Windows Analysis Report
#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe

Overview

General Information

Sample name: #U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe
renamed because original name is a hash value
Original sample name: _uninstc.exe
Analysis ID: 1520462
MD5: 50c9853e37a18a5b5c2f5857ea1a5ab1
SHA1: 079079af20c8d68e7ac999ee28961eee9b61f4c9
SHA256: 31130b5f53f752897775b5a39ea3936e7afeff09dd3e381b15f1800efb68f2fb
Tags: exesilverfoxwinosuser-vm001cn
Infos:

Detection

Score: 27
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Contain functionality to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Potential time zone aware malware
Program does not show much activity (idle)

Classification

Source: #U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F90DE2B8 FindFirstFileExW, 0_2_00007FF6F90DE2B8
Contains functionality to call native functions
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F9071A40 GetCurrentProcess,NtQueryObject,NtQueryObject,RtlNtStatusToDosError,_CxxThrowException,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_CxxThrowException, 0_2_00007FF6F9071A40
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F9071F6D GetCurrentProcess,NtQueryObject,NtQueryObject, 0_2_00007FF6F9071F6D
Detected potential crypto function
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F907BAC0 0_2_00007FF6F907BAC0
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F9084CE0 0_2_00007FF6F9084CE0
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F90C8064 0_2_00007FF6F90C8064
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F909F144 0_2_00007FF6F909F144
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F90D9580 0_2_00007FF6F90D9580
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F9093876 0_2_00007FF6F9093876
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F90C5A48 0_2_00007FF6F90C5A48
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F9090A40 0_2_00007FF6F9090A40
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F908FA78 0_2_00007FF6F908FA78
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F90E7AA4 0_2_00007FF6F90E7AA4
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F90D0AE4 0_2_00007FF6F90D0AE4
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F90D7AE0 0_2_00007FF6F90D7AE0
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F90A0B14 0_2_00007FF6F90A0B14
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F90CB990 0_2_00007FF6F90CB990
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F90D0980 0_2_00007FF6F90D0980
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F90829B0 0_2_00007FF6F90829B0
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F90959BC 0_2_00007FF6F90959BC
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F908C9FC 0_2_00007FF6F908C9FC
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F90C8C88 0_2_00007FF6F90C8C88
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F90DFC84 0_2_00007FF6F90DFC84
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F90C5CE0 0_2_00007FF6F90C5CE0
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F90DAB3C 0_2_00007FF6F90DAB3C
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F908DB64 0_2_00007FF6F908DB64
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F9092B78 0_2_00007FF6F9092B78
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F9099C1C 0_2_00007FF6F9099C1C
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F90CBEC4 0_2_00007FF6F90CBEC4
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F9075EC0 0_2_00007FF6F9075EC0
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F909DD40 0_2_00007FF6F909DD40
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F9094D38 0_2_00007FF6F9094D38
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F90CDD60 0_2_00007FF6F90CDD60
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F90D4DB8 0_2_00007FF6F90D4DB8
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F90D2070 0_2_00007FF6F90D2070
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F909B064 0_2_00007FF6F909B064
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F90DE088 0_2_00007FF6F90DE088
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F90D509C 0_2_00007FF6F90D509C
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F90E10C8 0_2_00007FF6F90E10C8
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F909A0F4 0_2_00007FF6F909A0F4
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F90D0F7C 0_2_00007FF6F90D0F7C
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F90D7020 0_2_00007FF6F90D7020
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F90D42B4 0_2_00007FF6F90D42B4
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F908D2B0 0_2_00007FF6F908D2B0
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F90CE44C 0_2_00007FF6F90CE44C
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F907A490 0_2_00007FF6F907A490
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F9086520 0_2_00007FF6F9086520
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F90C938C 0_2_00007FF6F90C938C
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F908E37C 0_2_00007FF6F908E37C
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F90843AC 0_2_00007FF6F90843AC
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F90AE3C0 0_2_00007FF6F90AE3C0
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F90C83FC 0_2_00007FF6F90C83FC
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F9078690 0_2_00007FF6F9078690
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F908367C 0_2_00007FF6F908367C
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F90D2728 0_2_00007FF6F90D2728
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F909A72C 0_2_00007FF6F909A72C
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F9094554 0_2_00007FF6F9094554
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F90D2588 0_2_00007FF6F90D2588
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F90D28C8 0_2_00007FF6F90D28C8
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F90E2908 0_2_00007FF6F90E2908
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F909F918 0_2_00007FF6F909F918
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F90A1788 0_2_00007FF6F90A1788
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: String function: 00007FF6F90D9BEC appears 32 times
Source: classification engine Classification label: sus27.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F9074350 FormatMessageA,LocalFree,std::ios_base::_Ios_base_dtor,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,GetLastError,_CxxThrowException, 0_2_00007FF6F9074350
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F907BAC0 LoadLibraryW,GetProcAddress,IsDebuggerPresent,FreeLibrary,GetModuleHandleA,FindResourceA,LoadResource,SizeofResource,LockResource,CreateToolhelp32Snapshot,Process32First,CloseHandle,LoadLibraryA,GetProcAddress,allocator,allocator,_CxxThrowException,_invalid_parameter_noinfo_noreturn,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException, 0_2_00007FF6F907BAC0
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F907BAC0 LoadLibraryW,GetProcAddress,IsDebuggerPresent,FreeLibrary,GetModuleHandleA,FindResourceA,LoadResource,SizeofResource,LockResource,CreateToolhelp32Snapshot,Process32First,CloseHandle,LoadLibraryA,GetProcAddress,allocator,allocator,_CxxThrowException,_invalid_parameter_noinfo_noreturn,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException, 0_2_00007FF6F907BAC0
Source: #U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Section loaded: wintypes.dll Jump to behavior
Source: #U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: #U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: #U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: #U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: #U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: #U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: #U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: #U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: #U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: #U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: #U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: #U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: #U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: #U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F907BAC0 LoadLibraryW,GetProcAddress,IsDebuggerPresent,FreeLibrary,GetModuleHandleA,FindResourceA,LoadResource,SizeofResource,LockResource,CreateToolhelp32Snapshot,Process32First,CloseHandle,LoadLibraryA,GetProcAddress,allocator,allocator,_CxxThrowException,_invalid_parameter_noinfo_noreturn,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException, 0_2_00007FF6F907BAC0
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F90B5C18 GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,_CxxThrowException,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,_CxxThrowException,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,_CxxThrowException,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,_CxxThrowException,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,_CxxThrowException,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,_CxxThrowException,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,_CxxThrowException,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,_CxxThrowException,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,_CxxThrowException,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,_CxxThrowException,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,_CxxThrowException,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,_CxxThrowException,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,_CxxThrowException,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,_CxxThrowException,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,_CxxThrowException,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,_CxxThrowException,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,_CxxThrowException, 0_2_00007FF6F90B5C18

Malware Analysis System Evasion
barindex
Contain functionality to detect virtual machines
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: VBoxMouse.sys VBoxGuest.sys VBoxSF.sys 0_2_00007FF6F90789A0
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: qemu qemu vbox vbox vbox 0_2_00007FF6F9079680
Found evasive API chain (date check)
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe API coverage: 5.1 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe TID: 5976 Thread sleep time: -50000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe TID: 5976 Thread sleep time: -50000s >= -30000s Jump to behavior
Potential time zone aware malware
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe System information queried: CurrentTimeZoneInformation Jump to behavior
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F90DE2B8 FindFirstFileExW, 0_2_00007FF6F90DE2B8
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Thread delayed: delay time: 50000 Jump to behavior
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Thread delayed: delay time: 50000 Jump to behavior
Source: #U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Binary or memory string: vmci.sys
Source: #U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Binary or memory string: vmhgfs.sys
Source: #U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Binary or memory string: VBoxMouse.sys
Source: #U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Binary or memory string: VBoxSF.sys
Source: #U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Binary or memory string: VBoxGuest.sys
Source: #U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Binary or memory string: vmmouse.sys
Source: #U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Binary or memory string: vmmouse.sysvmhgfs.sysvm3dmp.sysvmu**mouse.sysvmx_svga.sysvmxnet.sysvmci.sysVBoxMouse.sysVBoxGuest.sysVBoxSF.sysFailed to find shellcode resourceFailed to load shellcode resourceShellcode resource size is 0Failed to lock shellcode resourceFailed to find lsass.exe processFailed to get RtlAdjustPrivilege addressGET
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F907BAC0 LoadLibraryW,GetProcAddress,IsDebuggerPresent,FreeLibrary,GetModuleHandleA,FindResourceA,LoadResource,SizeofResource,LockResource,CreateToolhelp32Snapshot,Process32First,CloseHandle,LoadLibraryA,GetProcAddress,allocator,allocator,_CxxThrowException,_invalid_parameter_noinfo_noreturn,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException, 0_2_00007FF6F907BAC0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F907BAC0 LoadLibraryW,GetProcAddress,IsDebuggerPresent,FreeLibrary,GetModuleHandleA,FindResourceA,LoadResource,SizeofResource,LockResource,CreateToolhelp32Snapshot,Process32First,CloseHandle,LoadLibraryA,GetProcAddress,allocator,allocator,_CxxThrowException,_invalid_parameter_noinfo_noreturn,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException, 0_2_00007FF6F907BAC0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F90DF708 GetProcessHeap, 0_2_00007FF6F90DF708
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F90A3E20 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF6F90A3E20
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F90A4004 SetUnhandledExceptionFilter, 0_2_00007FF6F90A4004
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F90C4158 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF6F90C4158
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F90A3694 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF6F90A3694
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F90DDBA0 cpuid 0_2_00007FF6F90DDBA0
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: GetLocaleInfoEx,__crtDownlevelLocaleNameToLCID,GetLocaleInfoW, 0_2_00007FF6F90A2628
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: __crtGetLocaleInfoEx, 0_2_00007FF6F90A2884
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: EnumSystemLocalesW, 0_2_00007FF6F90E1A38
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: EnumSystemLocalesW, 0_2_00007FF6F90E1B08
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: EnumSystemLocalesW, 0_2_00007FF6F90D9B54
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_00007FF6F90E1BA4
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00007FF6F90E1F30
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: GetLocaleInfoW, 0_2_00007FF6F90E1DE4
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_00007FF6F90E210C
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: GetLocaleInfoW, 0_2_00007FF6F90E1FE0
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: try_get_function,GetLocaleInfoW, 0_2_00007FF6F90DA1BC
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,wcschr,wcschr,GetLocaleInfoW, 0_2_00007FF6F90E1720
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F9086BAC GetSystemTimeAsFileTime, 0_2_00007FF6F9086BAC
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F90D9580 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 0_2_00007FF6F90D9580
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F90AB290 GetVersionExW,Concurrency::details::platform::InitializeSystemFunctionPointers,Concurrency::details::WinRT::Initialize,_CxxThrowException,_CxxThrowException, 0_2_00007FF6F90AB290
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F90B94C8 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::WorkItem::Bind,Concurrency::details::SchedulerBase::GetInternalContext, 0_2_00007FF6F90B94C8
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe Code function: 0_2_00007FF6F90BA4F4 Concurrency::details::VirtualProcessor::ThrowVirtualProcessorEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::WorkItem::Bind, 0_2_00007FF6F90BA4F4
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 process2 2 Behavior Graph ID: 1520462 Sample: #U8f6f#U4ef6#U5b89#U88c5#U7... Startdate: 27/09/2024 Architecture: WINDOWS Score: 27 4 #U8f6f#U4ef6#U5b89#U88c5#U7a0b#U5e8f_uninstc.exe 2->4         started        signatures3 7 Contain functionality to detect virtual machines 4->7
No contacted IP infos