Edit tour

Windows Analysis Report
XWe8H4gRPb.exe

Overview

General Information

Sample name:	XWe8H4gRPb.exe renamed because original name is a hash value
Original sample name:	7693e44d877f22b963348c44f6a20110.exe
Analysis ID:	1543564
MD5:	7693e44d877f22b963348c44f6a20110
SHA1:	95bb436cedfa9f132c7bf62e4590c51190d66ecf
SHA256:	c652c39afdf675042c1ebc539169db5e198276463ee8b6d16380d45374884110
Tags:	32exe
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

XWe8H4gRPb.exe (PID: 964 cmdline: "C:\Users\user\Desktop\XWe8H4gRPb.exe" MD5: 7693E44D877F22B963348C44F6A20110)

cmd.exe (PID: 6416 cmdline: "cmd.exe" /c sc query "GoodbyeDPI" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 3080 cmdline: sc query "GoodbyeDPI" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)

cleanup

Sigma Signatures

Sigma detected: SC.EXE Query Execution

Source: Process started

Author: frack113: Data: Command: sc query "GoodbyeDPI", CommandLine: sc query "GoodbyeDPI", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: "cmd.exe" /c sc query "GoodbyeDPI", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6416, ParentProcessName: cmd.exe, ProcessCommandLine: sc query "GoodbyeDPI", ProcessId: 3080, ProcessName: sc.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for domain / URL

Source: uebki.one	Virustotal: Detection: 15%	Perma Link
Source: https://uebki.one/api/not_working.php?0=	Virustotal: Detection: 9%	Perma Link
Source: https://uebki.one/api/zapret_readyconfigs.txt	Virustotal: Detection: 12%	Perma Link
Source: https://uebki.one/api/InfoAboutVPN.php	Virustotal: Detection: 13%	Perma Link

Multi AV Scanner detection for submitted file

Source: XWe8H4gRPb.exe	ReversingLabs: Detection: 18%
Source: XWe8H4gRPb.exe	Virustotal: Detection: 10%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.2% probability

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49709 version: TLS 1.2

Source: XWe8H4gRPb.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Users\swordily\source\repos\GoodbyeDPIConfigs\GoodbyeDPIConfigs\obj\Release\GoodbyeDPIConfigs.pdb source: XWe8H4gRPb.exe

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /version.txt HTTP/1.1User-Agent: GoodbyeDPI Configs 1.5.6Host: uebki.oneConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: uebki.one

Source: XWe8H4gRPb.exe, 00000000.00000002.3341182711.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: XWe8H4gRPb.exe, 00000000.00000002.3341182711.0000000002FD6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://uebki.one
Source: XWe8H4gRPb.exe, 00000000.00000002.3341182711.0000000002FD6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://uebki.oned
Source: XWe8H4gRPb.exe	String found in binary or memory: https://cdn.uebki.one/Coprer.conf
Source: XWe8H4gRPb.exe	String found in binary or memory: https://cdn.uebki.one/awg.exe?https://cdn.uebki.one/magic.exeAhttps://cdn.uebki.one/wintun.dll
Source: XWe8H4gRPb.exe	String found in binary or memory: https://rr1---sn-4g5lznek.googlevideo.com
Source: XWe8H4gRPb.exe, 00000000.00000002.3343230059.0000000006F3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rr1---sn-4g5lznek.googlevideo.com4
Source: XWe8H4gRPb.exe, 00000000.00000002.3341182711.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, XWe8H4gRPb.exe, 00000000.00000002.3341182711.0000000002F51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uebki.one
Source: XWe8H4gRPb.exe	String found in binary or memory: https://uebki.one/
Source: XWe8H4gRPb.exe	String found in binary or memory: https://uebki.one/GoodbyeDPIConfigs.exe
Source: XWe8H4gRPb.exe	String found in binary or memory: https://uebki.one/antizapret/antizapret.zip
Source: XWe8H4gRPb.exe	String found in binary or memory: https://uebki.one/antizapret/domains-export.txt
Source: XWe8H4gRPb.exe	String found in binary or memory: https://uebki.one/api/InfoAboutVPN.php
Source: XWe8H4gRPb.exe	String found in binary or memory: https://uebki.one/api/SendConfigRequest.php?0=0
Source: XWe8H4gRPb.exe	String found in binary or memory: https://uebki.one/api/SendConfigRequest.php?0=;.
Source: XWe8H4gRPb.exe	String found in binary or memory: https://uebki.one/api/gdpi_strateg.txt-_strategyCurlExtraKeys%_strategyExtraKeys
Source: XWe8H4gRPb.exe	String found in binary or memory: https://uebki.one/api/not_working.php?0=
Source: XWe8H4gRPb.exe	String found in binary or memory: https://uebki.one/api/zapret_readyconfigs.txt
Source: XWe8H4gRPb.exe	String found in binary or memory: https://uebki.one/api/zapret_strateg.txt
Source: XWe8H4gRPb.exe	String found in binary or memory: https://uebki.one/goodbyedpi_configs/
Source: XWe8H4gRPb.exe	String found in binary or memory: https://uebki.one/version.txt
Source: XWe8H4gRPb.exe	String found in binary or memory: https://uebki.one9https://uebki.one/donate.php

Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49709 version: TLS 1.2

Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Code function: 0_2_02DD4E40	0_2_02DD4E40
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Code function: 0_2_02DD9498	0_2_02DD9498
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Code function: 0_2_02DD948B	0_2_02DD948B
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Code function: 0_2_07133704	0_2_07133704
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Code function: 0_2_0713AD98	0_2_0713AD98
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Code function: 0_2_07135652	0_2_07135652
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Code function: 0_2_07133454	0_2_07133454
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Code function: 0_2_0713AD8A	0_2_0713AD8A
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Code function: 0_2_072DD5F0	0_2_072DD5F0
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Code function: 0_2_072D22C4	0_2_072D22C4
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Code function: 0_2_08952908	0_2_08952908
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Code function: 0_2_08954ED1	0_2_08954ED1
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Code function: 0_2_08951E50	0_2_08951E50
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Code function: 0_2_089528F8	0_2_089528F8
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Code function: 0_2_08951E50	0_2_08951E50
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Code function: 0_2_08954ED1	0_2_08954ED1

Source: XWe8H4gRPb.exe, 00000000.00000000.2098737315.0000000000CF2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameGoodbyeDPIConfigs.exe" vs XWe8H4gRPb.exe
Source: XWe8H4gRPb.exe, 00000000.00000002.3340281508.000000000129E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs XWe8H4gRPb.exe
Source: XWe8H4gRPb.exe	Binary or memory string: OriginalFilenameGoodbyeDPIConfigs.exe" vs XWe8H4gRPb.exe

Source: classification engine

Classification label: mal60.winEXE@6/0@1/1

Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1060:120:WilError_03

Source: XWe8H4gRPb.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: XWe8H4gRPb.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\XWe8H4gRPb.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: XWe8H4gRPb.exe	ReversingLabs: Detection: 18%
Source: XWe8H4gRPb.exe	Virustotal: Detection: 10%

Source: unknown	Process created: C:\Users\user\Desktop\XWe8H4gRPb.exe "C:\Users\user\Desktop\XWe8H4gRPb.exe"
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c sc query "GoodbyeDPI"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc query "GoodbyeDPI"
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c sc query "GoodbyeDPI"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc query "GoodbyeDPI"	Jump to behavior

Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Section loaded: dwrite.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: XWe8H4gRPb.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: XWe8H4gRPb.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: XWe8H4gRPb.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\Users\swordily\source\repos\GoodbyeDPIConfigs\GoodbyeDPIConfigs\obj\Release\GoodbyeDPIConfigs.pdb source: XWe8H4gRPb.exe

Source: XWe8H4gRPb.exe

Static PE information: 0x83F6D5B1 [Mon Feb 27 21:44:17 2040 UTC]

Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Code function: 0_2_02DDA281 pushad ; retf	0_2_02DDA282
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Code function: 0_2_02DDA25D pushad ; retf	0_2_02DDA25E
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Code function: 0_2_02DD0A85 push edi; retf	0_2_02DD0A82
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Code function: 0_2_02DD0A6D push edi; retf	0_2_02DD0A82
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Code function: 0_2_072C7248 pushfd ; retf	0_2_072C7255
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Code function: 0_2_089599C0 push eax; retf	0_2_089599C1

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\sc.exe sc query "GoodbyeDPI"

Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Memory allocated: 2DD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Memory allocated: 2F50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Memory allocated: 4F50000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\XWe8H4gRPb.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Window / User API: threadDelayed 2634			Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Window / User API: threadDelayed 7167			Jump to behavior

Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -33204139332677172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -99859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -99750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -99640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -99531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -99421s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -99312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -99203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -99091s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -98984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -98875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -98753s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -98625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -98471s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -98340s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -98207s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -98078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -97968s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -97859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -97749s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -97640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -97531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -97421s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -97312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -97203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -97093s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -96984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -96874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -96764s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -96656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -96546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -96437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -96328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -96218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -96108s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -95999s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -95890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -95764s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -95655s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -95546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -95435s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -95327s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -95218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -95105s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -94996s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -94889s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -94781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -94668s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe TID: 5176	Thread sleep time: -94561s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 99859	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 99750	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 99640	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 99531	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 99421	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 99312	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 99203	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 99091	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 98984	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 98875	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 98753	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 98625	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 98471	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 98340	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 98207	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 98078	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 97968	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 97859	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 97749	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 97640	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 97531	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 97421	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 97312	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 97203	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 97093	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 96984	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 96874	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 96764	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 96656	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 96546	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 96437	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 96328	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 96218	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 96108	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 95999	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 95890	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 95764	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 95655	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 95546	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 95435	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 95327	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 95218	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 95105	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 94996	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 94889	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 94781	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 94668	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Thread delayed: delay time: 94561	Jump to behavior

Source: XWe8H4gRPb.exe, 00000000.00000002.3340281508.00000000012D3000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\XWe8H4gRPb.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\XWe8H4gRPb.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c sc query "GoodbyeDPI"			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc query "GoodbyeDPI"			Jump to behavior

Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Queries volume information: C:\Users\user\Desktop\XWe8H4gRPb.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\XWe8H4gRPb.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\XWe8H4gRPb.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Service Execution	1 Windows Service	1 Windows Service	1 Disable or Modify Tools	OS Credential Dumping	1 Query Registry	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	11 Process Injection	31 Virtualization/Sandbox Evasion	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	12 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
XWe8H4gRPb.exe	18%	ReversingLabs	Win32.Trojan.MalUri
XWe8H4gRPb.exe	11%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
uebki.one	16%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://uebki.one/api/not_working.php?0=	9%	Virustotal		Browse
https://uebki.one/api/zapret_readyconfigs.txt	12%	Virustotal		Browse
https://uebki.one/api/InfoAboutVPN.php	14%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
uebki.one	188.114.96.3	true	false	16%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://uebki.one/version.txt	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://uebki.one/api/InfoAboutVPN.php	XWe8H4gRPb.exe	true	14%, Virustotal, Browse	unknown
https://cdn.uebki.one/Coprer.conf	XWe8H4gRPb.exe	true		unknown
https://uebki.one/api/not_working.php?0=	XWe8H4gRPb.exe	true	9%, Virustotal, Browse	unknown
https://uebki.one/api/zapret_readyconfigs.txt	XWe8H4gRPb.exe	true	12%, Virustotal, Browse	unknown
https://uebki.one/api/SendConfigRequest.php?0=;.	XWe8H4gRPb.exe	true		unknown
https://rr1---sn-4g5lznek.googlevideo.com4	XWe8H4gRPb.exe, 00000000.00000002.3343230059.0000000006F3E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://uebki.one/GoodbyeDPIConfigs.exe	XWe8H4gRPb.exe	true		unknown
http://uebki.oned	XWe8H4gRPb.exe, 00000000.00000002.3341182711.0000000002FD6000.00000004.00000800.00020000.00000000.sdmp	true		unknown
https://cdn.uebki.one/awg.exe?https://cdn.uebki.one/magic.exeAhttps://cdn.uebki.one/wintun.dll	XWe8H4gRPb.exe	true		unknown
https://uebki.one	XWe8H4gRPb.exe, 00000000.00000002.3341182711.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, XWe8H4gRPb.exe, 00000000.00000002.3341182711.0000000002F51000.00000004.00000800.00020000.00000000.sdmp	true		unknown
https://uebki.one/	XWe8H4gRPb.exe	true		unknown
https://uebki.one/api/zapret_strateg.txt	XWe8H4gRPb.exe	true		unknown
https://rr1---sn-4g5lznek.googlevideo.com	XWe8H4gRPb.exe	false		unknown
https://uebki.one/api/gdpi_strateg.txt-_strategyCurlExtraKeys%_strategyExtraKeys	XWe8H4gRPb.exe	true		unknown
https://uebki.one9https://uebki.one/donate.php	XWe8H4gRPb.exe	true		unknown
https://uebki.one/api/SendConfigRequest.php?0=0	XWe8H4gRPb.exe	true		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	XWe8H4gRPb.exe, 00000000.00000002.3341182711.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://uebki.one	XWe8H4gRPb.exe, 00000000.00000002.3341182711.0000000002FD6000.00000004.00000800.00020000.00000000.sdmp	true		unknown
https://uebki.one/antizapret/antizapret.zip	XWe8H4gRPb.exe	true		unknown
https://uebki.one/goodbyedpi_configs/	XWe8H4gRPb.exe	true		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.96.3	uebki.one	European Union		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1543564
Start date and time:	2024-10-28 06:28:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	XWe8H4gRPb.exe renamed because original name is a hash value
Original Sample Name:	7693e44d877f22b963348c44f6a20110.exe
Detection:	MAL
Classification:	mal60.winEXE@6/0@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 62 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
01:28:54	API Interceptor	545253x Sleep call for process: XWe8H4gRPb.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.96.3	9D7RwuJrth.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	304773cm.n9shteam.in/jscpuGamegeneratorprivate.php
	DBUfLVzZhf.exe	Get hash	malicious	JohnWalkerTexasLoader	Browse	xilloolli.com/api.php?status=1&wallets=0&av=1
	R5AREmpD4S.exe	Get hash	malicious	JohnWalkerTexasLoader	Browse	xilloolli.com/api.php?status=1&wallets=0&av=1
	7950COPY.exe	Get hash	malicious	FormBook	Browse	www.globaltrend.xyz/b2h2/
	transferencia interbancaria_667553466579.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	paste.ee/d/Gitmx
	19387759999PO-RFQ-INVOICE-doc.exe	Get hash	malicious	FormBook	Browse	www.zonguldakescortg.xyz/483l/
	PO 4800040256.exe	Get hash	malicious	FormBook	Browse	www.rtpngk.xyz/876i/
	yGktPvplJn.exe	Get hash	malicious	Pushdo	Browse	www.fnsds.org/
	rPedidodecompra__PO20441__ARIMComponentes.exe	Get hash	malicious	Lokibot, PureLog Stealer, zgRAT	Browse	dddotx.shop/Mine/PWS/fre.php
	Orden de Compra No. 78986756565344657.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	paste.ee/d/nwtkd

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
uebki.one	6VTskjqyxX.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	6VTskjqyxX.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	ECChG5eWfZ.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	188.114.97.3
	dmhu7oz5yP.exe	Get hash	malicious	DCRat	Browse	188.114.97.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	z1RECONFIRMPAYMENTINVOICE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	172.67.170.64
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	172.67.170.64
	file.exe	Get hash	malicious	LummaC	Browse	172.67.170.64
	AWB#21138700102.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	172.67.170.64
	z45paymentadvice.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	162.159.61.3
	file.exe	Get hash	malicious	LummaC	Browse	172.67.170.64
	rFa24c148.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	AWB#21138700102.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	z45paymentadvice.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	188.114.96.3
	rFa24c148.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	Remittance Receipt.exe	Get hash	malicious	AgentTesla	Browse	188.114.96.3
	PbfYaIvR5B.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	188.114.96.3
	SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe	Get hash	malicious	Blank Grabber	Browse	188.114.96.3
	SecuriteInfo.com.Win64.Trojan.Agent.2S9FJA.25494.32016.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	SecuriteInfo.com.Win64.Trojan.Agent.2S9FJA.25494.32016.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	sheisverynicegirlwithgreatworkingskillwithgereatniceworkign.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	188.114.96.3

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.634024070549135
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	XWe8H4gRPb.exe
File size:	66'560 bytes
MD5:	7693e44d877f22b963348c44f6a20110
SHA1:	95bb436cedfa9f132c7bf62e4590c51190d66ecf
SHA256:	c652c39afdf675042c1ebc539169db5e198276463ee8b6d16380d45374884110
SHA512:	f687b1a973b1e0e775cc3bd12af6a9f1ef7deebebd2830cc1afa17a4dd9ab0c71e40aaab415370f5a7cdaae1d343bb9feca745a17d0e71481fd3aceb8e0802b8
SSDEEP:	1536:XlVAlGP7Pp5RoAKoAydsBj635m2VO6fqA:XlE8aAbdsB05m8O6yA
TLSH:	3853084533F84317D33D86FA15A165830BB27217BA21E2C86CCF65ED22E2B609360F97
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.................. ... ....@.. .......................`............`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4106b6
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x83F6D5B1 [Mon Feb 27 21:44:17 2040 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x10661	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x12000	0x1618	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x14000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x105ac	0x38	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xe6bc	0xe800	dd6ff33ec74906e65578e5d8b29cdcd3	False	0.3776939655172414	OpenPGP Secret Key	5.5792527302202455	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x12000	0x1618	0x1800	b4a77d8deac1e4bbf67cf4765e03879f	False	0.3732096354166667	data	5.264091198960547	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x14000	0xc	0x200	0a570bed3c34634a4f79f3d889f94370	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x12090	0x388	data			0.43694690265486724
RT_MANIFEST	0x12428	0x11eb	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.4022236756049706

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 28, 2024 06:28:56.039335012 CET	49709	443	192.168.2.6	188.114.96.3
Oct 28, 2024 06:28:56.039374113 CET	443	49709	188.114.96.3	192.168.2.6
Oct 28, 2024 06:28:56.039494038 CET	49709	443	192.168.2.6	188.114.96.3
Oct 28, 2024 06:28:56.052210093 CET	49709	443	192.168.2.6	188.114.96.3
Oct 28, 2024 06:28:56.052227974 CET	443	49709	188.114.96.3	192.168.2.6
Oct 28, 2024 06:28:56.805668116 CET	443	49709	188.114.96.3	192.168.2.6
Oct 28, 2024 06:28:56.805845022 CET	49709	443	192.168.2.6	188.114.96.3
Oct 28, 2024 06:28:56.810245991 CET	49709	443	192.168.2.6	188.114.96.3
Oct 28, 2024 06:28:56.810255051 CET	443	49709	188.114.96.3	192.168.2.6
Oct 28, 2024 06:28:56.810564995 CET	443	49709	188.114.96.3	192.168.2.6
Oct 28, 2024 06:28:56.856971979 CET	49709	443	192.168.2.6	188.114.96.3
Oct 28, 2024 06:28:56.899333954 CET	443	49709	188.114.96.3	192.168.2.6
Oct 28, 2024 06:28:57.267663002 CET	443	49709	188.114.96.3	192.168.2.6
Oct 28, 2024 06:28:57.267904043 CET	443	49709	188.114.96.3	192.168.2.6
Oct 28, 2024 06:28:57.267978907 CET	49709	443	192.168.2.6	188.114.96.3
Oct 28, 2024 06:28:57.274171114 CET	49709	443	192.168.2.6	188.114.96.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 28, 2024 06:28:56.017426014 CET	59092	53	192.168.2.6	1.1.1.1
Oct 28, 2024 06:28:56.030255079 CET	53	59092	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 28, 2024 06:28:56.017426014 CET	192.168.2.6	1.1.1.1	0x338c	Standard query (0)	uebki.one	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 28, 2024 06:28:56.030255079 CET	1.1.1.1	192.168.2.6	0x338c	No error (0)	uebki.one		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 28, 2024 06:28:56.030255079 CET	1.1.1.1	192.168.2.6	0x338c	No error (0)	uebki.one		188.114.97.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

uebki.one

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49709	188.114.96.3	443	964	C:\Users\user\Desktop\XWe8H4gRPb.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-28 05:28:56 UTC	108	OUT	GET /version.txt HTTP/1.1 User-Agent: GoodbyeDPI Configs 1.5.6 Host: uebki.one Connection: Keep-Alive
2024-10-28 05:28:57 UTC	916	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 05:28:57 GMT Content-Type: text/plain Content-Length: 31 Connection: close Last-Modified: Sun, 27 Oct 2024 07:46:41 GMT ETag: "671defe1-1f" Accept-Ranges: bytes cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Dem9eB1FNUUfLEfrh5JR7wX1LKivFsTuMTqNv1rmg1ObmZlywMEXVp%2F59y0qDXF1eE53ZIV1lJSqKWYBQwDMkMZBxWT9InLAFXuQbPS5m9HefIpueBeUjYXFQw8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Strict-Transport-Security: max-age=0; includeSubDomains; preload X-Content-Type-Options: nosniff Server: cloudflare CF-RAY: 8d98867bcb09478d-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1077&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2792&recv_bytes=726&delivery_rate=2671586&cwnd=247&unsent_bytes=0&cid=11654e8af4046952&ts=610&x=0"
2024-10-28 05:28:57 UTC	31	IN	Data Raw: 31 2e 35 2e 35 7c 67 6f 6f 64 62 79 65 64 70 69 2d 30 2e 32 2e 33 72 63 33 2d 32 2e 7a 69 70 Data Ascii: 1.5.5\|goodbyedpi-0.2.3rc3-2.zip

Target ID:	0
Start time:	01:28:54
Start date:	28/10/2024
Path:	C:\Users\user\Desktop\XWe8H4gRPb.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\XWe8H4gRPb.exe"
Imagebase:	0xce0000
File size:	66'560 bytes
MD5 hash:	7693E44D877F22B963348C44F6A20110
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	01:29:00
Start date:	28/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /c sc query "GoodbyeDPI"
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	01:29:00
Start date:	28/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	01:29:00
Start date:	28/10/2024
Path:	C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit):	true
Commandline:	sc query "GoodbyeDPI"
Imagebase:	0x700000
File size:	61'440 bytes
MD5 hash:	D9D7684B8431A0D10D0E76FE9F5FFEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	13.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	7%
Total number of Nodes:	961
Total number of Limit Nodes:	51

Executed Functions

Function 0713AD8A Relevance: 31.4, Strings: 24, Instructions: 1413
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

-, xrefs: 0713B626
, xrefs: 0713B061
`, xrefs: 0713B6F2
F, xrefs: 0713BECE
a, xrefs: 0713BA48
%, xrefs: 0713B3F6
!, xrefs: 0713C0BD
!, xrefs: 0713C1B3
&, xrefs: 0713B23A
l, xrefs: 0713BC47
_, xrefs: 0713B334
e, xrefs: 0713B0FF
I, xrefs: 0713BFB2
2, xrefs: 0713B5C7
8, xrefs: 0713B751
a, xrefs: 0713B942
&, xrefs: 0713BA52
D, xrefs: 0713BFFB
6, xrefs: 0713B83C
-, xrefs: 0713BDD8
&, xrefs: 0713BB48
&, xrefs: 0713B50E
-, xrefs: 0713B14C
&, xrefs: 0713B94C

Memory Dump Source

Source File: 00000000.00000002.3343432039.0000000007130000.00000040.00000800.00020000.00000000.sdmp, Offset: 07130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7130000_XWe8H4gRPb.jbxd

Similarity

API ID:
String ID: $!$!$%$&$&$&$&$&$-$-$-$2$6$8$D$F$I$_$`$a$a$e$l
API String ID: 0-146802345
Opcode ID: 40907606586cfb92532c11d3eeb372e3faea797193f39580a9480f1f6a7e9298
Instruction ID: f8719c94bb818d39ae6550b0fb14a1fcae2cd3c0e1beda99df66c8ed41d6cda0
Opcode Fuzzy Hash: 40907606586cfb92532c11d3eeb372e3faea797193f39580a9480f1f6a7e9298
Instruction Fuzzy Hash: 64E23870A10705CFCB25EF34C8506AEB7B2BF99304F5186ADD09A6B390DB75A985CF81

Function 0713AD98 Relevance: 31.4, Strings: 24, Instructions: 1408
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

-, xrefs: 0713B626
, xrefs: 0713B061
`, xrefs: 0713B6F2
F, xrefs: 0713BECE
a, xrefs: 0713BA48
%, xrefs: 0713B3F6
!, xrefs: 0713C0BD
!, xrefs: 0713C1B3
&, xrefs: 0713B23A
l, xrefs: 0713BC47
_, xrefs: 0713B334
e, xrefs: 0713B0FF
I, xrefs: 0713BFB2
2, xrefs: 0713B5C7
8, xrefs: 0713B751
a, xrefs: 0713B942
&, xrefs: 0713BA52
D, xrefs: 0713BFFB
6, xrefs: 0713B83C
-, xrefs: 0713BDD8
&, xrefs: 0713BB48
&, xrefs: 0713B50E
-, xrefs: 0713B14C
&, xrefs: 0713B94C

Memory Dump Source

Source File: 00000000.00000002.3343432039.0000000007130000.00000040.00000800.00020000.00000000.sdmp, Offset: 07130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7130000_XWe8H4gRPb.jbxd

Similarity

API ID:
String ID: $!$!$%$&$&$&$&$&$-$-$-$2$6$8$D$F$I$_$`$a$a$e$l
API String ID: 0-146802345
Opcode ID: 3c9e2fc128e420e71c87f5dfa761323d3aaea601845e5beb887c73062d981d2e
Instruction ID: df1edc6510a8ec44c6299bf39db2bd0fb47917147c0ae9d3387187b205eaed37
Opcode Fuzzy Hash: 3c9e2fc128e420e71c87f5dfa761323d3aaea601845e5beb887c73062d981d2e
Instruction Fuzzy Hash: 95E23870A10705CFCB25EF34C8506AEB7B2BF99304F5186ADD09A6B390DB75A985CF81

Function 08952908 Relevance: 1.9, Strings: 1, Instructions: 693
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fff?, xrefs: 08952F6F

Memory Dump Source

Source File: 00000000.00000002.3343869907.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8950000_XWe8H4gRPb.jbxd

Similarity

API ID:
String ID: fff?
API String ID: 0-4136771917
Opcode ID: 4c65f71cb7ed11e656f4717d7c8432188d3b36fbe6fd9d8ef048071a7658dfa2
Instruction ID: eeac38507e70e59da1cd085a8111c0659fc39d8f6adb5fa6ba4740d00e4fa865
Opcode Fuzzy Hash: 4c65f71cb7ed11e656f4717d7c8432188d3b36fbe6fd9d8ef048071a7658dfa2
Instruction Fuzzy Hash: 84622B3581061ADFCF11DF60C884AD9B7B2FF99304F1586D9E9086B261EB71AAD5CF80

Function 089528F8 Relevance: 1.7, Strings: 1, Instructions: 454
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fff?, xrefs: 08952F6F

Memory Dump Source

Source File: 00000000.00000002.3343869907.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8950000_XWe8H4gRPb.jbxd

Similarity

API ID:
String ID: fff?
API String ID: 0-4136771917
Opcode ID: be3a1232ccbc6fc071db50ad9c4387a168600df80d0a8441e6e324d382a13a80
Instruction ID: c8fb80487a964339b3d768ae45d151b403ff4463591e3b6fdcd9bfddfe8693a0
Opcode Fuzzy Hash: be3a1232ccbc6fc071db50ad9c4387a168600df80d0a8441e6e324d382a13a80
Instruction Fuzzy Hash: 9E124B35800619DFCF11DF50C888AD9BBB2FF49304F158599E9086F266DB72AE96DF80

Function 08951E50 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3343869907.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8950000_XWe8H4gRPb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d7705e75f972c948f6321a7eb54ac2c37372576d637806eb1a971e949e87108
Instruction ID: 2a14f754ff624e63a48508976744c07e776cf0ef07228e9f16a2e07ac3594959
Opcode Fuzzy Hash: 5d7705e75f972c948f6321a7eb54ac2c37372576d637806eb1a971e949e87108
Instruction Fuzzy Hash: 6D524B35A11619CFCB25EF64C844BE9B7B1FF49305F1486D9E909AB261EB31EA81CF40

Function 08954ED1 Relevance: .5, Instructions: 517COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3343869907.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8950000_XWe8H4gRPb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbbe48c687f865d5598ffec672ddff49b3ded5b4f28eeb4ac84ec3f0f0237b3d
Instruction ID: e14160b877f90cdfba3ebe5e6487248891dd04ab8f69e60287058a78e57faf43
Opcode Fuzzy Hash: fbbe48c687f865d5598ffec672ddff49b3ded5b4f28eeb4ac84ec3f0f0237b3d
Instruction Fuzzy Hash: FE324831A10619CFDB21EF64C944BD9B7B2FF89305F1185E9E809AB261DB71EA85CF40

Function 072D22C4 Relevance: .4, Instructions: 444COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3343680750.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_XWe8H4gRPb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8790676fffe0e2a78a48edeb08e6aa160a515089e3d07ba51055a7dbf3b8f5c
Instruction ID: 8b38753f12efa667b44b97bcc770cab4c52691d6ff1e3b368196d0f78754c5fd
Opcode Fuzzy Hash: d8790676fffe0e2a78a48edeb08e6aa160a515089e3d07ba51055a7dbf3b8f5c
Instruction Fuzzy Hash: 14F191B4730652CFDB18AB35C594A2D33A6AF8A601F54806DD906CB3A5EFB4DC45CB83

Function 072DD5F0 Relevance: .4, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3343680750.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_XWe8H4gRPb.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 8a55665696d5a371ad73551b57de78bb8849c3e3a9197b29cead50a9d1562a90
Instruction ID: 2a3d38fb4b8c47622af62fb532acce2f48bc700899cba25e52207740ad01af1c
Opcode Fuzzy Hash: 8a55665696d5a371ad73551b57de78bb8849c3e3a9197b29cead50a9d1562a90
Instruction Fuzzy Hash: 06F14DB0A1060ACFEB14DFA9C944B9DBBF1BF88714F15C159E405AB395DBB0AD45CB80

Function 02DD4E40 Relevance: .4, Instructions: 390COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3341035445.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2dd0000_XWe8H4gRPb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0f530d2106be77be56279cf0ef9a0713b10a4f256a32800bf24a5a0f1485843
Instruction ID: 9ae76911398cc7a9a8accca264521f8f503eefe6de7a7d934c24f9d628addce2
Opcode Fuzzy Hash: f0f530d2106be77be56279cf0ef9a0713b10a4f256a32800bf24a5a0f1485843
Instruction Fuzzy Hash: 1EE190307007499FEB19EF64D850BAD7BB2BF89310F548569E602AB395DB71EC42CB90

Function 07133704 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3343432039.0000000007130000.00000040.00000800.00020000.00000000.sdmp, Offset: 07130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7130000_XWe8H4gRPb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49fb61b0045cd0c037928a8c32e20a465a96ae8a71830d0d7969026bbad32bd7
Instruction ID: 7e388ecb431673532274387824d2f8093e871eab123de49035472793364f24f8
Opcode Fuzzy Hash: 49fb61b0045cd0c037928a8c32e20a465a96ae8a71830d0d7969026bbad32bd7
Instruction Fuzzy Hash: D1A19FB5E1031ADFDB05DFB0D8949DDBBBAFF89310F158215E416AB2A0EB30A941CB50

Function 07135652 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3343432039.0000000007130000.00000040.00000800.00020000.00000000.sdmp, Offset: 07130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7130000_XWe8H4gRPb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba049fde0c5eb13a1286aec1b5c0d009cbae3920ab7eaa1ca8da601f146d72f1
Instruction ID: cbcef1cae76b17e016a68fa14d1582ae298accbf1aec197fdf6c1a3704f42ee8
Opcode Fuzzy Hash: ba049fde0c5eb13a1286aec1b5c0d009cbae3920ab7eaa1ca8da601f146d72f1
Instruction Fuzzy Hash: 5B9191B5E1035ADFCB05DFB0D8449DDFBBAFF99310B158215E416AB2A0EB30A981CB50

Function 07130040 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?,00000000,00000000), ref: 07130296

Memory Dump Source

Source File: 00000000.00000002.3343432039.0000000007130000.00000040.00000800.00020000.00000000.sdmp, Offset: 07130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7130000_XWe8H4gRPb.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: b4771140d9c472f1d69d7628cefbcf84ee7f27b73024e6918060802bdeae5243
Instruction ID: 1fd33d3b6bab2480dd66d712e65b74a951c05fad1fbb8227586556b5a8625d9e
Opcode Fuzzy Hash: b4771140d9c472f1d69d7628cefbcf84ee7f27b73024e6918060802bdeae5243
Instruction Fuzzy Hash: DC7139B0A00B068FDB25DF69D45075ABBF2FF88740F00892DD486DBA90EB75E945CB91

Function 07168620 Relevance: 1.7, APIs: 1, Instructions: 168
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(00000014,?,?,03F561D0,030093B8,?,00000000), ref: 0716877E

Memory Dump Source

Source File: 00000000.00000002.3343478380.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7160000_XWe8H4gRPb.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 96a2d8fc710a8bbd0f7d9895b31064e67ba6abb73f10c25c5dcadf19e2b446bf
Instruction ID: c6527c196068d58cf8d6e6f3d79aba3d6d60a42c610036750f5b3b232181220c
Opcode Fuzzy Hash: 96a2d8fc710a8bbd0f7d9895b31064e67ba6abb73f10c25c5dcadf19e2b446bf
Instruction Fuzzy Hash: 01718EB4A11209EFCB15DF69D498DAEBBB6BF48724F114098F901AB361DB31E891CB50

Function 07135347 Relevance: 1.6, APIs: 1, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 07135462

Memory Dump Source

Source File: 00000000.00000002.3343432039.0000000007130000.00000040.00000800.00020000.00000000.sdmp, Offset: 07130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7130000_XWe8H4gRPb.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 2f7f14f4cdd1b7bd09ea590f8ea27608e5b7d87b9fc4b0f9f8fb909c3ced08bb
Instruction ID: c1a8b9e1f6762f11cc4bdf84db951334c212bc95c5960c6cbb97125abafa9f18
Opcode Fuzzy Hash: 2f7f14f4cdd1b7bd09ea590f8ea27608e5b7d87b9fc4b0f9f8fb909c3ced08bb
Instruction Fuzzy Hash: 0951A1B1D00349DFDB14CFA9C984ADEBBB6FF48710F24812AE819AB250D7759855CF90

Function 071336B0 Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 07135462

Memory Dump Source

Source File: 00000000.00000002.3343432039.0000000007130000.00000040.00000800.00020000.00000000.sdmp, Offset: 07130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7130000_XWe8H4gRPb.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 04f9065520d3297b60f816859fc354f4ab74d5e548352b3a8c719373fde7d8bb
Instruction ID: 732b77b8fc5675c7e2a22a1b74a4330fcf907e78eb2cbd5ddaee85f7917ad4a4
Opcode Fuzzy Hash: 04f9065520d3297b60f816859fc354f4ab74d5e548352b3a8c719373fde7d8bb
Instruction Fuzzy Hash: 9A51B1B1D00349DFDF14CFA9C984ADEBBB6BF48710F24812AE819AB250D7759855CF90

Function 072DE3E8 Relevance: 1.6, APIs: 1, Instructions: 101
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,072DD917), ref: 072DE3BD

Memory Dump Source

Source File: 00000000.00000002.3343680750.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_XWe8H4gRPb.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: a3bb8704761706a53e3089d47a34f235e7987add87185dab5f71b28b6f7626a1
Instruction ID: b1329d1878f5eda34fa05a4c086273560e1d2a565755282505926bf6a25b44d6
Opcode Fuzzy Hash: a3bb8704761706a53e3089d47a34f235e7987add87185dab5f71b28b6f7626a1
Instruction Fuzzy Hash: F14156B5E1025ACFDB14DFA9D884AEDBBF0BF49310F0581AAD415AB361C774A844CFA1

Function 02DDB494 Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02DDB551

Memory Dump Source

Source File: 00000000.00000002.3341035445.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2dd0000_XWe8H4gRPb.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 4a6c2dab918397ac0ef72566f8dcd870b1b67929e47d8bdc3d7d999c26a917b9
Instruction ID: 255655188163406764653dd850bb985b140570eced751a730697301f4ffb65cd
Opcode Fuzzy Hash: 4a6c2dab918397ac0ef72566f8dcd870b1b67929e47d8bdc3d7d999c26a917b9
Instruction Fuzzy Hash: B341CFB0C00719CBEB24CFA9C944BDEBBB5BF48708F20816AD508AB255DBB56945CF90

Function 07133804 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 07137B61

Memory Dump Source

Source File: 00000000.00000002.3343432039.0000000007130000.00000040.00000800.00020000.00000000.sdmp, Offset: 07130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7130000_XWe8H4gRPb.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: af52b1d897269cfac281d656f0d73129f11db8c924b0a47f27974cd0da9203b6
Instruction ID: f6f16202c0a4ac0e7ab66aa393cec1c35e226d63b8bda68e844a9ea7dc2e2909
Opcode Fuzzy Hash: af52b1d897269cfac281d656f0d73129f11db8c924b0a47f27974cd0da9203b6
Instruction Fuzzy Hash: 154138F4900209CFDB14CF99C488BAABBF6FF88314F248458D519AB3A1D774A941CBA0

Function 02DDA32C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02DDB551

Memory Dump Source

Source File: 00000000.00000002.3341035445.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2dd0000_XWe8H4gRPb.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: d06bfd72bfcb275621d395e278227fa4870411f92b025c9159bd05a2dc3ac033
Instruction ID: 39fbe165b7c1461293b7e9674d1b2c4b07eb46bbf6d0d324e8014c8129b754ef
Opcode Fuzzy Hash: d06bfd72bfcb275621d395e278227fa4870411f92b025c9159bd05a2dc3ac033
Instruction Fuzzy Hash: 8241CFB0C0071DCBEB24CFA9C944B9EBBB5BF48308F20816AD518AB251DBB56945CF90

Function 07165C48 Relevance: 1.6, APIs: 1, Instructions: 77
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,071672E5,?,?), ref: 07167397

Memory Dump Source

Source File: 00000000.00000002.3343478380.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7160000_XWe8H4gRPb.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: ac79fadd3f625a410f5eee7c3d20e454fe3a73e805a921b6a27fbb2e48aee594
Instruction ID: 95b232350761d868f29a224969d51f8169ed701396fec95144d6bb128bda301c
Opcode Fuzzy Hash: ac79fadd3f625a410f5eee7c3d20e454fe3a73e805a921b6a27fbb2e48aee594
Instruction Fuzzy Hash: 0C31E2B190030A9FDB11CF9AD884ADEBBF5BF48224F14842AE919A7250D774A954CFA0

Function 0713555B Relevance: 1.6, APIs: 1, Instructions: 77
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowLongW.USER32(?,-00000014,?), ref: 071355F5

Memory Dump Source

Source File: 00000000.00000002.3343432039.0000000007130000.00000040.00000800.00020000.00000000.sdmp, Offset: 07130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7130000_XWe8H4gRPb.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 8dc38a180cf8bc352320fe9e472605dbb8e45cdd97186f95ead291427c75454c
Instruction ID: 6b2ac84e74a5c8bb65041e8cb0de81977372c50fcd74fbb48c3d660349210ebf
Opcode Fuzzy Hash: 8dc38a180cf8bc352320fe9e472605dbb8e45cdd97186f95ead291427c75454c
Instruction Fuzzy Hash: 982168B1800249EFCB10CFA9E945B8ABBFAFB48714F19845AE804A7251D375A914CFA0

Function 072DDC60 Relevance: 1.6, APIs: 1, Instructions: 73windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,?,00000000,00000000,00000000,?,?,?,?,072DD7D2,00000000,00000000,03F561D0,030093B8), ref: 072DDC20

Memory Dump Source

Source File: 00000000.00000002.3343680750.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_XWe8H4gRPb.jbxd

Similarity

API ID: MessagePeek
String ID:
API String ID: 2222842502-0
Opcode ID: 4f8990c3a8715ab3503e42ca9350054e93c107985898bcffdcb4a231052fc931
Instruction ID: b44268a53a4b49c00794aa45246886a21516683df9bc5b655690c493152603e2
Opcode Fuzzy Hash: 4f8990c3a8715ab3503e42ca9350054e93c107985898bcffdcb4a231052fc931
Instruction Fuzzy Hash: 7B2187B29046499FDB20CF99C580BEEBBF4EF48320F14806AD554A7252C3B8A944CFA1

Function 07165C3C Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,071672E5,?,?), ref: 07167397

Memory Dump Source

Source File: 00000000.00000002.3343478380.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7160000_XWe8H4gRPb.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: b1a42297b1f0a166a7eef271b91a3fdfd5f168cd15119588a686670b21dbfcce
Instruction ID: ca8cdcf380f7a7182a3ded28afa7944ccab955815bc2680f6f260b9da24c0848
Opcode Fuzzy Hash: b1a42297b1f0a166a7eef271b91a3fdfd5f168cd15119588a686670b21dbfcce
Instruction Fuzzy Hash: 8E31E5B5D003099FDB10CF9AD984A9EFBF4FB48314F14842AE919A7350D774A950CFA0

Function 07165C40 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,071672E5,?,?), ref: 07167397

Memory Dump Source

Source File: 00000000.00000002.3343478380.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7160000_XWe8H4gRPb.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 8a146cefdab16b7190fe52c492333c2e4d1c998b6dc9b216436dc7ebaff60315
Instruction ID: b834796585682c93e62c7ac67861df40a481feff79346d92cefe6f9cd03f261b
Opcode Fuzzy Hash: 8a146cefdab16b7190fe52c492333c2e4d1c998b6dc9b216436dc7ebaff60315
Instruction Fuzzy Hash: 9231E4B59003099FDB10CF9AD884ADEFBF4FB48314F14842AE919A7350D774A550CFA0

Function 071672FF Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,071672E5,?,?), ref: 07167397

Memory Dump Source

Source File: 00000000.00000002.3343478380.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7160000_XWe8H4gRPb.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 17c67db18ab3760f43d5278da34379ae62ef80724a0ff5f97041c6293bf267b4
Instruction ID: 4b2c1d6bea1e385ef226f853723f26131a94d455851e78d10d0ba45a10658f19
Opcode Fuzzy Hash: 17c67db18ab3760f43d5278da34379ae62ef80724a0ff5f97041c6293bf267b4
Instruction Fuzzy Hash: 5221C2B590020A9FDB10CF9AD884ADEFBF5BB48224F14842AE919A7250D774A554CFA0

Function 072D08E0 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

GetClassInfoW.USER32(?,00000000), ref: 072D0964

Memory Dump Source

Source File: 00000000.00000002.3343680750.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_XWe8H4gRPb.jbxd

Similarity

API ID: ClassInfo
String ID:
API String ID: 3534257612-0
Opcode ID: b72fd2c0614b089bc3b38e6f5b035662d52dce3bdf8ae7633faa1c8e003daa0c
Instruction ID: f248dcdf4b0b8948a0e47b4de9e32e9aabc0f4eb547419bc72dbfe65db875ef5
Opcode Fuzzy Hash: b72fd2c0614b089bc3b38e6f5b035662d52dce3bdf8ae7633faa1c8e003daa0c
Instruction Fuzzy Hash: CA2128B2D0070A9FDB10CFAAC984ADEFBF5FF48720F14842AD458A3210D374AA44CB64

Function 02DD857C Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02DD8996,?,?,?,?,?), ref: 02DD8A57

Memory Dump Source

Source File: 00000000.00000002.3341035445.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2dd0000_XWe8H4gRPb.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c4ba7959457bb793b53cb6bc612991542b7e3e07b09dff5c13e583e1c64a9f00
Instruction ID: dd4b1a3688f11ffce3c400e549a77c34ccef0ae644fa044a9cbfc943b0075616
Opcode Fuzzy Hash: c4ba7959457bb793b53cb6bc612991542b7e3e07b09dff5c13e583e1c64a9f00
Instruction Fuzzy Hash: 902103B5900608DFDB10CF9AD984AEEBBF4FB48320F14846AE918A3310D374A950CFA4

Function 02DD89C8 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02DD8996,?,?,?,?,?), ref: 02DD8A57

Memory Dump Source

Source File: 00000000.00000002.3341035445.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2dd0000_XWe8H4gRPb.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7276599a7543f54c444aaa433675706eb117285a26fd30de20965a5f7b95b432
Instruction ID: 28926ab9b98e4e0e04451f33fe5b4ba3c4ee722b3000839324953e8d869dde7a
Opcode Fuzzy Hash: 7276599a7543f54c444aaa433675706eb117285a26fd30de20965a5f7b95b432
Instruction Fuzzy Hash: CF21E3B5900249DFDB10CFAAD984ADEBFF5FB48320F14845AE918A3310D378A950CFA5

Function 02DDA6A9 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

EnumThreadWindows.USER32(?,00000000,?,?,?,?,00000E20,?,?,02DDA690,03F561D0,030093B8), ref: 02DDA721

Memory Dump Source

Source File: 00000000.00000002.3341035445.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2dd0000_XWe8H4gRPb.jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: 82d2ea5d6082dadf434de66f43a312cbf1ac73d615806d7454ff75bb5e8f7fa2
Instruction ID: 5ba688eafa5b0cae98b15cea47559db38bbded26a50bac565236548744050fb6
Opcode Fuzzy Hash: 82d2ea5d6082dadf434de66f43a312cbf1ac73d615806d7454ff75bb5e8f7fa2
Instruction Fuzzy Hash: 3E2135B190064A9FDB10CF9AC844BEEFBF9FB88324F14842AD455A7350D778A944CFA1

Function 02DD8944 Relevance: 1.6, APIs: 1, Instructions: 62threadCOMMON

Download Yara Rule

APIs

EnumThreadWindows.USER32(?,00000000,?,?,?,?,00000E20,?,?,02DDA690,03F561D0,030093B8), ref: 02DDA721

Memory Dump Source

Source File: 00000000.00000002.3341035445.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2dd0000_XWe8H4gRPb.jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: f50057c8dd469c3f0289662d041de5b31947fbab774378f6b0aca78a0de1ddef
Instruction ID: 263394bca179bb87669cf4a8867a40b0cb4bca0b3b1725ebd4d6ed1e022b8058
Opcode Fuzzy Hash: f50057c8dd469c3f0289662d041de5b31947fbab774378f6b0aca78a0de1ddef
Instruction Fuzzy Hash: 022118759006499FDB10CF9AC884BEEFBF5EB88320F14842AD454A7350D778A944CFA5

Function 072DDF50 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,00000000,00000000,?,?,?,072DD85F,00000000,03F561D0,030093B8,00000000,?), ref: 072DDEED

Memory Dump Source

Source File: 00000000.00000002.3343680750.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_XWe8H4gRPb.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: c7f3d54bb66e4a10b4c8f60b31fe9217445a1a8f3a55c5b02e952c374b13e9ca
Instruction ID: c2efa1c2e38db39dcce80840c6c1e4dd65ec25b3a6499c57fb76b942f2d58aaf
Opcode Fuzzy Hash: c7f3d54bb66e4a10b4c8f60b31fe9217445a1a8f3a55c5b02e952c374b13e9ca
Instruction Fuzzy Hash: 6111E5B6A143599FDB14DBA9D8047DDBBB4EF88320F04803BE544E3251CB389855CBA1

Function 072D08E8 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetClassInfoW.USER32(?,00000000), ref: 072D0964

Memory Dump Source

Source File: 00000000.00000002.3343680750.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_XWe8H4gRPb.jbxd

Similarity

API ID: ClassInfo
String ID:
API String ID: 3534257612-0
Opcode ID: 14b9d0aba012def9a652c1d12bf5a756488c3108048a4b7859148bd8782a95c5
Instruction ID: 46bbe64d7bbfa03812829001bb4d8f646ffa583ab9cbe01d0f3c5e3ddcde200d
Opcode Fuzzy Hash: 14b9d0aba012def9a652c1d12bf5a756488c3108048a4b7859148bd8782a95c5
Instruction Fuzzy Hash: D92115B2D0174A9FDB20CF9AC984BDEFBF5FB48720F14842AD458A3250D374AA44CB64

Function 071672F8 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,071672E5,?,?), ref: 07167397

Memory Dump Source

Source File: 00000000.00000002.3343478380.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7160000_XWe8H4gRPb.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 7ae7a599139bcfbebfda00508772ec5f6481d6d250a025b69740efd082781354
Instruction ID: cd47c2864b84a213bedcd3b213d996d0e112287c191a0ac58c868492ad42630b
Opcode Fuzzy Hash: 7ae7a599139bcfbebfda00508772ec5f6481d6d250a025b69740efd082781354
Instruction Fuzzy Hash: 882134B690030ADFDB10CF99D884ADEBBF1BF48324F24841AE815A7350C774A951CF60

Function 02DD7400 Relevance: 1.6, APIs: 1, Instructions: 60windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(?,00000000,00000000,?,?,?,?,?,?,?,02DD7A75,?,?,?), ref: 02DDAABD

Memory Dump Source

Source File: 00000000.00000002.3341035445.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2dd0000_XWe8H4gRPb.jbxd

Similarity

API ID: Message
String ID:
API String ID: 2030045667-0
Opcode ID: 25074b72e3980aca67aa11e76c8f66525251362e11d5be35d7208ece236fde06
Instruction ID: 56510ee9590231fe09dc4c3256a2c9299ab35efedfbf7e81500b20d875eaa7cb
Opcode Fuzzy Hash: 25074b72e3980aca67aa11e76c8f66525251362e11d5be35d7208ece236fde06
Instruction Fuzzy Hash: 9C2104B69047099FDB10CF9AD984ADEFBB5FB48314F14852EE919A7300D3B5A944CBA0

Function 02DDAA3B Relevance: 1.6, APIs: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(?,00000000,00000000,?,?,?,?,?,?,?,02DD7A75,?,?,?), ref: 02DDAABD

Memory Dump Source

Source File: 00000000.00000002.3341035445.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2dd0000_XWe8H4gRPb.jbxd

Similarity

API ID: Message
String ID:
API String ID: 2030045667-0
Opcode ID: 7db23105e3f245c05ee43dcee1e998d18450adde1e32bf4f72e242cc2b960d1c
Instruction ID: bdcf619e6d83842640d7033b3b43e43a88c156861254985b7c4d0cebd3558607
Opcode Fuzzy Hash: 7db23105e3f245c05ee43dcee1e998d18450adde1e32bf4f72e242cc2b960d1c
Instruction Fuzzy Hash: 012113B680070A9FDB10CF9AD984ADEFBB5FB48314F14852EE419A7300C375A944CBA0

Function 072CEA30 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,00000000), ref: 072CEAA2

Memory Dump Source

Source File: 00000000.00000002.3343655712.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72c0000_XWe8H4gRPb.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: e38ca9efcdb95c7d4f1b00c6e819fd6ed9341088995677f0914a01de6e6070cf
Instruction ID: 69fd0f3cba5712a8e2ed8cfe13f7db8c0ef7e5a882805bfe69ab68af0f458bd6
Opcode Fuzzy Hash: e38ca9efcdb95c7d4f1b00c6e819fd6ed9341088995677f0914a01de6e6070cf
Instruction Fuzzy Hash: 9B2113B2C0024A8FDB14CF9AC544ADEFBF5FF88320F14842AD858A3240D378A545CFA1

Function 072DA778 Relevance: 1.6, APIs: 1, Instructions: 55windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,?,00000000,00000000,00000000,?,?,?,?,072DD7D2,00000000,00000000,03F561D0,030093B8), ref: 072DDC20

Memory Dump Source

Source File: 00000000.00000002.3343680750.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_XWe8H4gRPb.jbxd

Similarity

API ID: MessagePeek
String ID:
API String ID: 2222842502-0
Opcode ID: ccd46d1374222d73f7b46310d848d4279ba492d0fd73292c98c8ec3fbe444922
Instruction ID: 350d958e1a59650cdd9c6425ef12c8664fe7b2d45a51d942422eab28a80ddb42
Opcode Fuzzy Hash: ccd46d1374222d73f7b46310d848d4279ba492d0fd73292c98c8ec3fbe444922
Instruction Fuzzy Hash: 2A1117B59106499FDB10CF9AD584BDEFBF4FB48320F10842AE954A3241C3B8A944CFA5

Function 072DCEE8 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,00000000,00000000,?,?,?,072DD85F,00000000,03F561D0,030093B8,00000000,?), ref: 072DDEED

Memory Dump Source

Source File: 00000000.00000002.3343680750.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_XWe8H4gRPb.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: a2e78c7ebd9a48f015b08f6e7d75c09b0170c036a069939cf715e6d3eac1543e
Instruction ID: f1a09312f254104ff733dcb5bce71a9676188e2be1e382699eb65bb80c1110c0
Opcode Fuzzy Hash: a2e78c7ebd9a48f015b08f6e7d75c09b0170c036a069939cf715e6d3eac1543e
Instruction Fuzzy Hash: 0B11E7B19147499FDB10DF9AD584BDEFBF4EB58310F10842AE558A3240D378A944CFA5

Function 072DDBB2 Relevance: 1.6, APIs: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,?,00000000,00000000,00000000,?,?,?,?,072DD7D2,00000000,00000000,03F561D0,030093B8), ref: 072DDC20

Memory Dump Source

Source File: 00000000.00000002.3343680750.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_XWe8H4gRPb.jbxd

Similarity

API ID: MessagePeek
String ID:
API String ID: 2222842502-0
Opcode ID: 9e9e4137890e4e75ca192de5c4e9a2dda0d1e0907724c43d5897eab8cb7eb2bc
Instruction ID: 6ecd26f0cd5b268c4020a8239fccc783eeeb828d3284675c23b22b0e94da32b8
Opcode Fuzzy Hash: 9e9e4137890e4e75ca192de5c4e9a2dda0d1e0907724c43d5897eab8cb7eb2bc
Instruction Fuzzy Hash: 3E1114B6800649DFDB20CF9AD584BDEBBF4FB48320F10842AE558A7251C378A944CFA5

Function 072CEA38 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,00000000), ref: 072CEAA2

Memory Dump Source

Source File: 00000000.00000002.3343655712.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72c0000_XWe8H4gRPb.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: 67d5d5cbe4c59e3e9a91b313c92bcdecfb258343fc19b35ca3a2a8cf6061e087
Instruction ID: 5118bee52ec40e9d01716f626204ca9923377a1085ea75b054d2708785f86004
Opcode Fuzzy Hash: 67d5d5cbe4c59e3e9a91b313c92bcdecfb258343fc19b35ca3a2a8cf6061e087
Instruction Fuzzy Hash: 2C11C2B6C0064A8FDB14CF9AC544A9EBBF5AB88220F14842AD859A7640D778A545CFA1

Function 072DDE82 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,00000000,00000000,?,?,?,072DD85F,00000000,03F561D0,030093B8,00000000,?), ref: 072DDEED

Memory Dump Source

Source File: 00000000.00000002.3343680750.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_XWe8H4gRPb.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 484cb557de07a2cda9ec04799b7fc65bba54b04714f7a05d67a15ad2801401f8
Instruction ID: 43f0a6cd252020c3d9565af188798380b10c06ac9e4aec61764b864e9654399b
Opcode Fuzzy Hash: 484cb557de07a2cda9ec04799b7fc65bba54b04714f7a05d67a15ad2801401f8
Instruction Fuzzy Hash: 291126B590074A9FDB10CF9AD984BDEFBF4FB48310F14846AE458A3241C378A544CFA1

Function 072D7840 Relevance: 1.6, APIs: 1, Instructions: 52windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 072D78A5

Memory Dump Source

Source File: 00000000.00000002.3343680750.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_XWe8H4gRPb.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 503a005d4273caad3d890e862bd56179aea8807514cf09ffa2487d198c75a74a
Instruction ID: 86f9ed224b5603413bd75bb16009b9e1033db2059a3cc57a139e4210d959408f
Opcode Fuzzy Hash: 503a005d4273caad3d890e862bd56179aea8807514cf09ffa2487d198c75a74a
Instruction Fuzzy Hash: A21126B180034A9FDB10CF99C585BDEBFF4EF48320F148459D554A3241D378A544CFA1

Function 072DE34F Relevance: 1.6, APIs: 1, Instructions: 51windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,072DD917), ref: 072DE3BD

Memory Dump Source

Source File: 00000000.00000002.3343680750.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_XWe8H4gRPb.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 07c7abde367091dd00db8524cd3471958f02e2d33bf8beddb7f825374517d392
Instruction ID: 2049303203ead020d7eca8306ca95e534e78cfbc8ff989a61b2a9ff3d1206414
Opcode Fuzzy Hash: 07c7abde367091dd00db8524cd3471958f02e2d33bf8beddb7f825374517d392
Instruction Fuzzy Hash: C41129B5C087899FCB11CFAAD844ADEBFF0AF49210F1480AAD459E7652C3789545CFA1

Function 072D7848 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 072D78A5

Memory Dump Source

Source File: 00000000.00000002.3343680750.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_XWe8H4gRPb.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 4631d8d162b7526586baaa9aea9ce85c627fdcaa26155c0f9c625f6141c6da43
Instruction ID: ffa255d6b02c52908308c5a68b82bd341c21e27cb04c5d61480c9b7b6f999404
Opcode Fuzzy Hash: 4631d8d162b7526586baaa9aea9ce85c627fdcaa26155c0f9c625f6141c6da43
Instruction Fuzzy Hash: 7411F5B58003499FDB10CF9AC985BDEFBF8EB48324F148469E554A3650D378A944CFA5

Function 072DE358 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,072DD917), ref: 072DE3BD

Memory Dump Source

Source File: 00000000.00000002.3343680750.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_XWe8H4gRPb.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: c846ea618734c2639df5ec3bb3c3087c17f5c1a380c6903444faba32d8c127ab
Instruction ID: b208605efa47d7b000cf3c30974919e1d892684660f3dffd78eda202379c8f02
Opcode Fuzzy Hash: c846ea618734c2639df5ec3bb3c3087c17f5c1a380c6903444faba32d8c127ab
Instruction Fuzzy Hash: 0D1113B5C047499ECB20CF9AD584BDEFBF4AF48320F10846AD459A7751C3B8A545CFA1

Function 02DDAE51 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 02DDAEB5

Memory Dump Source

Source File: 00000000.00000002.3341035445.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2dd0000_XWe8H4gRPb.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 1cadebad1b5b4be29b10ab671f7ad91d189338cff004f494a52b58e02df917f0
Instruction ID: 6323e011079d234972fc47d4a10206d92d7ea2756b466300f31a3b4a3ecb9361
Opcode Fuzzy Hash: 1cadebad1b5b4be29b10ab671f7ad91d189338cff004f494a52b58e02df917f0
Instruction Fuzzy Hash: D91113B59007499FDB10CF99C984BDEBBF8EB48324F108459D558A3300D375A944CFA1

Function 071336EC Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,-00000014,?), ref: 071355F5

Memory Dump Source

Source File: 00000000.00000002.3343432039.0000000007130000.00000040.00000800.00020000.00000000.sdmp, Offset: 07130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7130000_XWe8H4gRPb.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 92d5fccdd96b47dc840fd2be4bcdc28b1e2f774d38abe8626c2fba4d39acf875
Instruction ID: ba5c05d125fc52676d016c97ade96462e78797887aa494d22e11b770a5bb225e
Opcode Fuzzy Hash: 92d5fccdd96b47dc840fd2be4bcdc28b1e2f774d38abe8626c2fba4d39acf875
Instruction Fuzzy Hash: D41125B5800349DFDB20CF99D584BDEBBF8EB48720F10841AE918A7340C3B4A954CFA1

Function 072DCF1C Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,072DD917), ref: 072DE3BD

Memory Dump Source

Source File: 00000000.00000002.3343680750.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_XWe8H4gRPb.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: d6305d9cbd602eb05c92ef25b4be37d4c917b4c8296e27e87037639a8b3da802
Instruction ID: 9afbb58209fd11aa71fc29e4e1ae114645ba03f9bcd921d1cdf384f2a7242cb6
Opcode Fuzzy Hash: d6305d9cbd602eb05c92ef25b4be37d4c917b4c8296e27e87037639a8b3da802
Instruction Fuzzy Hash: 9A1102B5C046498FCB20DF9AD444BAEBBF4EB48210F108469E519A7200D3B8A940CFA5

Function 072D0E93 Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 072D0EF5

Memory Dump Source

Source File: 00000000.00000002.3343680750.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_XWe8H4gRPb.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 9ddb40e8eb0e5390067fb4e94602278cd7caeb5b28098debeea94320a9927bb5
Instruction ID: a41a33b41ea7545c7281ba246aaa97adb34cc1b1a242a7200053643ef1b3d6b0
Opcode Fuzzy Hash: 9ddb40e8eb0e5390067fb4e94602278cd7caeb5b28098debeea94320a9927bb5
Instruction Fuzzy Hash: 9211F2B58003499FDB20CF99C585BDEBBF8EB48320F20845AD958A7610C375A944CFA1

Function 072D0E98 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 072D0EF5

Memory Dump Source

Source File: 00000000.00000002.3343680750.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_XWe8H4gRPb.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 762458827db6c9930a72d46d4468747eb3482b1c20c2c41a544371a996428a7d
Instruction ID: 687277d3ba3c012478e886167d15f2907fa3ce3683503f76abd1847a2619f497
Opcode Fuzzy Hash: 762458827db6c9930a72d46d4468747eb3482b1c20c2c41a544371a996428a7d
Instruction Fuzzy Hash: BB11C2B58003499FDB20CF9AC585BDEBBF8EB48324F208459D558A7650C375A944CFA5

Function 0895985A Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

DispatchMessageA.USER32 ref: 089598BD

Memory Dump Source

Source File: 00000000.00000002.3343869907.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8950000_XWe8H4gRPb.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 38e4416a08a7a4cb6741a483768709c837417b0688fb2c462e3cdbfcd907d7ef
Instruction ID: 5557a64fb0dbf12d9e3607f08b16195c58631ad383f03f51ee06577eb9d6d981
Opcode Fuzzy Hash: 38e4416a08a7a4cb6741a483768709c837417b0688fb2c462e3cdbfcd907d7ef
Instruction Fuzzy Hash: 9B111DB1C007498FDB20DF9AE444B8EBBF4EB48324F10846AD919A7210D378A544CFA5

Function 02DDAE58 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 02DDAEB5

Memory Dump Source

Source File: 00000000.00000002.3341035445.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2dd0000_XWe8H4gRPb.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 928b3432f0d55f66be5e83d0043791e960274ba6a2c17d2482f782d1b24a3741
Instruction ID: 992c4d0b0419be3336bb2c589875eac003fa29b76ba9af9ffc42c4e390507134
Opcode Fuzzy Hash: 928b3432f0d55f66be5e83d0043791e960274ba6a2c17d2482f782d1b24a3741
Instruction Fuzzy Hash: 8511C2B59007499FDB20CF9AC985BDEBBF8EB48324F10845AD558A7700C375A954CFA1

Function 08959860 Relevance: 1.5, APIs: 1, Instructions: 43windowCOMMON

Download Yara Rule

APIs

DispatchMessageA.USER32 ref: 089598BD

Memory Dump Source

Source File: 00000000.00000002.3343869907.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8950000_XWe8H4gRPb.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 7070d2442486d98df717abb4d16de7bc3f1b5ed4389be8fbdd3e10aa992bd1f4
Instruction ID: a039a9c8b1e7bf7924b3241a1ccf126f3c8bb3369c7f461ea022f92164598fae
Opcode Fuzzy Hash: 7070d2442486d98df717abb4d16de7bc3f1b5ed4389be8fbdd3e10aa992bd1f4
Instruction Fuzzy Hash: 7C11FBB1C00749CFDB20DF9AE584B8EFBF8EB48324F10842AD919A3200D378A544CFA5

Function 072DDF32 Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,00000000,00000000,?,?,?,072DD85F,00000000,03F561D0,030093B8,00000000,?), ref: 072DDEED

Memory Dump Source

Source File: 00000000.00000002.3343680750.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72d0000_XWe8H4gRPb.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 26317dd9082eddd043e9d9c8b690fff79e8f54682513ffa1242cbf3e39a72e79
Instruction ID: 8744c2698c904cac2fa4858f6ebd2b88428d04de8ad67e50b32fb9a441bb4f97
Opcode Fuzzy Hash: 26317dd9082eddd043e9d9c8b690fff79e8f54682513ffa1242cbf3e39a72e79
Instruction Fuzzy Hash: 3D01F4B292478A8EDB119BA9D8043EDFFF49F59224F14848BD04497192C37C4949CF62

Function 0128D4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3340256989.000000000128D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0128D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_128d000_XWe8H4gRPb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b9b621ed6d8330e287deaa87a9ff16b0f90c70d22b4b5fe51293d6641f7e61d
Instruction ID: b8031ee13c2e180a89571756b95d071ff8863fc88726100ea8cb30241be67f96
Opcode Fuzzy Hash: 9b9b621ed6d8330e287deaa87a9ff16b0f90c70d22b4b5fe51293d6641f7e61d
Instruction Fuzzy Hash: 52213871514209DFDB15EF48E5C0B26BF61FB84314F20C16DDA090A2D6C37AD419CAB1

Function 014DD2E8 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3340766952.00000000014DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14dd000_XWe8H4gRPb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6444b7402089661802b2f8e30bf68962e6e54e6bf991bc92577984a70d1361c8
Instruction ID: 70901dd16c7c17be9549947fda20da52475b469342e5e3ca77c00e910c8b37d3
Opcode Fuzzy Hash: 6444b7402089661802b2f8e30bf68962e6e54e6bf991bc92577984a70d1361c8
Instruction Fuzzy Hash: 852134B5A04300EFDF05CF94D9D0B26BBA5FB84314F20C56ED9094B3A6CB76D446CAA1

Function 014DD130 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3340766952.00000000014DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14dd000_XWe8H4gRPb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 605038a8a55faaa6d3b5fd61d69fcb0b42043dcf5294f5b80b983c2655976fe3
Instruction ID: 8f9e30e0982a2687aab020676c9d16cb0d9a65c070ffb9c239ffa0a0c2c879b4
Opcode Fuzzy Hash: 605038a8a55faaa6d3b5fd61d69fcb0b42043dcf5294f5b80b983c2655976fe3
Instruction Fuzzy Hash: B4213775A04204EFDF05DFA4D9D0B2ABB61FB84314F24C56ED90A0B3A2C376D446CA61

Function 0128D49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3340256989.000000000128D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0128D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_128d000_XWe8H4gRPb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction ID: 6f2bf1b4b2146e8dbf93eae91b4b46e063f2f96e6b88c39fde8ba3c3586e9c54
Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction Fuzzy Hash: D51103B6404284CFCB12DF44D5C0B16BF72FB84324F24C1AAD9090B2A7C33AD45ACBA2

Function 014DD12B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3340766952.00000000014DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14dd000_XWe8H4gRPb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: a9f416e04b9a93c51cc33a4647124e94009bc6800ee4f2041d5753b674672f5c
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: 1811BE75904284CFDB06CF64D5D4B1ABF61FB44314F24C6AAD8494B7A6C33AD44ACB51

Function 014DD2E3 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3340766952.00000000014DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14dd000_XWe8H4gRPb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: 3b819374078509913b54556a768f47b8e0a0035056f83687c648401abcc73050
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: 4011DD75904280CFCB02CF54D5D4B1ABFA1FB84314F28C6AAD8094B7A7C33AD45ACBA1

Function 0128D785 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3340256989.000000000128D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0128D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_128d000_XWe8H4gRPb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc50980f6bebec272cd19c7b9f7bb8776e0da0721b700fe3094416116ec7a425
Instruction ID: 45b3b4301c23daf9b9afe7c07a2dd038134cbdafe828d5097173b142aefdf052
Opcode Fuzzy Hash: bc50980f6bebec272cd19c7b9f7bb8776e0da0721b700fe3094416116ec7a425
Instruction Fuzzy Hash: A101F7710163C89AF7247EA9CD84B26BF98EF41624F08C45AEF085A1C6C6B89444C671

Function 0128D784 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3340256989.000000000128D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0128D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_128d000_XWe8H4gRPb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d880dee8d7abc6cccd59cab89fe2c4c0719669a5ed1d6fcb360cfe960b75a3ae
Instruction ID: 34e0b431360e8323d9406dc5b547665878dfc716ff7be3c7e0d6f25d83d18352
Opcode Fuzzy Hash: d880dee8d7abc6cccd59cab89fe2c4c0719669a5ed1d6fcb360cfe960b75a3ae
Instruction Fuzzy Hash: F3F0F6724053889EE7249E5ACDC4B62FFA8EB81634F18C05AEE084F2C7C3789844CB71

Non-executed Functions

Function 02DD9498 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3341035445.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2dd0000_XWe8H4gRPb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aa0f143ffe291e45f700d072865feca64f505b527feb6ccd758de277c4690a9
Instruction ID: 8c187b760f6aae1f65e5d03542616de828149fa9304a0e804ba0ccf453b3a545
Opcode Fuzzy Hash: 2aa0f143ffe291e45f700d072865feca64f505b527feb6ccd758de277c4690a9
Instruction Fuzzy Hash: B712A5B05227458BF759DF25E84E1C9BFB6B781318F908709E2616B2E1EFB4114ACF44

Function 07133454 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3343432039.0000000007130000.00000040.00000800.00020000.00000000.sdmp, Offset: 07130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7130000_XWe8H4gRPb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09abe8ce172e36632b944dc1221dd917022817751ebc4ba08b6bb2cdd56a6505
Instruction ID: 886ab4ec91769c6f0f0841e8cb83aa20a9e95611daebdd7e2c26427453af200d
Opcode Fuzzy Hash: 09abe8ce172e36632b944dc1221dd917022817751ebc4ba08b6bb2cdd56a6505
Instruction Fuzzy Hash: 00A18272E1021ACFCF0ADFB4C8445DEBBB2FF84300B15856AE815AB295DB75E945CB44

Function 02DD948B Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3341035445.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2dd0000_XWe8H4gRPb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8417400c42289a84311591be923d622a1d05ce7974009931faa17f4c2b64ca79
Instruction ID: bb83e0b8b2a88b5fb6a1355a8785ba8445e236c4e6a0bc69322c883a422c165a
Opcode Fuzzy Hash: 8417400c42289a84311591be923d622a1d05ce7974009931faa17f4c2b64ca79
Instruction Fuzzy Hash: 98C127B05227458BF759DF28E84E1C9BFB6BB85324F508709E2616B2E1EFB4144ACF44

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report XWe8H4gRPb.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Windows Analysis Report
XWe8H4gRPb.exe

Function 0713AD8A Relevance: 31.4, Strings: 24, Instructions: 1413
COMMON

Function 0713AD98 Relevance: 31.4, Strings: 24, Instructions: 1408
COMMON

Function 08952908 Relevance: 1.9, Strings: 1, Instructions: 693
COMMON

Function 089528F8 Relevance: 1.7, Strings: 1, Instructions: 454
COMMON

Function 07130040 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Function 07168620 Relevance: 1.7, APIs: 1, Instructions: 168
COMMON

Function 07135347 Relevance: 1.6, APIs: 1, Instructions: 117
COMMON

Function 071336B0 Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Function 072DE3E8 Relevance: 1.6, APIs: 1, Instructions: 101
windowCOMMON

Function 02DDB494 Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Function 07133804 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Function 02DDA32C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 07165C48 Relevance: 1.6, APIs: 1, Instructions: 77
COMMON

Function 0713555B Relevance: 1.6, APIs: 1, Instructions: 77
COMMON