
Analysis Report USD67,884.08_Payment_Advise_9083008849.exe

Overview

General Information

Sample Name: USD67,884.08_Payment_Advise_9083008849.exe
Analysis ID: 321416
MD5: 947edeb169369ac67c5448cc2f8104a3
SHA1: 5d2181f018ab4b8afd6b193e4651233b44ad7d62
SHA256: 3a89a79e825bf330e3ea46f6a5f548529b642dc61219a8deeaec070a0688a08e
Tags: AgentTesla, exe, HSBC

Most interesting Screenshot:

Detection

Family: AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara detected Keylogger Generic
Yara signature match

Classification

Startup

  • System is w10x64
  • Uclldrv.exe (PID: 6756 cmdline: 'C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe' MD5: 947EDEB169369AC67C5448CC2F8104A3)
    • Uclldrv.exe (PID: 6868 cmdline: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe MD5: 947EDEB169369AC67C5448CC2F8104A3)
  • Uclldrv.exe (PID: 5900 cmdline: 'C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe' MD5: 947EDEB169369AC67C5448CC2F8104A3)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\llcU.url | Methodology_Shortcut_HotKey | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr)
  • 0x9b:$hotkey: \x0AHotKey=1
  • 0x0:$url_explicit: [InternetShortcut]
C:\Users\user\AppData\Local\llcU.url | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr)
  • 0x14:$file: URL=
  • 0x0:$url_explicit: [InternetShortcut]
C:\Users\user\AppData\Local\llcU.url | Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr)
  • 0x70:$icon: IconFile=
  • 0x0:$url_explicit: [InternetShortcut]

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000002.472146872.00000000026A7000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000005.00000002.472146872.00000000026A7000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000005.00000002.468175139.00000000023E0000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000012.00000002.469055192.00000000025F0000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000012.00000002.473298428.0000000002797000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
18.2.Uclldrv.exe.25f0000.1.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
18.2.Uclldrv.exe.25f0000.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
5.2.USD67,884.08_Payment_Advise_9083008849.exe.4a10000.4.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
18.2.Uclldrv.exe.4f00000.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
5.2.USD67,884.08_Payment_Advise_9083008849.exe.23e0000.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe; ReversingLabs: Detection: 22%
Multi AV Scanner detection for submitted file
Source: USD67,884.08_Payment_Advise_9083008849.exe; Virustotal: Detection: 40%
Source: USD67,884.08_Payment_Advise_9083008849.exe; ReversingLabs: Detection: 22%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: USD67,884.08_Payment_Advise_9083008849.exe; Joe Sandbox ML: detected
Source: 13.2.Uclldrv.exe.2ab0000.5.unpack; Avira: Label: TR/Hijacker.Gen
Source: 13.2.Uclldrv.exe.45e0000.6.unpack; Avira: Label: TR/Dropper.Gen
Source: global traffic; HTTP traffic detected: GET /wp-admin/twenty-seventeen/70099875453/css/Ucll08488374ODU8 HTTP/1.1 | Host: airseaalliance.com | Cache-Control: no-cache
Source: Joe Sandbox View; IP Address: 162.159.136.232
Source: Joe Sandbox View; IP Address: 162.159.138.232
Source: unknown; DNS traffic detected: queries for: discord.com
Source: USD67,884.08_Payment_Advise_9083008849.exe, 00000005.00000002.472146872.00000000026A7000.00000004.00000001.sdmp, Uclldrv.exe, 00000012.00000002.473298428.0000000002797000.00000004.00000001.sdmp; String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Uclldrv.exe, 00000012.00000002.473298428.0000000002797000.00000004.00000001.sdmp; String found in binary or memory: http://DynDns.comDynDNS
Source: Uclldrv.exe, 00000010.00000002.373966981.0000000004020000.00000004.00000001.sdmp; String found in binary or memory: http://airseaalliance.com/wp-admin/twenty-seventeen/70099875453/css/Ucll08488374ODU8
Source: Uclldrv.exe, 00000012.00000002.473298428.0000000002797000.00000004.00000001.sdmp; String found in binary or memory: http://hHeaxI.com
Source: Uclldrv.exe, 00000012.00000002.473298428.0000000002797000.00000004.00000001.sdmp; String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: USD67,884.08_Payment_Advise_9083008849.exe, 00000005.00000002.472146872.00000000026A7000.00000004.00000001.sdmp, Uclldrv.exe, 00000012.00000002.473298428.0000000002797000.00000004.00000001.sdmp; String found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
Source: Uclldrv.exe, 0000000D.00000002.363645356.0000000003FF0000.00000004.00000001.sdmp, Uclldrv.exe, 00000010.00000002.373966981.0000000004020000.00000004.00000001.sdmp; String found in binary or memory: https://discord.com/
Source: Uclldrv.exe, 0000000D.00000002.363645356.0000000003FF0000.00000004.00000001.sdmp, Uclldrv.exe, 00000010.00000002.373966981.0000000004020000.00000004.00000001.sdmp; String found in binary or memory: https://discord.com/J
Source: USD67,884.08_Payment_Advise_9083008849.exe, 00000005.00000002.472146872.00000000026A7000.00000004.00000001.sdmp, Uclldrv.exe, 00000012.00000002.473298428.0000000002797000.00000004.00000001.sdmp; String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown; Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown; Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown; Network traffic detected: HTTP traffic on port 49738 -> 443
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe; Window created: window name: CLIPBRDWNDCLASS
Source: Yara match; File source: Process Memory Space: Uclldrv.exe PID: 6756, type: MEMORY

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample; Static PE information: Filename: USD67,884.08_Payment_Advise_9083008849.exe
                      Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exeCode function: String function: 0040E1D8 appears 44 times
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exeCode function: String function: 0040D606 appears 48 times
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Code function: String function: 0040E1D8 appears 88 times
Source: USD67,884.08_Payment_Advise_9083008849.exe Static PE information: invalid certificate
Source: USD67,884.08_Payment_Advise_9083008849.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Uclldrv.exe.0.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: USD67,884.08_Payment_Advise_9083008849.exe, 00000005.00000002.477801759.0000000005630000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs USD67,884.08_Payment_Advise_9083008849.exe
Source: USD67,884.08_Payment_Advise_9083008849.exe, 00000005.00000002.468175139.00000000023E0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameygwxuBNDsCnleMFrPILFrkECdmuYRRQwMZPAraQ.exe4 vs USD67,884.08_Payment_Advise_9083008849.exe
Source: USD67,884.08_Payment_Advise_9083008849.exe, 00000005.00000002.468175139.00000000023E0000.00000004.00000001.sdmp Binary or memory string: OriginalFilename_.dll4 vs USD67,884.08_Payment_Advise_9083008849.exe
Source: USD67,884.08_Payment_Advise_9083008849.exe, 00000005.00000002.468624139.0000000002490000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamenlsbres.dllj% vs USD67,884.08_Payment_Advise_9083008849.exe
Source: USD67,884.08_Payment_Advise_9083008849.exe, 00000005.00000002.477770135.0000000005620000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewbemdisp.tlbj% vs USD67,884.08_Payment_Advise_9083008849.exe
Source: USD67,884.08_Payment_Advise_9083008849.exe, 00000005.00000002.468661954.00000000024A0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs USD67,884.08_Payment_Advise_9083008849.exe
Source: USD67,884.08_Payment_Advise_9083008849.exe, 00000005.00000002.469808808.000000000262A000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameclrjit.dllT vs USD67,884.08_Payment_Advise_9083008849.exe
Source: USD67,884.08_Payment_Advise_9083008849.exe, 00000005.00000002.469808808.000000000262A000.00000004.00000001.sdmp Binary or memory string: OriginalFilename vs USD67,884.08_Payment_Advise_9083008849.exe
Source: USD67,884.08_Payment_Advise_9083008849.exe, 00000005.00000002.469808808.000000000262A000.00000004.00000001.sdmp Binary or memory string: m,\\StringFileInfo\\040904B0\\OriginalFilename vs USD67,884.08_Payment_Advise_9083008849.exe
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Section loaded: mscorjit.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Section loaded: mscorjit.dll
Source: 0000000D.00000002.362836092.0000000002AC7000.00000020.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 0000000D.00000002.362836092.0000000002AC7000.00000020.00000001.sdmp, type: MEMORY Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
Source: C:\Users\user\AppData\Local\llcU.url, type: DROPPED Matched rule: Methodology_Shortcut_HotKey author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: C:\Users\user\AppData\Local\llcU.url, type: DROPPED Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: C:\Users\user\AppData\Local\llcU.url, type: DROPPED Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/5@6/4
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 5_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 5_2_004019F0
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Command line argument: 08A1 8_2_00413780
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Command line argument: 08A1 8_1_00413780
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: USD67,884.08_Payment_Advise_9083008849.exe Virustotal: Detection: 40%
Source: USD67,884.08_Payment_Advise_9083008849.exe ReversingLabs: Detection: 22%
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe File read: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe
Source: unknown Process created: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe 'C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe'
Source: unknown Process created: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe 'C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe'
Source: unknown Process created: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Process created: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Process created: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Binary string: _.pdb source: USD67,884.08_Payment_Advise_9083008849.exe, 00000005.00000002.468175139.00000000023E0000.00000004.00000001.sdmp, Uclldrv.exe, 00000012.00000002.469055192.00000000025F0000.00000004.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Unpacked PE file: 18.2.Uclldrv.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Unpacked PE file: 18.2.Uclldrv.exe.400000.0.unpack
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 5_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 5_2_004019F0
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03ED2BC8 push 0040547Ch; ret 0_3_03ED2BEC
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03ED63C4 push 00408CBBh; ret 0_3_03ED642B
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03ED2BC6 push 0040547Ch; ret 0_3_03ED2BEC
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03ED63C2 push 00408CBBh; ret 0_3_03ED642B
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03ED6B9C push ecx; mov dword ptr [esp], eax 0_3_03ED6B9F
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03ED6244 push 00408C48h; ret 0_3_03ED63B8
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03EC4A28 push 00404FE9h; ret 0_3_03EC4A71
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03ED2A28 push 004052DCh; ret 0_3_03ED2A4C
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03ED29EE push 004052A4h; ret 0_3_03ED2A14
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03ED29F0 push 004052A4h; ret 0_3_03ED2A14
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03ECA1D8 push 14004056h; retn 0040h 0_3_03ECA1DD
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03ECC1AC push 0040A2B5h; ret 0_3_03ECC215
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03EC5198 push 00405734h; ret 0_3_03EC51BC
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03ECC124 push 0040A1F2h; ret 0_3_03ECC152
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03ECC122 push 0040A1F2h; ret 0_3_03ECC152
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03EC87CC push 00408D60h; ret 0_3_03EC87E8
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03EC87C4 push 00408D60h; ret 0_3_03EC87E8
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03EC87C2 push 00408D60h; ret 0_3_03EC87E8
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03EC878C push 00408D20h; ret 0_3_03EC87A8
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03EC8784 push 00408D20h; ret 0_3_03EC87A8
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03EC8782 push 00408D20h; ret 0_3_03EC87A8
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03EC5F60 push ecx; mov dword ptr [esp], eax 0_3_03EC5F61
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03EC4F18 push 00405734h; ret 0_3_03EC51BC
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03ED2710 push 00404FE9h; ret 0_3_03ED2759
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03EC4EE8 push 0040547Ch; ret 0_3_03EC4F04
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03EC4EE0 push 0040547Ch; ret 0_3_03EC4F04
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03EC86DC push 00408CBBh; ret 0_3_03EC8743
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03EC4EDE push 0040547Ch; ret 0_3_03EC4F04
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03EC86DA push 00408CBBh; ret 0_3_03EC8743
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03ECC6A0 push 14004056h; retn 0040h 0_3_03ECC6A5
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03EC8EB4 push ecx; mov dword ptr [esp], eax 0_3_03EC8EB7
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Ucll
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 5_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 5_2_004019F0
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Window / User API: threadDelayed 661
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Window / User API: threadDelayed 471
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 6140 Thread sleep count: 32 > 30
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 6140 Thread sleep count: 661 > 30
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -59500s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -59312s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -58906s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -58406s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -58218s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -57812s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -57312s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -56906s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -56718s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -56218s >= -30000s
                      Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124Thread sleep time: -55812s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124Thread sleep time: -55594s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124Thread sleep time: -54906s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124Thread sleep time: -54718s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124Thread sleep time: -53812s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124Thread sleep time: -53594s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124Thread sleep time: -53406s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124Thread sleep time: -53218s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124Thread sleep time: -52718s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124Thread sleep time: -52312s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124Thread sleep time: -51406s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124Thread sleep time: -51218s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124Thread sleep time: -51000s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124Thread sleep time: -50094s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124Thread sleep time: -49718s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124Thread sleep time: -49218s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124Thread sleep time: -49000s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124Thread sleep time: -48812s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124Thread sleep time: -48594s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124Thread sleep time: -47500s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124Thread sleep time: -46812s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124Thread sleep time: -46594s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124Thread sleep time: -46218s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe TID: 2408Thread sleep time: -2767011611056431s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe TID: 2416Thread sleep count: 471 > 30Jump to behavior
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe TID: 2408Thread sleep time: -30000s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exeLast function: Thread delayed
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exeLast function: Thread delayed
                      Source: USD67,884.08_Payment_Advise_9083008849.exe, 00000005.00000002.477801759.0000000005630000.00000002.00000001.sdmp, Uclldrv.exe, 00000012.00000002.477856684.0000000005230000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                      Source: USD67,884.08_Payment_Advise_9083008849.exe, 00000005.00000002.477801759.0000000005630000.00000002.00000001.sdmp, Uclldrv.exe, 00000012.00000002.477856684.0000000005230000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                      Source: USD67,884.08_Payment_Advise_9083008849.exe, 00000005.00000002.477801759.0000000005630000.00000002.00000001.sdmp, Uclldrv.exe, 00000012.00000002.477856684.0000000005230000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                      Source: USD67,884.08_Payment_Advise_9083008849.exe, 00000005.00000002.477801759.0000000005630000.00000002.00000001.sdmp, Uclldrv.exe, 00000012.00000002.477856684.0000000005230000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                      Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exeCode function: 5_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_0040CE09
                      Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exeCode function: 5_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,5_2_004019F0
                      Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exeCode function: 5_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,5_2_004019F0
                      Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exeCode function: 5_2_0040ADB0 GetProcessHeap,HeapFree,5_2_0040ADB0
                      Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exeCode function: 5_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_0040CE09
                      Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exeCode function: 5_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_0040E61C
                      Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exeCode function: 5_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_00416F6A
                      Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exeCode function: 5_2_004123F1 SetUnhandledExceptionFilter,5_2_004123F1
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exeCode function: 18_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,18_2_0040CE09
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exeCode function: 18_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,18_2_0040E61C
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exeCode function: 18_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,18_2_00416F6A
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exeCode function: 18_2_004123F1 SetUnhandledExceptionFilter,18_2_004123F1
                      Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exeMemory allocated: page read and write | page guardJump to behavior

                      HIPS / PFW / Operating System Protection Evasion: