08769f1559dc8fea3f5975e8475470d351807184fe33282b9
                  • Instruction ID: bc6fbd32e49b3bb3a39638e01a37634cfdc19c4d118876d719215d9d416d9338
                  • Opcode Fuzzy Hash: 9315c47a18cfe1f08769f1559dc8fea3f5975e8475470d351807184fe33282b9
                  • Instruction Fuzzy Hash: 12F47536509FA9D4E790EB10FA8CBDA73ACFB08314F924129E6CC92350EFB95959C351

                  Control-flow Graph

                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.4587719290.0000025191F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000025191F60000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_25191f60000_crypted_UClient.jbxd
                  Yara matches
                  Similarity
                  • API ID: AllocVirtual
                  • String ID:
                  • API String ID: 4275171209-0
                  • Opcode ID: 4e8b8247e7cc9eb48ab3447efde51f251e79aa77b60fd31208de4e14b5e2697b
                  • Instruction ID: 44b2818574fda2958d9fac7adca771cc7e219172ab87d746b5aa1d05758d18fe
                  • Opcode Fuzzy Hash: 4e8b8247e7cc9eb48ab3447efde51f251e79aa77b60fd31208de4e14b5e2697b
                  • Instruction Fuzzy Hash: BAC19930754D0D4BEBA8EB38CCA97B9B3D1FB54342F144529D44AC3186DB38E8AAC785
                  Memory Dump Source
                  • Source File: 00000000.00000002.4595777564.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd345f0000_crypted_UClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: cf8acd1405207128f6153a105d0c141b2b2c2c41e4f8ebb40aebd775625b66e5
                  • Instruction ID: dd644785f5142addc07f2305d74a4e8ba47543b75691e259fe798acca2d1d6c8
                  • Opcode Fuzzy Hash: cf8acd1405207128f6153a105d0c141b2b2c2c41e4f8ebb40aebd775625b66e5
                  • Instruction Fuzzy Hash: E6F1B531A18A8D8FEBA9DF28C8557E937D1FF55310F04426EE84DC7691DF38A9418B82
                  Memory Dump Source
                  • Source File: 00000000.00000002.4595777564.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd345f0000_crypted_UClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: af2a3d8aca187134012a5fc42d46a141ed7f1c7acdee61f0d40b8607dbf33460
                  • Instruction ID: 816abe2b8df2d9a88881fee5159f767b064b59687cebcab8bfc60afdda56562f
                  • Opcode Fuzzy Hash: af2a3d8aca187134012a5fc42d46a141ed7f1c7acdee61f0d40b8607dbf33460
                  • Instruction Fuzzy Hash: 69E1D431A18A4E8FEBA9DF28C8657E977D1FF55310F04426ED84DC3691CE78A940CB82
                  Memory Dump Source
                  • Source File: 00000000.00000002.4587719290.0000025191F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000025191F60000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_25191f60000_crypted_UClient.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3e74d2aa687a79bc353c1e30e2761018af6d861ea5a8c8f1c92844b65f1d9ba9
                  • Instruction ID: 14fe2f7ab0d4c0bd45523c3a36100fd1fb3cba3139f8419247f3dd19dd87e989
                  • Opcode Fuzzy Hash: 3e74d2aa687a79bc353c1e30e2761018af6d861ea5a8c8f1c92844b65f1d9ba9
                  • Instruction Fuzzy Hash: 83E16131618A0C8FDB59DF28D8996EAB7E1FF98301F00466DE84AC7155DF30D995CB82
                  Memory Dump Source
                  • Source File: 00000000.00000002.4595777564.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd345f0000_crypted_UClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 342ae9d4e4b11ae8d4839a2fdbed459b9d397cd41cc1d9309968ec24badc3166
                  • Instruction ID: 743413ad5ca26a94c00da0097848bd2ab037b1c3f70fb9cb04e8838fc6e85686
                  • Opcode Fuzzy Hash: 342ae9d4e4b11ae8d4839a2fdbed459b9d397cd41cc1d9309968ec24badc3166
                  • Instruction Fuzzy Hash: 8151F021B5E6C94FD796AB7848B52757FD5DF8B225B0801FBE08EC7193DD186806C342

                  Control-flow Graph

                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.4587719290.0000025191F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000025191F60000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_25191f60000_crypted_UClient.jbxd
                  Yara matches
                  Similarity
                  • API ID: ProtectVirtual$LibraryLoad
                  • String ID:
                  • API String ID: 895956442-0
                  • Opcode ID: 8400098549b82502c2f5a9c421df171acaf346d87819800aa738181b0ab5da70
                  • Instruction ID: d45829b4ec597d007f7a44188537af49057e64daba4e2179c87940eb93f74522
                  • Opcode Fuzzy Hash: 8400098549b82502c2f5a9c421df171acaf346d87819800aa738181b0ab5da70
                  • Instruction Fuzzy Hash: 4B319031308E0C4BDB58EA38AC6936A73D5E7C8361F10462AA84BC32CADD78DD5A4385

                  Control-flow Graph

                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.4587719290.0000025191F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000025191F60000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_25191f60000_crypted_UClient.jbxd
                  Yara matches
                  Similarity
                  • API ID: ProtectVirtual
                  • String ID:
                  • API String ID: 544645111-0
                  • Opcode ID: 914d75a376068fc31bfbded977a9d44f63d4b8c845bdf52e5f4dfcb5cec16c11
                  • Instruction ID: a0c35d99b22703f431de06ad0cb16488e8ddcf7e9fab9dd613f6bf7760c80e15
                  • Opcode Fuzzy Hash: 914d75a376068fc31bfbded977a9d44f63d4b8c845bdf52e5f4dfcb5cec16c11
                  • Instruction Fuzzy Hash: FD214F3170CA0C4BDB58EA7CAC6936973D1FB88751F10456AA84BC328ADD38DD564785

                  Control-flow Graph

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4587719290.0000025191F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000025191F60000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_25191f60000_crypted_UClient.jbxd
                  Yara matches
                  Similarity
                  • API ID: LibraryLoad
                  • String ID: l
                  • API String ID: 1029625771-2517025534
                  • Opcode ID: 17942f13ed0cde813e798f87a7dfef04ab11e23e44ed8671c4d85ae2c9c13351
                  • Instruction ID: 37d54718f6dc6d37af77256fe241004ee8e7eb3228e975715fa8220b1d4d5ac7
                  • Opcode Fuzzy Hash: 17942f13ed0cde813e798f87a7dfef04ab11e23e44ed8671c4d85ae2c9c13351
                  • Instruction Fuzzy Hash: 9131012055CE8D4FE795EB388448B21BBD4FBA9349F245AACC0CEC3197D734C84A8705

                  Control-flow Graph

                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.4587719290.0000025191F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000025191F60000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_25191f60000_crypted_UClient.jbxd
                  Yara matches
                  Similarity
                  • API ID: AllocCreateInstanceString
                  • String ID:
                  • API String ID: 218245030-0
                  • Opcode ID: 442c16bc98548f2fd16eb1ef95e6c8939e12c91b638b245e658edfcf924a79c1
                  • Instruction ID: 26024863f4b1dc095e201138889573c47322484d2692673a63b11f4fd7428631
                  • Opcode Fuzzy Hash: 442c16bc98548f2fd16eb1ef95e6c8939e12c91b638b245e658edfcf924a79c1
                  • Instruction Fuzzy Hash: E2917C30218E088FD768EF38CC997A6B7E0FF99301F104A6DD49AC7151DB35E9598B86

                  Control-flow Graph

                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.4587719290.0000025191F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000025191F60000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_25191f60000_crypted_UClient.jbxd
                  Yara matches
                  Similarity
                  • API ID: ProtectVirtual$LibraryLoad
                  • String ID:
                  • API String ID: 895956442-0
                  • Opcode ID: 2a6024b9db74f160a7b58b3b0515e351414b1f3c9a0cbad83c4302ef420070c7
                  • Instruction ID: 248e4248e38ebec35afcbb2f76dc8e9a98c9627150e1149edeb6a8e8df8d5129
                  • Opcode Fuzzy Hash: 2a6024b9db74f160a7b58b3b0515e351414b1f3c9a0cbad83c4302ef420070c7
                  • Instruction Fuzzy Hash: 3511E530758E0C4BDB94EB389C98B6A73E5FBC8341F044969AC4AC3245DE34DD868782

                  Control-flow Graph

                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4595777564.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd345f0000_crypted_UClient.jbxd
                  Similarity
                  • API ID:
                  • String ID: H
                  • API String ID: 0-2852464175
                  • Opcode ID: c4b7f92ded3449ac8929f0d8c0ec6a1328c34f0b06b75b06aaa3ff4b37b390c9
                  • Instruction ID: 4357991db7d8f3137283e1f600ceab9015a1fb9a12f50adae10833617c1cfbe4
                  • Opcode Fuzzy Hash: c4b7f92ded3449ac8929f0d8c0ec6a1328c34f0b06b75b06aaa3ff4b37b390c9
                  • Instruction Fuzzy Hash: 44C12762B1DA854FE75AA77C447A2B97BD1EF96360B0805BEE08ED71E3CD1C68038341

                  Control-flow Graph

                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4595777564.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd345f0000_crypted_UClient.jbxd
                  Similarity
                  • API ID:
                  • String ID: H
                  • API String ID: 0-2852464175
                  • Opcode ID: 785a52d50045d1d79d99d4b20adfe95453e0281bdf30492cf185d5ef9c610e99
                  • Instruction ID: 75e1e80cab7fb6980a47fc8a757657fedd5a6961569cc3848712540f07f5678b
                  • Opcode Fuzzy Hash: 785a52d50045d1d79d99d4b20adfe95453e0281bdf30492cf185d5ef9c610e99
                  • Instruction Fuzzy Hash: 92C11662B1D6C51FE75A977C487A2B97BD1EF56260B0805FEE08EDB1E3CD1C68028351

                  Control-flow Graph

                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4595777564.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd345f0000_crypted_UClient.jbxd
                  Similarity
                  • API ID:
                  • String ID: H
                  • API String ID: 0-2852464175
                  • Opcode ID: 35d85fcef10cabf9429a2400cb95869f45434748cfcfb58731dbda0602dc1dde
                  • Instruction ID: a557d0a7931dae7766d2fb4cf527fc00715c143e62d945d098566c026c7b2dbe
                  • Opcode Fuzzy Hash: 35d85fcef10cabf9429a2400cb95869f45434748cfcfb58731dbda0602dc1dde
                  • Instruction Fuzzy Hash: E971427190D6C99FDB1ADB7888656E97FE0EF53321F0801EFE089CB1A3DA295406C752

                  Control-flow Graph

                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4595777564.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd345f0000_crypted_UClient.jbxd
                  Similarity
                  • API ID:
                  • String ID: H
                  • API String ID: 0-2852464175
                  • Opcode ID: 1dfabe13da731aebf113ea44f2b38689399345c4ee2914995d1424c677541faa
                  • Instruction ID: 24dfde4efe22f9f372b0877034f5388cae5588dac93e5683f387f899c4dbb77e
                  • Opcode Fuzzy Hash: 1dfabe13da731aebf113ea44f2b38689399345c4ee2914995d1424c677541faa
                  • Instruction Fuzzy Hash: B631DC6065D9C96FD74AA7F848666E9BFE0DF47300B1805EDD04DEB1A3C91C6412C321

                  Control-flow Graph

                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4595777564.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd345f0000_crypted_UClient.jbxd
                  Similarity
                  • API ID:
                  • String ID: d
                  • API String ID: 0-2564639436
                  • Opcode ID: ab9ac0b4ce25e3f21328c20e66f6612d2a23e4c9ee97a3bb086903098b9828d0
                  • Instruction ID: f24fd33132dfe6c6c8117f692e4eca7e22736fa7d92bbdb553209624020d6ea5
                  • Opcode Fuzzy Hash: ab9ac0b4ce25e3f21328c20e66f6612d2a23e4c9ee97a3bb086903098b9828d0
                  • Instruction Fuzzy Hash: 5721E732E0C7598FEB569B6488652ED7BB0EF16310F01017BC649D36D2DB3C58449792

                  Control-flow Graph

                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4595777564.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd345f0000_crypted_UClient.jbxd
                  Similarity
                  • API ID:
                  • String ID: 4
                  • API String ID: 0-4088798008
                  • Opcode ID: 1d88493961f8fc0ebc077b9503820ed58aacd2a3829006e66ba7f1ca4d8951bb
                  • Instruction ID: b4a38cf48970399b26a6dcfb319d17303187a42212fa8bee149e50295df400af
                  • Opcode Fuzzy Hash: 1d88493961f8fc0ebc077b9503820ed58aacd2a3829006e66ba7f1ca4d8951bb
                  • Instruction Fuzzy Hash: 21F0672284F3C84FE7078B7448611E57FB0AF03200B0D41DBE588CB4A7D61DAA08C363
                  Memory Dump Source
                  • Source File: 00000000.00000002.4595777564.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd345f0000_crypted_UClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 5c49f7932833ee6486658d23541d6719a06888f1d8734603620c928ee8507e3b
                  • Instruction ID: 7f3e5b7eebc18074d077fa7ff988ebe0c3f94e1d411e4dd70595906e15ec4423
                  • Opcode Fuzzy Hash: 5c49f7932833ee6486658d23541d6719a06888f1d8734603620c928ee8507e3b
                  • Instruction Fuzzy Hash: 36B1C731A0CA4D8FEB69DF28D8557E93BD1FF55310F04426AE84DC7692CE78A845CB82
                  Memory Dump Source
                  • Source File: 00000000.00000002.4595777564.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd345f0000_crypted_UClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3595b642363e7f93085b56c5230a2ad90aff2841519139862b9365ae207da1ba
                  • Instruction ID: 3faee77153878892923b415710e3f0914ccae9f69753febd8927e1eeafbe0b8c
                  • Opcode Fuzzy Hash: 3595b642363e7f93085b56c5230a2ad90aff2841519139862b9365ae207da1ba
                  • Instruction Fuzzy Hash: 7B918C72E1EA4A5FE756E77848A66E67BD0EF02310F0402BAD04DC7592DF1C741B8792
                  Memory Dump Source
                  • Source File: 00000000.00000002.4595777564.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd345f0000_crypted_UClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 84c1485520de70903b035839e83eda1fa53d8df7660decef9bd11a843def82da
                  • Instruction ID: 22761256c4579235c51858d35a2f003898fb9ee55f3a77cebf41ec7af0b449de
                  • Opcode Fuzzy Hash: 84c1485520de70903b035839e83eda1fa53d8df7660decef9bd11a843def82da
                  • Instruction Fuzzy Hash: 95813C32B1DA884FEB59D77898A56E97BD0EF46320F0401BFD04ED75A2CE2C6856C342
                  Memory Dump Source
                  • Source File: 00000000.00000002.4595777564.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd345f0000_crypted_UClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f13f37c2ba0d557271cd010bb9c6164c123b54c82273fdff229523305b1f3919
                  • Instruction ID: 7705e0e5ba63b49179bd24844217fe5b08c08d8f160881778720c8cc381e076d
                  • Opcode Fuzzy Hash: f13f37c2ba0d557271cd010bb9c6164c123b54c82273fdff229523305b1f3919
                  • Instruction Fuzzy Hash: 23814B32B1DA884FE755D73898A66F97BE1EF46320F0401BBD04ED75A2CE2C6846C342
                  Memory Dump Source
                  • Source File: 00000000.00000002.4595777564.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd345f0000_crypted_UClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f1e933a270ef790713dfefd4d462e70bf051da15bfe2d0c34a4de848a114001b
                  • Instruction ID: 1d84aa215478e115fd9215ed20cea321f37e733ac919ef4d7bd01b2e41355e48
                  • Opcode Fuzzy Hash: f1e933a270ef790713dfefd4d462e70bf051da15bfe2d0c34a4de848a114001b
                  • Instruction Fuzzy Hash: 4B712623F5DA895FF756A77C98A62FD7BD1EF86221B0801BAD48DC3193DD1C68028352
                  Memory Dump Source
                  • Source File: 00000000.00000002.4595777564.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd345f0000_crypted_UClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 5e3c1cfbc44ce78c52d37adca9aff386d47379e4722f86e4a2557eecf35207c0
                  • Instruction ID: 51ddbbf5c174f802a6ad1a0d1bd255ba51f938710956942640c19f593c552e4e
                  • Opcode Fuzzy Hash: 5e3c1cfbc44ce78c52d37adca9aff386d47379e4722f86e4a2557eecf35207c0
                  • Instruction Fuzzy Hash: 9171FA31B19A4C4FEB59E77884A96BD77E1EF99310F0405BED04ED72A2DE2CAC428741
                  Memory Dump Source
                  • Source File: 00000000.00000002.4595777564.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd345f0000_crypted_UClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 63782952bd0b77211f4cea5334217f52148d4a2bc0844901ca5b38997b140cb2
                  • Instruction ID: 4850ea4510b60e813bfb39f77720aacee9f61b357f87832a119ad949cc090f50
                  • Opcode Fuzzy Hash: 63782952bd0b77211f4cea5334217f52148d4a2bc0844901ca5b38997b140cb2
                  • Instruction Fuzzy Hash: 99518431E18A0C8FDB58EF58D8957EDBBF1FF59310F10426AD44DE3252CA38A8468B81
                  Memory Dump Source
                  • Source File: 00000000.00000002.4595777564.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd345f0000_crypted_UClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 7111b6c417efa8edb709e65e4356df3940089f4b49e09aba08841e408dfdacf6
                  • Instruction ID: 6fd03ad71c4d9443d49065c6d27a549cf95ebca486ba3d41d8dbb156cc5c140f
                  • Opcode Fuzzy Hash: 7111b6c417efa8edb709e65e4356df3940089f4b49e09aba08841e408dfdacf6
                  • Instruction Fuzzy Hash: A451D861B1DA850FE75AEB7C08B51B97BD1EF9A310B0805BED0C9D75D3DD1C68068342
                  Memory Dump Source
                  • Source File: 00000000.00000002.4595777564.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd345f0000_crypted_UClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 382268dd251a9183e056d141319ed10d709edac2025307bfd688dbd1d01a0ce9
                  • Instruction ID: e16d4159fd5bd7561e7b1a41d1bef297e145dae3202acbf695d81834abab5526
                  • Opcode Fuzzy Hash: 382268dd251a9183e056d141319ed10d709edac2025307bfd688dbd1d01a0ce9
                  • Instruction Fuzzy Hash: 05613671E0D6868FE71B977848762A97FA0EF03310F1802FAE099C75D3CA6D6802C752
                  Memory Dump Source
                  • Source File: 00000000.00000002.4595777564.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd345f0000_crypted_UClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d9ed0096b9bcf6e91c27b64d35b5646e804f41aee074b5d3326d2512d138905b
                  • Instruction ID: 5ca825c4b11143c875282a265ac0937059a7c329e23c5c57003da8895c83ad84
                  • Opcode Fuzzy Hash: d9ed0096b9bcf6e91c27b64d35b5646e804f41aee074b5d3326d2512d138905b
                  • Instruction Fuzzy Hash: 7E518331D08A1C8FDB69DF58D855BE9BBF1FF59310F1082AAD04DE3252CE34A9858B81
                  Memory Dump Source
                  • Source File: 00000000.00000002.4595777564.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd345f0000_crypted_UClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ded8778f179f3a5c986669d6a56b63b9c07254f941cb899329f2fa2e4c303d25
                  • Instruction ID: 6b978ba12a5aa8f9347d760e4e355e252b1f15ddc49cb76d9050236fecc6a13b
                  • Opcode Fuzzy Hash: ded8778f179f3a5c986669d6a56b63b9c07254f941cb899329f2fa2e4c303d25
                  • Instruction Fuzzy Hash: EC51E97055D6889FE75ADB78885ABA97FE0FF1B311F0400EFE04EC71A2C6699442CB52
                  Memory Dump Source
                  • Source File: 00000000.00000002.4595777564.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd345f0000_crypted_UClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: aecd15ad78850018fb40a5d060b0b6356b6835097c29fc6b482242fba4d52c5e
                  • Instruction ID: 7b6319019bf7fef24b6179d775d916fd7e279708bf0d0eb69222c3877565226c
                  • Opcode Fuzzy Hash: aecd15ad78850018fb40a5d060b0b6356b6835097c29fc6b482242fba4d52c5e
                  • Instruction Fuzzy Hash: E151E222F1C9895FE75AE7B8446A3B96BD1EF5A311F0804BDD08DD71D3CD1C68028752
                  Memory Dump Source
                  • Source File: 00000000.00000002.4595777564.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd345f0000_crypted_UClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 283b0987eef1e78d7d2e6399b3b5613af3267c1282a6d68bd135bf02e00ffc42
                  • Instruction ID: cc8e298a25ac69d0941948f06bc91d4e86c7cd8f6a94f52bbe6339c2edb97827
                  • Opcode Fuzzy Hash: 283b0987eef1e78d7d2e6399b3b5613af3267c1282a6d68bd135bf02e00ffc42
                  • Instruction Fuzzy Hash: 63510A7055D6889FE759DB68885ABA97FE0FF1A311F0400FEE04ED72A2C6699442CB12
                  Memory Dump Source
                  • Source File: 00000000.00000002.4595777564.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd345f0000_crypted_UClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8cbb89af02a7327e60167f788242274fb23e7fb6562d43e8c2b4c2bd38d4edde
                  • Instruction ID: 944ee5b5a62d6f5e8e8cd5c7445d5da8775320cec62eaaeca11ec476faf5c043
                  • Opcode Fuzzy Hash: 8cbb89af02a7327e60167f788242274fb23e7fb6562d43e8c2b4c2bd38d4edde
                  • Instruction Fuzzy Hash: 4941D662B1DA960FE76AE77C08B51B87BD1EF9A310B4805BED0C9C71D7DD1878068382
                  Memory Dump Source
                  • Source File: 00000000.00000002.4595777564.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd345f0000_crypted_UClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 099de02a38b1897d166ce73ce7b1179f266e87c4dd2e499c910b8184f89aed8c
                  • Instruction ID: 4392566e1a43121a156574824a8e059158e21d993db6a49ce548ce760b38f22a
                  • Opcode Fuzzy Hash: 099de02a38b1897d166ce73ce7b1179f266e87c4dd2e499c910b8184f89aed8c
                  • Instruction Fuzzy Hash: 9941F932A1D98D4FEB86EBB848696FD7BE1EF4A310B0801BFD04DD7192DE2C58428751
                  Memory Dump Source
                  • Source File: 00000000.00000002.4595777564.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd345f0000_crypted_UClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 168753931ea38312efc8112924aaf2368f67a906b315268a147724933a02dccf
                  • Instruction ID: 3980516cfa2d95e9685a669223f2ad740f72ec04b705d14cd8ad7f46906494f9
                  • Opcode Fuzzy Hash: 168753931ea38312efc8112924aaf2368f67a906b315268a147724933a02dccf
                  • Instruction Fuzzy Hash: 00412822B5DA890FF7A6B77C546A6BA7BD1DF86221B0800FEE48DC3193DD5D58038351
                  Memory Dump Source
                  • Source File: 00000000.00000002.4595777564.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd345f0000_crypted_UClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e4ae90d548bb0b3ff9a4a32d3cf95d81cb1f99a8f0150a0a74eae2b74023e1a8
                  • Instruction ID: 39de4c5c7e773fb8a1f543f8b629d40d380fafa63341fab07a9403f23a59e430
                  • Opcode Fuzzy Hash: e4ae90d548bb0b3ff9a4a32d3cf95d81cb1f99a8f0150a0a74eae2b74023e1a8
                  • Instruction Fuzzy Hash: AE41D271F0850A8FEB59EB6884B56B9B7A1EF45310F14017DE01ED76D2CE2DA842C742
                  Memory Dump Source
                  • Source File: 00000000.00000002.4595777564.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd345f0000_crypted_UClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 5bf9d00ba2378fab0933fe60c28edb4a938e7feac1b658da85b6034a3b4b13e2
                  • Instruction ID: c4ad9c68b06e5158560acbc2c9c07e5f6cb3a0d50bc1fad5b93009a763b9d579
                  • Opcode Fuzzy Hash: 5bf9d00ba2378fab0933fe60c28edb4a938e7feac1b658da85b6034a3b4b13e2
                  • Instruction Fuzzy Hash: 09413A32F0DA469FE75AA77458A61E17BD0EF56310F0006BAD05AC7593DF2CB856C382
                  Memory Dump Source
                  • Source File: 00000000.00000002.4595777564.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd345f0000_crypted_UClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b12e1967249a33f52a918b771b9b4a53c6cee681544f3e32ba51fb45531b3f79
                  • Instruction ID: 2defc9514895ac81a02708864403380ca87005ff620550a8486c951a272d2029
                  • Opcode Fuzzy Hash: b12e1967249a33f52a918b771b9b4a53c6cee681544f3e32ba51fb45531b3f79
                  • Instruction Fuzzy Hash: D741F631F1C9499FDB59EB7888666ADBBE1EF45300F4005BEE04ED3692CE2C68119742
                  Memory Dump Source
                  • Source File: 00000000.00000002.4595777564.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd345f0000_crypted_UClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b73ed76b0f0e86a3e4d71ce83a10d6436c6938f46a70724a804412d2409b8aab
                  • Instruction ID: fd58ebebcfc4ed30037da0e4b1e61ab7ccd7ca56d65f39d7df16c5649796f7c9
                  • Opcode Fuzzy Hash: b73ed76b0f0e86a3e4d71ce83a10d6436c6938f46a70724a804412d2409b8aab
                  • Instruction Fuzzy Hash: 2931B521B1D9490FE7A8EB6C946A779B7C6EF9D311F0401BEE04ED3293DD68AC028341
                  Memory Dump Source
                  • Source File: 00000000.00000002.4595777564.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd345f0000_crypted_UClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3841c42cb8f0fe694260339461a214a547da3f097cb26235ff8c5a650c73dc7d
                  • Instruction ID: c472c3f0f5de0a203069eb0638d845929d053a86effe243dafd10941c580a45f
                  • Opcode Fuzzy Hash: 3841c42cb8f0fe694260339461a214a547da3f097cb26235ff8c5a650c73dc7d
                  • Instruction Fuzzy Hash: 3C411A71A5D9CCAFE746F7B848665EA7FE0DF0B311B4405EED48DCB1A2C92C68128711
                  Memory Dump Source
                  • Source File: 00000000.00000002.4595777564.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd345f0000_crypted_UClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b960ebe9eca826fb17893bce77e7a8afe7f85214638199fc37d7d41b22256bf6
                  • Instruction ID: b23a68b997be204aff4e0d2f5998f4f0e685e167b0599d5a3cb2189b3f08c7c4
                  • Opcode Fuzzy Hash: b960ebe9eca826fb17893bce77e7a8afe7f85214638199fc37d7d41b22256bf6
                  • Instruction Fuzzy Hash: 17410361E5D6C55FE35AD77848BA2A93FE0EF47211F0805FED088CB1A3D95C1406D362
                  Memory Dump Source
                  • Source File: 00000000.00000002.4595777564.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd345f0000_crypted_UClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 9221f74184e87b4b16a50909074aa5d9a287186d0708153de07c3b9b3f816302
                  • Instruction ID: 7216ef19631f5a24cd0477cf9787d7dc18b8002fab2420969734afee24a4d471
                  • Opcode Fuzzy Hash: 9221f74184e87b4b16a50909074aa5d9a287186d0708153de07c3b9b3f816302
                  • Instruction Fuzzy Hash: 7A411871A5DAC99FE347E77848BA5A97FF0EF07211B4801EED488CB1A3CA2D6451C712
                  Memory Dump Source
                  • Source File: 00000000.00000002.4595777564.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd345f0000_crypted_UClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b8cc0ed11b1633623773820456c1320b605d60d537be3d5a01936ffa1afd2f3e
                  • Instruction ID: 26fb6e31d2778822fd2012f368d60deb1e5e1612e4e655a77e9d793a18216c3b
                  • Opcode Fuzzy Hash: b8cc0ed11b1633623773820456c1320b605d60d537be3d5a01936ffa1afd2f3e
                  • Instruction Fuzzy Hash: 96410530B6D6855FE359EB78486A2B5BBD1EF5A301F0405FEE08ED72A3CD2C68418752
                  Memory Dump Source
                  • Source File: 00000000.00000002.4595777564.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd345f0000_crypted_UClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ce057e5ffc64d79f230eef759ecfbdc53a3baa95be03232440fba1b86de4322d
                  • Instruction ID: 413e6109b5751e50da0ef1ad3b77627ba90998647fa4875567cf1462b622f7c6
                  • Opcode Fuzzy Hash: ce057e5ffc64d79f230eef759ecfbdc53a3baa95be03232440fba1b86de4322d
                  • Instruction Fuzzy Hash: F1312A61F2CB855FE359EB7844AA679BBD1EF59350F08057DD48DC3293DE2CA8015702
                  Memory Dump Source
                  • Source File: 00000000.00000002.4595777564.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd345f0000_crypted_UClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b4dec89d409f6e64b0a8f738b3dc399a75b6bca00ec70b6049a4e8573b0f01e9
                  • Instruction ID: e38613d0a8c82a55231365ffe1b5b5e3f0a9d9de2fd7caa88d8dc6740d63e0b1
                  • Opcode Fuzzy Hash: b4dec89d409f6e64b0a8f738b3dc399a75b6bca00ec70b6049a4e8573b0f01e9
                  • Instruction Fuzzy Hash: B031396076D6C46FF346E3B8446A6A67FE19F1A301F0404EEE08DC71A3CD2C58428711
                  Memory Dump Source
                  • Source File: 00000000.00000002.4595777564.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd345f0000_crypted_UClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8ac158b07b79ebeab6024b8e68845409ecb5dcbbeefd38e8bb5d20e2e1499397
                  • Instruction ID: f1b30406b924f93d05bfc523c47c79b5fa8f5892d7f4685fed42009a785655b9
                  • Opcode Fuzzy Hash: 8ac158b07b79ebeab6024b8e68845409ecb5dcbbeefd38e8bb5d20e2e1499397
                  • Instruction Fuzzy Hash: AE313A63E5858D6FE745D76C98B61FD7BE0EF86320F08017AD48ED71D2DD1C28029252
                  Memory Dump Source
                  • Source File: 00000000.00000002.4595777564.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd345f0000_crypted_UClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 31bfbc241ad1f6ba8bd17e312d750f5584d133e1ffa9e8dee93d40d47720783e
                  • Instruction ID: 99fadb2996c566f8440b292f21324a52fec9f1997641987f67e477889fb46fa3
                  • Opcode Fuzzy Hash: 31bfbc241ad1f6ba8bd17e312d750f5584d133e1ffa9e8dee93d40d47720783e
                  • Instruction Fuzzy Hash: B731813190D7488FDB15DFA8D885BEABBF0EB56320F0481AED049C3552D764A405CB51
                  Memory Dump Source
                  • Source File: 00000000.00000002.4595777564.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd345f0000_crypted_UClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 515b772778ad0f5efff2329db2908b105849cdf5c2d61c45fd662e05459a8bb0
                  • Instruction ID: ec512fb9ed0ccab0cedd3fb95882b9a0bad436de9a9588424cce635e750f424c
                  • Opcode Fuzzy Hash: 515b772778ad0f5efff2329db2908b105849cdf5c2d61c45fd662e05459a8bb0
                  • Instruction Fuzzy Hash: EB213A33A0D68D4FD765AB689899AF77FE4EF53325F0401AFE14CC70A1C9685915C342
                  Memory Dump Source
                  • Source File: 00000000.00000002.4595777564.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd345f0000_crypted_UClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: abd401b7d8b33eb1acebdbfc38c4bf012eab783d1b6891887448d88d23368634
                  • Instruction ID: d8dfd3de4266fcaba838ab3ef5ac140897ca5a8c14f46fd142c18f7f3e1288b3
                  • Opcode Fuzzy Hash: abd401b7d8b33eb1acebdbfc38c4bf012eab783d1b6891887448d88d23368634
                  • Instruction Fuzzy Hash: FB21F412F1DA864FE755B7B8486E7B977C6EF96B10F0442BAE40DC71A3CD1CA8418782
                  Memory Dump Source
                  • Source File: 00000000.00000002.4595777564.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd345f0000_crypted_UClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8ee0842b9e7b2b5145805fb2eabc8d98faab64ccaba40481e43b902e5282a086
                  • Instruction ID: 2d41b5188ff577a0584065b1111edff2dbf67d76eaf17157e69cf1f04756fa30
                  • Opcode Fuzzy Hash: 8ee0842b9e7b2b5145805fb2eabc8d98faab64ccaba40481e43b902e5282a086
                  • Instruction Fuzzy Hash: 0A217A01B5DAC92BE71A63F808736EABF909F56310F5806FEE189D75E3C91C58068362
                  Memory Dump Source
                  • Source File: 00000000.00000002.4595777564.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd345f0000_crypted_UClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2a4e431a6c02f42d747d7b8f75cdd05f12fc6057ea72b2cefeede3ecf28c4c93
                  • Instruction ID: a1dbc284c7e2593b9993453184dcae47695a9ee702c587fa621ebf21e322981e
                  • Opcode Fuzzy Hash: 2a4e431a6c02f42d747d7b8f75cdd05f12fc6057ea72b2cefeede3ecf28c4c93
                  • Instruction Fuzzy Hash: 21216B61A5EAC95FE747AB7408665FE7FE0DF87210B0401FAE08AC75A3CA0C45069362
                  Memory Dump Source
                  • Source File: 00000000.00000002.4595777564.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd345f0000_crypted_UClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3bd29d203a1bca5c18784e67c9fe5a15d2c4393b7d1188bf1ed66f796a1fe750
                  • Instruction ID: 4e75ec88117a309913636a9a210c4189268d95622813cb25835c25b2a5a29086
                  • Opcode Fuzzy Hash: 3bd29d203a1bca5c18784e67c9fe5a15d2c4393b7d1188bf1ed66f796a1fe750
                  • Instruction Fuzzy Hash: 482162503AE5C86FDB0AA7BC486A6A57FD1CE4722134409EED0CEDB592C90C6407E365
                  Memory Dump Source
                  • Source File: 00000000.00000002.4595777564.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd345f0000_crypted_UClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 12caeaf143d669b5bb6d40312932ea2b010f1513f8cb05e84c238076b8b0b3fa
                  • Instruction ID: 609b7af3345dbc2d35ec7e7f90e9761d663550748d9c39a0db2ce188c39656a2
                  • Opcode Fuzzy Hash: 12caeaf143d669b5bb6d40312932ea2b010f1513f8cb05e84c238076b8b0b3fa
                  • Instruction Fuzzy Hash: E521D322F189851FE75AE7B888793A96BD1EF5A310F0804B9D08DC72E3CD1D68028752
                  Memory Dump Source
                  • Source File: 00000000.00000002.4595777564.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd345f0000_crypted_UClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 42a36bf8943ceef58649a8272964a4beb02d142dc30640cff52de98ba1f07ed1
                  • Instruction ID: ef2801afc42a6c6f68b6d0d7ba7247e6b3b4125231a55f5828a88b8c475e9e0c
                  • Opcode Fuzzy Hash: 42a36bf8943ceef58649a8272964a4beb02d142dc30640cff52de98ba1f07ed1
                  • Instruction Fuzzy Hash: EA110A12F19D064BF7A4B7BC447E77966C6EFA9B41F000279E40DC31A2DD1CAC414782
                  Memory Dump Source
                  • Source File: 00000000.00000002.4595777564.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd345f0000_crypted_UClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 00f6a99b9ecd86e4f17b4b4c8c9e3e990cc6738a94c17ed4d05763421bd31a47
                  • Instruction ID: 93424325962858d3d3186013f2eaf7cb54a1f299f51801d48dce07f1d1c99b8a
                  • Opcode Fuzzy Hash: 00f6a99b9ecd86e4f17b4b4c8c9e3e990cc6738a94c17ed4d05763421bd31a47
                  • Instruction Fuzzy Hash: F921AC00B5DA892BE71A63F80837BEABF948F06310F5806BDE08D975D3CD1C68058352
                  Memory Dump Source
                  • Source File: 00000000.00000002.4595777564.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd345f0000_crypted_UClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c3fb046b8b877fa3a59806511dec419be179c0553f457b54a54834b9c1bf51e9
                  • Instruction ID: 5220f0af24c511f36156acc0788d9232139f748d2c74ceba2d4103bd3a57649d
                  • Opcode Fuzzy Hash: c3fb046b8b877fa3a59806511dec419be179c0553f457b54a54834b9c1bf51e9
                  • Instruction Fuzzy Hash: 6F110A32E5C99D1FE756E36C18662E9BBE0EF47210B0406E7D588C3193DD1C28578392
                  Memory Dump Source
                  • Source File: 00000000.00000002.4595777564.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd345f0000_crypted_UClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 1670e267b30b09ad45a4ce284d69b63ec408ade0fd02a0d4234ba1eadf51ad9a
                  • Instruction ID: b8cb9add7885989ec2642b1fd5db34215c48a1a4d44a4309a4205256565eae91
                  • Opcode Fuzzy Hash: 1670e267b30b09ad45a4ce284d69b63ec408ade0fd02a0d4234ba1eadf51ad9a
                  • Instruction Fuzzy Hash: 1701F132A1895D1FEB51E36C546A6FEBBE0EF4A210B0405EBE58DC3152C91828428382
                  Memory Dump Source
                  • Source File: 00000000.00000002.4595777564.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd345f0000_crypted_UClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b6f808c9fce8134b86fb1ae3e826820e5bd955c9d0d9b8e7abc1f707e4586867
                  • Instruction ID: a20e545b350a6e0d49260beb9f12efeffecf6b1f81248bf1e1567b782bf66543
                  • Opcode Fuzzy Hash: b6f808c9fce8134b86fb1ae3e826820e5bd955c9d0d9b8e7abc1f707e4586867
                  • Instruction Fuzzy Hash: E201F506D1D6C55FE75AA77C28B24B66FE0DF47250B0808EEE58CC70E3E80CA845D712
                  Memory Dump Source
                  • Source File: 00000000.00000002.4595777564.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd345f0000_crypted_UClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 7a7feaf5e89ed1c15310314141f9f821170f4df47175c604539de91922bb9875
                  • Instruction ID: 51190ae0079309396cc8f09b770af12e114824725349a6c9679ca97cc4270b3d
                  • Opcode Fuzzy Hash: 7a7feaf5e89ed1c15310314141f9f821170f4df47175c604539de91922bb9875
                  • Instruction Fuzzy Hash: 9901DE32E09A5D4FEB65ABA8846A1FE3BF0EF15312F00017BD508C6192EE2869008782
                  Memory Dump Source
                  • Source File: 00000000.00000002.4595777564.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd345f0000_crypted_UClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d164a4ffe91a3ed8427990f1ef4755469dea8ffb84fd1633f22a1e289a16d516
                  • Instruction ID: edb9eae70b94dc0c9043fc08b58c109df608536370baf655f28f7f0d954e9ca4
                  • Opcode Fuzzy Hash: d164a4ffe91a3ed8427990f1ef4755469dea8ffb84fd1633f22a1e289a16d516
                  • Instruction Fuzzy Hash: 83F06432E0592D8AEB64BBA8985A1FE77E0EF59212F00013AE509D2296DE3969418781
                  Memory Dump Source
                  • Source File: 00000000.00000002.4595777564.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd345f0000_crypted_UClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2b1caca487bd73ef9ad28865523bb9d5c795ae29ebf932a2da7c3e885435dc9e
                  • Instruction ID: ae8af6381f2df975ba3fda214b55ff181513eb046a6985b8889760215d1a721f
                  • Opcode Fuzzy Hash: 2b1caca487bd73ef9ad28865523bb9d5c795ae29ebf932a2da7c3e885435dc9e
                  • Instruction Fuzzy Hash: C001F216F5C1529BE35BA77848B25BC7BC29F87320B4809F8D14DC71E3CE2C68129263
                  Memory Dump Source
                  • Source File: 00000000.00000002.4595777564.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd345f0000_crypted_UClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 99ea400d9c8b269393202e7d601e185dbddae7e08c9c6726dbac5eb0ac8f22cb
                  • Instruction ID: 4a91f7871855dbdd548339770d9f7c628ea0c1319e11470dcb5c3122373ab63d
                  • Opcode Fuzzy Hash: 99ea400d9c8b269393202e7d601e185dbddae7e08c9c6726dbac5eb0ac8f22cb
                  • Instruction Fuzzy Hash: 3BF06D30B28A589FD749EB74D4612ADB7E2EF89200F5009B9E04EE7293CE396841C704
                  Memory Dump Source
                  • Source File: 00000000.00000002.4595777564.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd345f0000_crypted_UClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 0e4cbf5b0c9a50a5f7fa822c5f104d52f1c0456f40ebd04c140e3b6fffd0f32a
                  • Instruction ID: cee4afc30cc752b2d1190eb0dc47ae6c5ae59b074754262df286db162d37ee09
                  • Opcode Fuzzy Hash: 0e4cbf5b0c9a50a5f7fa822c5f104d52f1c0456f40ebd04c140e3b6fffd0f32a
                  • Instruction Fuzzy Hash: FEF0BE5284E3C81FD336AB3488AAAD63FA4AF53211F0500CBE088CB0A2C9184909C323
                  Memory Dump Source
                  • Source File: 00000000.00000002.4595777564.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd345f0000_crypted_UClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 04d2be99e9bd4d268ba0fd82e49507221fa024258fbaa26e7bcbe055449a126e
                  • Instruction ID: 7ebecfca71c1cadf31050b64c2f8667064030c607ed6c959667b4e0a6b42a56b
                  • Opcode Fuzzy Hash: 04d2be99e9bd4d268ba0fd82e49507221fa024258fbaa26e7bcbe055449a126e
                  • Instruction Fuzzy Hash: 72E09B21F1CA199AE7557A5844252FD72C1EF49312F400134D54EC2683CE5C95515752
                  Memory Dump Source
                  • Source File: 00000000.00000002.4595777564.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd345f0000_crypted_UClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 36b7c45207361137f87adede38551f2ffccc0e169ee4e41b090a57917389f650
                  • Instruction ID: ec7f6a64e98fd0ea5b7f1c689611896e744e47aac51f44208f400d0704ef8cbf
                  • Opcode Fuzzy Hash: 36b7c45207361137f87adede38551f2ffccc0e169ee4e41b090a57917389f650
                  • Instruction Fuzzy Hash: ECE09221B2DA0A8FE69EB3B400762FD7791EF46300B5408BDD04FC71D3CD2CA8029216
                  Memory Dump Source
                  • Source File: 00000000.00000002.4595777564.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd345f0000_crypted_UClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 544161a1f552b20d01912f77cc9ca49ac55937acbf18bb2bf713fb7dd0d7821d
                  • Instruction ID: aab4bbc53f85f4dadc2b6a9f34172053ebca5cc38f64c2e4c5250a0a7faa1187
                  • Opcode Fuzzy Hash: 544161a1f552b20d01912f77cc9ca49ac55937acbf18bb2bf713fb7dd0d7821d
                  • Instruction Fuzzy Hash: 7CE09A20B69A4A4FE69EB3B400762FE7791EF8A300B5008BCD04FC71D3CE2CA8028215
                  Memory Dump Source
                  • Source File: 00000000.00000002.4595777564.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd345f0000_crypted_UClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 9c13b8bf7941cf042ab85af712e87ac44180729e9137b2a743ddb4db17e57c2d
                  • Instruction ID: 033e697bd8c699cc86952a669d5ed19513e0680da57fe12f78c642991d26c7cb
                  • Opcode Fuzzy Hash: 9c13b8bf7941cf042ab85af712e87ac44180729e9137b2a743ddb4db17e57c2d
                  • Instruction Fuzzy Hash: A1E04F22F1891D4FEF40ABEC94552FCB3D2EF48211F100076D20DE3292CE2898018391
                  Memory Dump Source
                  • Source File: 00000000.00000002.4595777564.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd345f0000_crypted_UClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 67b12defe336d7f9f2f60dadafa73ddf4b92b7dfee6488b697043315598020a9
                  • Instruction ID: cdcfb07136e9b289f98cd62836c2dd7b6d642a4e58d9175533071d83bd903af3
                  • Opcode Fuzzy Hash: 67b12defe336d7f9f2f60dadafa73ddf4b92b7dfee6488b697043315598020a9
                  • Instruction Fuzzy Hash: 9EE0C20275DB812FD359E7B80C671ADEED1AF59240B0845BDE089C3283C90C58054602
                  Memory Dump Source
                  • Source File: 00000000.00000002.4595777564.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd345f0000_crypted_UClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d7c24a9a3424516f2320120a1100334a4f88ff3552a6bc6c0e0e20a7fed921a9
                  • Instruction ID: b074838e8fa44c561932cd497dc46fd65210543e0470d2f8d6e0f01f604d3727
                  • Opcode Fuzzy Hash: d7c24a9a3424516f2320120a1100334a4f88ff3552a6bc6c0e0e20a7fed921a9
                  • Instruction Fuzzy Hash: 7ED0C902B5990E56F99877EC74623FDA186CFCA311FA84531E409C66EBCC8DAC821153
                  Memory Dump Source
                  • Source File: 00000000.00000002.4595777564.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd345f0000_crypted_UClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 05864ccb12275783f20250eff11fd8068cca8e4737d3022fb221e6d8a662bab9
                  • Instruction ID: 68c25c35425feadff3642d6f8228fa012be96b3a986645ca814095faf2735264
                  • Opcode Fuzzy Hash: 05864ccb12275783f20250eff11fd8068cca8e4737d3022fb221e6d8a662bab9
                  • Instruction Fuzzy Hash: 90D05E01B1D9802BEA4973F814237AB6A958F46300F1405BAA04C975E3CC0C98018222
                  Memory Dump Source
                  • Source File: 00000000.00000002.4595777564.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd345f0000_crypted_UClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 9252babef7b5196b7727294a277e1f6d4463060dd00a78ba9d70f4d714c3dbcc
                  • Instruction ID: 8e8297d7ec70dfe53b0260b33664a974119d653390a9f3faf537a7ac4d73d5af
                  • Opcode Fuzzy Hash: 9252babef7b5196b7727294a277e1f6d4463060dd00a78ba9d70f4d714c3dbcc
                  • Instruction Fuzzy Hash: 05D05E00B1D5805BF60973F81823BEBAA958F46300F1402B9E04C975E3CC0C98018222
                  Memory Dump Source
                  • Source File: 00000000.00000002.4595777564.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd345f0000_crypted_UClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f69731f5c0238d3dd0ebbc020a8cc8e3e5d2d96856ded7cc2c4c8cb4f26651ab
                  • Instruction ID: 16796bdc1db4b2d477831e9657366843f6ee5dac3fe00bc476fc9a525c213865
                  • Opcode Fuzzy Hash: f69731f5c0238d3dd0ebbc020a8cc8e3e5d2d96856ded7cc2c4c8cb4f26651ab
                  • Instruction Fuzzy Hash: F7D05E00B1D5852BFA5973F818236EA6B958F56300F1401B9A048975E3CC0C98029222
                  Memory Dump Source
                  • Source File: 00000000.00000002.4595777564.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd345f0000_crypted_UClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4456af0ccc33fcf879c019f5391897c21d7dfbeb6babf2a4f58fb19c6d80b0b1
                  • Instruction ID: cf7cbbed8c8912ca57ecb0565e70eea00a03077b17299d4a94859dad5e1f994f
                  • Opcode Fuzzy Hash: 4456af0ccc33fcf879c019f5391897c21d7dfbeb6babf2a4f58fb19c6d80b0b1
                  • Instruction Fuzzy Hash: FED0A761D6D092EFD307975488976B43FD09F0B250F0C08EDC149C70A2C90D1417F312
                  Memory Dump Source
                  • Source File: 00000000.00000002.4595777564.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd345f0000_crypted_UClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 14061302f3982d8a77421fba2327d36c6c19ce1212a65e1045e9497b0737e0c4
                  • Instruction ID: 1646114dba9b05f1df7fc2c42d38615d3b46567e5cf4d9d2340b69a26fccf918
                  • Opcode Fuzzy Hash: 14061302f3982d8a77421fba2327d36c6c19ce1212a65e1045e9497b0737e0c4
                  • Instruction Fuzzy Hash: BFD05E00B6C5845BEA4973FC18236EAAA958F86300F1401B9A048975E3CC0C98019222
                  Memory Dump Source
                  • Source File: 00000000.00000002.4595777564.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd345f0000_crypted_UClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b87e29db6af742eae66c5134658ba37dabd3e7cb73c4bbebcf116b8eedd670b5
                  • Instruction ID: 91b8c5379eb4f7da363848b4591a1e96b2b6d7d53b50392c1bd91ad49b11ce96
                  • Opcode Fuzzy Hash: b87e29db6af742eae66c5134658ba37dabd3e7cb73c4bbebcf116b8eedd670b5
                  • Instruction Fuzzy Hash: C0D05E00B2C9845BEA0973F818236EBAB958F86300F1401B9A048975E3CC0C98019222
                  Memory Dump Source
                  • Source File: 00000000.00000002.4595777564.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd345f0000_crypted_UClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 024547abe7428826d23044fa3e0a56191a6fc1f487a39c17c14200e6b663df60
                  • Instruction ID: 5842063c7f8c0a18bfb42f279eec297cf4a94d65e268b9ae7ee45aa69d73dde6
                  • Opcode Fuzzy Hash: 024547abe7428826d23044fa3e0a56191a6fc1f487a39c17c14200e6b663df60
                  • Instruction Fuzzy Hash: 57B09202F6A84A819506327908A20A8BB20BF8B624FC801B0D98CC0483A94D259AA683
                  Memory Dump Source
                  • Source File: 00000000.00000002.4595777564.00007FFD345F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd345f0000_crypted_UClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 74f847216bfb72e33ff446188db4b92502582ed09fc86588f6e57660c9b03ad8
                  • Instruction ID: 3b70709c631b4e7cffdc2efbae1ac42d5954147e4dee438e6c17e42a981dbc75
                  • Opcode Fuzzy Hash: 74f847216bfb72e33ff446188db4b92502582ed09fc86588f6e57660c9b03ad8
                  • Instruction Fuzzy Hash: E1A00216D9780A41980A36FA1DD74A474505F8A514FC91564E90CC4686E98E15E91293