Windows Analysis Report
XWe8H4gRPb.exe

Overview

General Information

Sample name:	XWe8H4gRPb.exe renamed because original name is a hash value
Original sample name:	7693e44d877f22b963348c44f6a20110.exe
Analysis ID:	1543564
MD5:	7693e44d877f22b963348c44f6a20110
SHA1:	95bb436cedfa9f132c7bf62e4590c51190d66ecf
SHA256:	c652c39afdf675042c1ebc539169db5e198276463ee8b6d16380d45374884110
Tags:	32exe
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Classification

Signatures

AV Detection

Multi AV Scanner detection for domain / URL

Source: uebki.one	Virustotal: Detection: 15%	Perma Link
Source: https://uebki.one/api/not_working.php?0=	Virustotal: Detection: 9%	Perma Link
Source: https://uebki.one/api/zapret_readyconfigs.txt	Virustotal: Detection: 12%	Perma Link
Source: https://uebki.one/api/InfoAboutVPN.php	Virustotal: Detection: 13%	Perma Link

Multi AV Scanner detection for submitted file

Source: XWe8H4gRPb.exe	ReversingLabs: Detection: 18%
Source: XWe8H4gRPb.exe	Virustotal: Detection: 10%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.2% probability

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49709 version: TLS 1.2

Source: XWe8H4gRPb.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Users\swordily\source\repos\GoodbyeDPIConfigs\GoodbyeDPIConfigs\obj\Release\GoodbyeDPIConfigs.pdb source: XWe8H4gRPb.exe

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /version.txt HTTP/1.1User-Agent: GoodbyeDPI Configs 1.5.6Host: uebki.oneConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: uebki.one

Source: XWe8H4gRPb.exe, 00000000.00000002.3341182711.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: XWe8H4gRPb.exe, 00000000.00000002.3341182711.0000000002FD6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://uebki.one
Source: XWe8H4gRPb.exe, 00000000.00000002.3341182711.0000000002FD6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://uebki.oned
Source: XWe8H4gRPb.exe	String found in binary or memory: https://cdn.uebki.one/Coprer.conf
Source: XWe8H4gRPb.exe	String found in binary or memory: https://cdn.uebki.one/awg.exe?https://cdn.uebki.one/magic.exeAhttps://cdn.uebki.one/wintun.dll
Source: XWe8H4gRPb.exe	String found in binary or memory: https://rr1---sn-4g5lznek.googlevideo.com
Source: XWe8H4gRPb.exe, 00000000.00000002.3343230059.0000000006F3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rr1---sn-4g5lznek.googlevideo.com4
Source: XWe8H4gRPb.exe, 00000000.00000002.3341182711.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, XWe8H4gRPb.exe, 00000000.00000002.3341182711.0000000002F51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uebki.one
Source: XWe8H4gRPb.exe	String found in binary or memory: https://uebki.one/
Source: XWe8H4gRPb.exe	String found in binary or memory: https://uebki.one/GoodbyeDPIConfigs.exe
Source: XWe8H4gRPb.exe	String found in binary or memory: https://uebki.one/antizapret/antizapret.zip
Source: XWe8H4gRPb.exe	String found in binary or memory: https://uebki.one/antizapret/domains-export.txt
Source: XWe8H4gRPb.exe	String found in binary or memory: https://uebki.one/api/InfoAboutVPN.php
Source: XWe8H4gRPb.exe	String found in binary or memory: https://uebki.one/api/SendConfigRequest.php?0=0
Source: XWe8H4gRPb.exe	String found in binary or memory: https://uebki.one/api/SendConfigRequest.php?0=;.
Source: XWe8H4gRPb.exe	String found in binary or memory: https://uebki.one/api/gdpi_strateg.txt-_strategyCurlExtraKeys%_strategyExtraKeys
Source: XWe8H4gRPb.exe	String found in binary or memory: https://uebki.one/api/not_working.php?0=
Source: XWe8H4gRPb.exe	String found in binary or memory: https://uebki.one/api/zapret_readyconfigs.txt
Source: XWe8H4gRPb.exe	String found in binary or memory: https://uebki.one/api/zapret_strateg.txt
Source: XWe8H4gRPb.exe	String found in binary or memory: https://uebki.one/goodbyedpi_configs/
Source: XWe8H4gRPb.exe	String found in binary or memory: https://uebki.one/version.txt
Source: XWe8H4gRPb.exe	String found in binary or memory: https://uebki.one9https://uebki.one/donate.php

Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49709 version: TLS 1.2

Detected potential crypto function

Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Code function: 0_2_02DD4E40	0_2_02DD4E40
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Code function: 0_2_02DD9498	0_2_02DD9498
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Code function: 0_2_02DD948B	0_2_02DD948B
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Code function: 0_2_07133704	0_2_07133704
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Code function: 0_2_0713AD98	0_2_0713AD98
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Code function: 0_2_07135652	0_2_07135652
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Code function: 0_2_07133454	0_2_07133454
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Code function: 0_2_0713AD8A	0_2_0713AD8A
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Code function: 0_2_072DD5F0	0_2_072DD5F0
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Code function: 0_2_072D22C4	0_2_072D22C4
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Code function: 0_2_08952908	0_2_08952908
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Code function: 0_2_08954ED1	0_2_08954ED1
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Code function: 0_2_08951E50	0_2_08951E50
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Code function: 0_2_089528F8	0_2_089528F8
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Code function: 0_2_08951E50	0_2_08951E50
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Code function: 0_2_08954ED1	0_2_08954ED1

Sample file is different than original file name gathered from version info

Source: XWe8H4gRPb.exe, 00000000.00000000.2098737315.0000000000CF2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameGoodbyeDPIConfigs.exe" vs XWe8H4gRPb.exe
Source: XWe8H4gRPb.exe, 00000000.00000002.3340281508.000000000129E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs XWe8H4gRPb.exe
Source: XWe8H4gRPb.exe	Binary or memory string: OriginalFilenameGoodbyeDPIConfigs.exe" vs XWe8H4gRPb.exe

Source: classification engine

Classification label: mal60.winEXE@6/0@1/1

Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1060:120:WilError_03

Source: XWe8H4gRPb.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: XWe8H4gRPb.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\XWe8H4gRPb.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: XWe8H4gRPb.exe	ReversingLabs: Detection: 18%
Source: XWe8H4gRPb.exe	Virustotal: Detection: 10%

Source: unknown	Process created: C:\Users\user\Desktop\XWe8H4gRPb.exe "C:\Users\user\Desktop\XWe8H4gRPb.exe"
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c sc query "GoodbyeDPI"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc query "GoodbyeDPI"
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c sc query "GoodbyeDPI"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc query "GoodbyeDPI"	Jump to behavior

Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: dwrite.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: XWe8H4gRPb.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: XWe8H4gRPb.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: XWe8H4gRPb.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\Users\swordily\source\repos\GoodbyeDPIConfigs\GoodbyeDPIConfigs\obj\Release\GoodbyeDPIConfigs.pdb source: XWe8H4gRPb.exe

Binary contains a suspicious time stamp

Source: XWe8H4gRPb.exe

Static PE information: 0x83F6D5B1 [Mon Feb 27 21:44:17 2040 UTC]

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Code function: 0_2_02DDA281 pushad ; retf	0_2_02DDA282
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Code function: 0_2_02DDA25D pushad ; retf	0_2_02DDA25E
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Code function: 0_2_02DD0A85 push edi; retf	0_2_02DD0A82
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Code function: 0_2_02DD0A6D push edi; retf	0_2_02DD0A82
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Code function: 0_2_072C7248 pushfd ; retf	0_2_072C7255
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Code function: 0_2_089599C0 push eax; retf	0_2_089599C1

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\sc.exe sc query "GoodbyeDPI"

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Memory allocated: 2DD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Memory allocated: 2F50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Memory allocated: 4F50000 memory reserve \| memory write watch	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\XWe8H4gRPb.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Window / User API: threadDelayed 2634			Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Window / User API: threadDelayed 7167			Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -33204139332677172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -99859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -99750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -99640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -99531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -99421s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -99312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -99203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -99091s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -98984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -98875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -98753s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -98625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -98471s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -98340s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -98207s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -98078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -97968s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -97859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -97749s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -97640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -97531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -97421s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -97312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -97203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -97093s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -96984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -96874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -96764s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -96656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -96546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -96437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -96328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -96218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -96108s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -95999s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -95890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -95764s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -95655s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -95546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -95435s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -95327s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -95218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -95105s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -94996s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -94889s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -94781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -94668s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -94561s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 99859	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 99750	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 99640	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 99531	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 99421	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 99312	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 99203	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 99091	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 98984	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 98875	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 98753	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 98625	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 98471	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 98340	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 98207	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 98078	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 97968	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 97859	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 97749	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 97640	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 97531	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 97421	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 97312	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 97203	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 97093	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 96984	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 96874	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 96764	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 96656	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 96546	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 96437	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 96328	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 96218	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 96108	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 95999	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 95890	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 95764	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 95655	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 95546	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 95435	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 95327	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 95218	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 95105	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 94996	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 94889	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 94781	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 94668	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 94561	Jump to behavior

Source: XWe8H4gRPb.exe, 00000000.00000002.3340281508.00000000012D3000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Enables debug privileges

Source: C:\Users\user\Desktop\XWe8H4gRPb.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\XWe8H4gRPb.exe

Memory allocated: page read and write | page guard

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c sc query "GoodbyeDPI"			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc query "GoodbyeDPI"			Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Queries volume information: C:\Users\user\Desktop\XWe8H4gRPb.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\XWe8H4gRPb.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.96.3	uebki.one	European Union		13335	CLOUDFLARENETUS	false

Contacted Domains

Name	IP	Active
uebki.one	188.114.96.3	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://uebki.one/version.txt	true		unknown

AV Detection

Multi AV Scanner detection for domain / URL

Source: uebki.one	Virustotal: Detection: 15%	Perma Link
Source: https://uebki.one/api/not_working.php?0=	Virustotal: Detection: 9%	Perma Link
Source: https://uebki.one/api/zapret_readyconfigs.txt	Virustotal: Detection: 12%	Perma Link
Source: https://uebki.one/api/InfoAboutVPN.php	Virustotal: Detection: 13%	Perma Link

Multi AV Scanner detection for submitted file

Source: XWe8H4gRPb.exe	ReversingLabs: Detection: 18%
Source: XWe8H4gRPb.exe	Virustotal: Detection: 10%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.2% probability

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49709 version: TLS 1.2

Source: XWe8H4gRPb.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Users\swordily\source\repos\GoodbyeDPIConfigs\GoodbyeDPIConfigs\obj\Release\GoodbyeDPIConfigs.pdb source: XWe8H4gRPb.exe

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /version.txt HTTP/1.1User-Agent: GoodbyeDPI Configs 1.5.6Host: uebki.oneConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: uebki.one

Source: XWe8H4gRPb.exe, 00000000.00000002.3341182711.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: XWe8H4gRPb.exe, 00000000.00000002.3341182711.0000000002FD6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://uebki.one
Source: XWe8H4gRPb.exe, 00000000.00000002.3341182711.0000000002FD6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://uebki.oned
Source: XWe8H4gRPb.exe	String found in binary or memory: https://cdn.uebki.one/Coprer.conf
Source: XWe8H4gRPb.exe	String found in binary or memory: https://cdn.uebki.one/awg.exe?https://cdn.uebki.one/magic.exeAhttps://cdn.uebki.one/wintun.dll
Source: XWe8H4gRPb.exe	String found in binary or memory: https://rr1---sn-4g5lznek.googlevideo.com
Source: XWe8H4gRPb.exe, 00000000.00000002.3343230059.0000000006F3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rr1---sn-4g5lznek.googlevideo.com4
Source: XWe8H4gRPb.exe, 00000000.00000002.3341182711.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, XWe8H4gRPb.exe, 00000000.00000002.3341182711.0000000002F51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uebki.one
Source: XWe8H4gRPb.exe	String found in binary or memory: https://uebki.one/
Source: XWe8H4gRPb.exe	String found in binary or memory: https://uebki.one/GoodbyeDPIConfigs.exe
Source: XWe8H4gRPb.exe	String found in binary or memory: https://uebki.one/antizapret/antizapret.zip
Source: XWe8H4gRPb.exe	String found in binary or memory: https://uebki.one/antizapret/domains-export.txt
Source: XWe8H4gRPb.exe	String found in binary or memory: https://uebki.one/api/InfoAboutVPN.php
Source: XWe8H4gRPb.exe	String found in binary or memory: https://uebki.one/api/SendConfigRequest.php?0=0
Source: XWe8H4gRPb.exe	String found in binary or memory: https://uebki.one/api/SendConfigRequest.php?0=;.
Source: XWe8H4gRPb.exe	String found in binary or memory: https://uebki.one/api/gdpi_strateg.txt-_strategyCurlExtraKeys%_strategyExtraKeys
Source: XWe8H4gRPb.exe	String found in binary or memory: https://uebki.one/api/not_working.php?0=
Source: XWe8H4gRPb.exe	String found in binary or memory: https://uebki.one/api/zapret_readyconfigs.txt
Source: XWe8H4gRPb.exe	String found in binary or memory: https://uebki.one/api/zapret_strateg.txt
Source: XWe8H4gRPb.exe	String found in binary or memory: https://uebki.one/goodbyedpi_configs/
Source: XWe8H4gRPb.exe	String found in binary or memory: https://uebki.one/version.txt
Source: XWe8H4gRPb.exe	String found in binary or memory: https://uebki.one9https://uebki.one/donate.php

Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49709 version: TLS 1.2

Detected potential crypto function

Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Code function: 0_2_02DD4E40	0_2_02DD4E40
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Code function: 0_2_02DD9498	0_2_02DD9498
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Code function: 0_2_02DD948B	0_2_02DD948B
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Code function: 0_2_07133704	0_2_07133704
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Code function: 0_2_0713AD98	0_2_0713AD98
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Code function: 0_2_07135652	0_2_07135652
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Code function: 0_2_07133454	0_2_07133454
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Code function: 0_2_0713AD8A	0_2_0713AD8A
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Code function: 0_2_072DD5F0	0_2_072DD5F0
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Code function: 0_2_072D22C4	0_2_072D22C4
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Code function: 0_2_08952908	0_2_08952908
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Code function: 0_2_08954ED1	0_2_08954ED1
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Code function: 0_2_08951E50	0_2_08951E50
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Code function: 0_2_089528F8	0_2_089528F8
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Code function: 0_2_08951E50	0_2_08951E50
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Code function: 0_2_08954ED1	0_2_08954ED1

Sample file is different than original file name gathered from version info

Source: XWe8H4gRPb.exe, 00000000.00000000.2098737315.0000000000CF2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameGoodbyeDPIConfigs.exe" vs XWe8H4gRPb.exe
Source: XWe8H4gRPb.exe, 00000000.00000002.3340281508.000000000129E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs XWe8H4gRPb.exe
Source: XWe8H4gRPb.exe	Binary or memory string: OriginalFilenameGoodbyeDPIConfigs.exe" vs XWe8H4gRPb.exe

Source: classification engine

Classification label: mal60.winEXE@6/0@1/1

Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1060:120:WilError_03

Source: XWe8H4gRPb.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: XWe8H4gRPb.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\XWe8H4gRPb.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: XWe8H4gRPb.exe	ReversingLabs: Detection: 18%
Source: XWe8H4gRPb.exe	Virustotal: Detection: 10%

Source: unknown	Process created: C:\Users\user\Desktop\XWe8H4gRPb.exe "C:\Users\user\Desktop\XWe8H4gRPb.exe"
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c sc query "GoodbyeDPI"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc query "GoodbyeDPI"
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c sc query "GoodbyeDPI"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc query "GoodbyeDPI"	Jump to behavior

Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: dwrite.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: XWe8H4gRPb.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: XWe8H4gRPb.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: XWe8H4gRPb.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\Users\swordily\source\repos\GoodbyeDPIConfigs\GoodbyeDPIConfigs\obj\Release\GoodbyeDPIConfigs.pdb source: XWe8H4gRPb.exe

Binary contains a suspicious time stamp

Source: XWe8H4gRPb.exe

Static PE information: 0x83F6D5B1 [Mon Feb 27 21:44:17 2040 UTC]

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Code function: 0_2_02DDA281 pushad ; retf	0_2_02DDA282
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Code function: 0_2_02DDA25D pushad ; retf	0_2_02DDA25E
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Code function: 0_2_02DD0A85 push edi; retf	0_2_02DD0A82
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Code function: 0_2_02DD0A6D push edi; retf	0_2_02DD0A82
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Code function: 0_2_072C7248 pushfd ; retf	0_2_072C7255
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Code function: 0_2_089599C0 push eax; retf	0_2_089599C1

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\sc.exe sc query "GoodbyeDPI"

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Memory allocated: 2DD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Memory allocated: 2F50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Memory allocated: 4F50000 memory reserve \| memory write watch	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\XWe8H4gRPb.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Window / User API: threadDelayed 2634			Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Window / User API: threadDelayed 7167			Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -33204139332677172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -99859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -99750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -99640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -99531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -99421s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -99312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -99203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -99091s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -98984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -98875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -98753s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -98625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -98471s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -98340s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -98207s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -98078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -97968s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -97859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -97749s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -97640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -97531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -97421s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -97312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -97203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -97093s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -96984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -96874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -96764s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -96656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -96546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -96437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -96328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -96218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -96108s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -95999s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -95890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -95764s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -95655s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -95546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -95435s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -95327s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -95218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -95105s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -94996s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -94889s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -94781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -94668s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -94561s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 99859	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 99750	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 99640	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 99531	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 99421	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 99312	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 99203	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 99091	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 98984	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 98875	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 98753	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 98625	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 98471	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 98340	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 98207	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 98078	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 97968	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 97859	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 97749	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 97640	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 97531	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 97421	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 97312	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 97203	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 97093	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 96984	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 96874	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 96764	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 96656	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 96546	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 96437	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 96328	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 96218	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 96108	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 95999	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 95890	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 95764	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 95655	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 95546	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 95435	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 95327	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 95218	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 95105	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 94996	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 94889	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 94781	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 94668	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 94561	Jump to behavior

Source: XWe8H4gRPb.exe, 00000000.00000002.3340281508.00000000012D3000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Enables debug privileges

Source: C:\Users\user\Desktop\XWe8H4gRPb.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\XWe8H4gRPb.exe

Memory allocated: page read and write | page guard

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c sc query "GoodbyeDPI"			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc query "GoodbyeDPI"			Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Queries volume information: C:\Users\user\Desktop\XWe8H4gRPb.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\XWe8H4gRPb.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

ID:	1543564
Product:	CloudBasic
Start time:	06:28:06
Start date:	28.10.2024
Sample:	XWe8H4gRPb.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	7693e44d877f22b963348c44f6a20110
SHA1:	95bb436cedfa9f132c7bf62e4590c51190d66ecf
SHA256:	c652c39afdf675042c1ebc539169db5e198276463ee8b6d16380d45374884110
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Windows Analysis Report
XWe8H4gRPb.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report XWe8H4gRPb.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
XWe8H4gRPb.exe