
Windows Analysis Report
remover.exe

Overview

General Information

Sample name: remover.exe
Analysis ID: 1643247
MD5: 832e3ac5462158c38460b0f7e4496b18
SHA1: e609c94be05236b2e204eede3c19557607c63a9c
SHA256: 98f65823ee47007d5c436c7615cca74b6aaef450f438b2464b5c3a6b9faeaf01
Tags: exe, user-cuddly59539083

Detection

Score: 80
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Contains functionality to capture screen (.Net source)
Contains functionality to log keystrokes (.Net Source)
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops certificate files (DER)
Enables debug privileges
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May check the online IP address of the machine
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

Classification chart (axes: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious)
  • System is w10x64
  • remover.exe (PID: 7800 cmdline: "C:\Users\user\Desktop\remover.exe" MD5: 832E3AC5462158C38460B0F7E4496B18)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: remover.exe | Avira: detected
Source: remover.exe | Virustotal: Detection: 32%
Source: remover.exe | ReversingLabs: Detection: 30%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.6% probability
Source: remover.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Downloads\SharpDX-3.1.0\SharpDX-3.1.0\Source\NET35\SharpDX\bin\Release\SharpDX.pdb source: remover.exe, SharpDX.dll.0.dr
Source: Binary string: D:\Downloads\SharpDX-3.1.0\SharpDX-3.1.0\Source\NET35\SharpDX.DXGI\bin\Release\SharpDX.DXGI.pdb8 source: remover.exe, SharpDX.DXGI.dll.0.dr
Source: Binary string: D:\Downloads\SharpDX-3.1.0\SharpDX-3.1.0\Source\NET35\SharpDX.DXGI\bin\Release\SharpDX.DXGI.pdb source: remover.exe, SharpDX.DXGI.dll.0.dr
Source: Binary string: D:\Downloads\desktop-duplication-net-master\desktop-duplication-net-master\libs\SharpDX.Direct3D11.pdb source: remover.exe, SharpDX.Direct3D11.dll.0.dr
Source: Binary string: D:\Downloads\desktop-duplication-net-master\desktop-duplication-net-master\libs\SharpDX.Direct3D11.pdb T source: remover.exe, SharpDX.Direct3D11.dll.0.dr
Source: global traffic | TCP traffic: 192.168.2.4:49719 -> 147.185.221.27:4305
Source: global traffic | HTTP traffic detected: GET /xml/?fields=countryCode,query HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: unknown | DNS query: name: ip-api.com
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: then-amanda.gl.at.ply.gg
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: remover.exe | String found in binary or memory: http://ip-api.com/xml/?fields=countryCode
Source: remover.exe, 00000000.00000002.3610786669.0000015780001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: remover.exe, 00000000.00000002.3610786669.0000015780001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/VT.Control.Client.Classes
Source: remover.exe, 00000000.00000002.3610786669.0000015780061000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: remover.exe, Display.cs | .Net Code: Capture
Source: remover.exe, KeyLoggerService.cs | .Net Code: KeyboardLayout
Source: C:\Users\user\Desktop\remover.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\remover.exe
Source: C:\Users\user\Desktop\remover.exe | File created: C:\Users\user\AppData\Local\Temp\TmpAB93.tmp
Source: C:\Users\user\Desktop\remover.exe | File created: C:\Users\user\AppData\Local\Temp\TmpABA4.tmp
Source: C:\Users\user\Desktop\remover.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\remover.exe | Code function: 0_2_00007FFC3DC8E502
Source: C:\Users\user\Desktop\remover.exe | Code function: 0_2_00007FFC3DC8D756
Source: C:\Users\user\Desktop\remover.exe | Code function: 0_2_00007FFC3DC8A15D
Source: C:\Users\user\Desktop\remover.exe | Code function: 0_2_00007FFC3DC8BF2D
Source: remover.exe, 00000000.00000000.1166940743.00000157EF082000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameSharpDX.dll0 vs remover.exe
Source: remover.exe, 00000000.00000000.1166940743.00000157EF082000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameSharpDX.DXGI.dll: vs remover.exe
Source: remover.exe, 00000000.00000000.1166940743.00000157EF082000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameSharpDX.Direct3D11.dllF vs remover.exe
Source: remover.exe, 00000000.00000000.1166940743.00000157EF082000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameVT Control Client.exeD vs remover.exe
Source: remover.exe, 00000000.00000002.3612240372.000001579000B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSharpDX.dll0 vs remover.exe
Source: remover.exe, 00000000.00000002.3612240372.000001579000B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSharpDX.Direct3D11.dllF vs remover.exe
Source: remover.exe, 00000000.00000002.3612240372.000001579000B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSharpDX.DXGI.dll: vs remover.exe
Source: remover.exe | Binary or memory string: OriginalFilenameSharpDX.dll0 vs remover.exe
Source: remover.exe | Binary or memory string: OriginalFilenameSharpDX.DXGI.dll: vs remover.exe
Source: remover.exe | Binary or memory string: OriginalFilenameSharpDX.Direct3D11.dllF vs remover.exe
Source: remover.exe | Binary or memory string: OriginalFilenameVT Control Client.exeD vs remover.exe
Source: remover.exe, HiddenVNCService.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: remover.exe, HiddenVNCService.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: remover.exe, Terminal.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: remover.exe, Terminal.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: remover.exe, ClientManagement.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: remover.exe, ClientManagement.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal80.spyw.evad.winEXE@1/5@2/2
Source: C:\Users\user\Desktop\remover.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\remover.exe | Mutant created: \Sessions\1\BaseNamedObjects\VT_Control_Thread_EZTKoffHHnTqEEfcBR4zCVFC
Source: remover.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: remover.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\remover.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: remover.exe | String found in binary or memory: $43bebd4e-add5-4035-8f85-5608d08e9dc9
Source: remover.exe | String found in binary or memory: IF294ACFC-3146-4483-A7BF-ADDCA7C260E2
Source: remover.exe | String found in binary or memory: {0:0.##} {1}!/load-hidden-vnc
Source: remover.exe | String found in binary or memory: )/load-remote-desktop
Source: remover.exe | String found in binary or memory: '/load-remote-camera
Source: remover.exe | String found in binary or memory: !/load-microphone
Source: remover.exe | String found in binary or memory: %/load-task-manager
Source: remover.exe | String found in binary or memory: #/load-connections
Source: remover.exe | String found in binary or memory: %/load-file-manager
Source: remover.exe | String found in binary or memory: #/load-information
Source: remover.exe | String found in binary or memory: )/load-active-windows
Source: remover.exe | String found in binary or memory: %/load-net-compiler
Source: remover.exe | String found in binary or memory: /load-keylogger
Source: remover.exe | String found in binary or memory: /load-clipboard
Source: remover.exe | String found in binary or memory: /load-services
Source: remover.exe | String found in binary or memory: +/load-registry-editor
Source: remover.exe | String found in binary or memory: !/load-downloader
Source: remover.exe | String found in binary or memory: /load-terminal
Source: remover.exe | String found in binary or memory: '/load-audio-capture
Source: remover.exe | String found in binary or memory: /load-plugin
Source: remover.exe | String found in binary or memory: /stop-service
Source: remover.exe | String found in binary or memory: /stop-capturing
Source: remover.exe | String found in binary or memory: /load-file-text
Source: remover.exe | String found in binary or memory: $F294ACFC-3146-4483-A7BF-ADDCA7C260E2
Source: remover.exe | String found in binary or memory: $F294ACFC-3146-4483-A7BF-ADDCA7C260E2)
Source: C:\Users\user\Desktop\remover.exe | Sections loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, msasn1.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, esdsip.dll, ncrypt.dll, ntasn1.dll, ncryptprov.dll, mswsock.dll, dnsapi.dll, iphlpapi.dll, rasadhlp.dll, fwpuclnt.dll, secur32.dll, sspicli.dll, schannel.dll, mskeyprotect.dll, ncryptsslp.dll, gpapi.dll, uxtheme.dll, wbemcomn.dll, amsi.dll, userenv.dll, rasapi32.dll, rasman.dll, rtutils.dll, winhttp.dll, ondemandconnroutehelper.dll, dhcpcsvc6.dll, dhcpcsvc.dll, winnsi.dll
Source: C:\Users\user\Desktop\remover.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\remover.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: remover.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: remover.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: remover.exe | Static file information: File size 1352192 > 1048576
Source: remover.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x149800

Data Obfuscation

Source: remover.exe, PluginLoader.cs | .Net Code: Load System.Reflection.Assembly.Load(byte[])
Source: remover.exe, PluginLoader.cs | .Net Code: Load
Source: remover.exe, Compiler.cs | .Net Code: Compile
Source: remover.exe | Static PE information: 0x8AFAAF06 [Sat Nov 21 02:10:14 2043 UTC]
Source: C:\Users\user\Desktop\remover.exe | Code function: 0_2_00007FFC3DC88118 push ebx; ret 0_2_00007FFC3DC8816A
Source: C:\Users\user\Desktop\remover.exe | Code function: 0_2_00007FFC3DC87C5E push eax; retf 0_2_00007FFC3DC87C6D
Source: C:\Users\user\Desktop\remover.exe | Code function: 0_2_00007FFC3DC87C2E pushad ; retf 0_2_00007FFC3DC87C5D
Source: C:\Users\user\Desktop\remover.exe | Code function: 0_2_00007FFC3DC88F6A push ds; ret 0_2_00007FFC3DC891F7
Source: C:\Users\user\Desktop\remover.exe | File created: C:\Users\user\AppData\Local\Temp\SharpDX.Direct3D11.dll
Source: C:\Users\user\Desktop\remover.exe | File created: C:\Users\user\AppData\Local\Temp\SharpDX.DXGI.dll
Source: C:\Users\user\Desktop\remover.exe | File created: C:\Users\user\AppData\Local\Temp\SharpDX.dll
Source: C:\Users\user\Desktop\remover.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Source: C:\Users\user\Desktop\remover.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\remover.exe | Memory allocated: 157EF410000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\remover.exe | Memory allocated: 157F0E60000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\remover.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\SharpDX.Direct3D11.dll
Source: C:\Users\user\Desktop\remover.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\SharpDX.DXGI.dll
Source: C:\Users\user\Desktop\remover.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\SharpDX.dll
Source: remover.exe, SharpDX.dll.0.dr | Binary or memory string: ClusterResourceIsReplicaVirtualMachine
Source: remover.exe, 00000000.00000002.3613773231.00000157F1630000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\remover.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\remover.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: remover.exe, KeyLoggerService.cs | Reference to suspicious API methods: MapVirtualKey(vkCode, 0u)
Source: remover.exe, AcmDriver.cs | Reference to suspicious API methods: NativeMethods.LoadLibrary(driverFile)
Source: remover.exe, AcmDriver.cs | Reference to suspicious API methods: NativeMethods.GetProcAddress(intPtr, "DriverProc")
Source: C:\Users\user\Desktop\remover.exe | Queries volume information: C:\Users\user\Desktop\remover.exe VolumeInformation
Source: C:\Users\user\Desktop\remover.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\Desktop\remover.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\Desktop\remover.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

MITRE ATT&CK Matrix (one line per tactic; the numbers in brackets are the counts shown in the report's matrix)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Command and Scripting Interpreter (2); Native API (1); At; Cron; Launchd; Scheduled Task
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Virtualization/Sandbox Evasion (1); Disable or Modify Tools (1); Obfuscated Files or Information (1); Software Packing (1); Timestomp (1); DLL Side-Loading (1)
Credential Access: Input Capture (21); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Query Registry (1); Security Software Discovery (1); Virtualization/Sandbox Evasion (1); System Network Configuration Discovery (1); System Information Discovery (12); Wi-Fi Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Screen Capture (1); Input Capture (21); Archive Collected Data (1); Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel (1); Non-Standard Port (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (2); Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Behavior Graph (ID: 1643247, sample: remover.exe, start date: 19/03/2025, architecture: WINDOWS, score: 80). Process: remover.exe (started). DNS/IP: ip-api.com, 208.95.112.1, ports 49720, 80, TUT-ASUS, United States; then-amanda.gl.at.ply.gg, 147.185.221.27, ports 4305, 49719, SALSGIVERUS, United States. Dropped files: C:\Users\user\AppData\Local\...\SharpDX.dll (PE32); C:\Users\user\...\SharpDX.Direct3D11.dll (PE32); C:\Users\user\AppData\...\SharpDX.DXGI.dll (PE32). Signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; .NET source code contains potential unpacker; 4 other signatures; Installs a global keyboard hook.

Source | Detection | Scanner | Label
remover.exe | 33% | Virustotal |
remover.exe | 31% | ReversingLabs | ByteCode-MSIL.Trojan.Zilla
remover.exe | 100% | Avira | TR/Dropper.Gen

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\SharpDX.DXGI.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\SharpDX.Direct3D11.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\SharpDX.dll | 0% | ReversingLabs |

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label
http://schemas.datacontract.org/2004/07/VT.Control.Client.Classes | 0% | Avira URL Cloud | safe


Name | IP | Active | Malicious | Antivirus Detection | Reputation
then-amanda.gl.at.ply.gg | 147.185.221.27 | true | false | | unknown
ip-api.com | 208.95.112.1 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
http://ip-api.com/xml/?fields=countryCode,query | false | | high

Name | Source | Malicious | Antivirus Detection | Reputation
http://ip-api.com/xml/?fields=countryCode | remover.exe | false | | high
http://schemas.datacontract.org/2004/07/ | remover.exe, 00000000.00000002.3610786669.0000015780001000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | remover.exe, 00000000.00000002.3610786669.0000015780061000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.datacontract.org/2004/07/VT.Control.Client.Classes | remover.exe, 00000000.00000002.3610786669.0000015780001000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
147.185.221.27 | then-amanda.gl.at.ply.gg | United States | 12087 | SALSGIVERUS | false
              Joe Sandbox version:42.0.0 Malachite
              Analysis ID:1643247
              Start date and time:2025-03-19 17:15:16 +01:00
              Joe Sandbox product:CloudBasic
              Overall analysis duration:0h 8m 22s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
              Number of analysed new started processes analysed:12
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample name:remover.exe
              Detection:MAL
              Classification:mal80.spyw.evad.winEXE@1/5@2/2
              EGA Information:
              • Successful, ratio: 100%
              HCA Information:
              • Successful, ratio: 100%
              • Number of executed functions: 4
              • Number of non-executed functions: 2
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Override analysis time to 240s for sample files taking high CPU consumption
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
              • Excluded IPs from analysis (whitelisted): 23.60.203.209, 4.245.163.56
              • Excluded domains from analysis (whitelisted): a-ring-fallback.msedge.net, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              • Report size getting too big, too many NtReadVirtualMemory calls found.
              No simulations
Match: 208.95.112.1 (IP)
Associated Sample Name / URL  Detection  Threat Name  Context
doc20250319-00712.bat.exe  malicious  AgentTesla, GuLoader  ip-api.com/line/?fields=hosting
IMG79287555883457729.jpg.exe  malicious  GuLoader  ip-api.com/line/?fields=hosting
IMG79287555883457729.jpg.exe  malicious  GuLoader  ip-api.com/line/?fields=hosting
MUKK.ps1  malicious  AgentTesla  ip-api.com/line/?fields=hosting
believe.ps1  malicious  AgentTesla  ip-api.com/line/?fields=hosting
VIK.ps1.vir.txt.ps1  malicious  AgentTesla  ip-api.com/line/?fields=hosting
devil.ps1.vir.txt.ps1  malicious  AgentTesla  ip-api.com/line/?fields=hosting
money.ps1.txt.ps1  malicious  AgentTesla  ip-api.com/line/?fields=hosting
roblox.exe.bin.exe  malicious  Python Stealer, Blank Grabber  ip-api.com/json/?fields=225545
rostestcheat.exe.bin.exe  malicious  Python Stealer, Blank Grabber  ip-api.com/json/?fields=225545
Match: ip-api.com (domain)
Associated Sample Name / URL  Detection  Threat Name  Context
doc20250319-00712.bat.exe  malicious  AgentTesla, GuLoader  208.95.112.1
IMG79287555883457729.jpg.exe  malicious  GuLoader  208.95.112.1
IMG79287555883457729.jpg.exe  malicious  GuLoader  208.95.112.1
MUKK.ps1  malicious  AgentTesla  208.95.112.1
believe.ps1  malicious  AgentTesla  208.95.112.1
VIK.ps1.vir.txt.ps1  malicious  AgentTesla  208.95.112.1
devil.ps1.vir.txt.ps1  malicious  AgentTesla  208.95.112.1
money.ps1.txt.ps1  malicious  AgentTesla  208.95.112.1
roblox.exe.bin.exe  malicious  Python Stealer, Blank Grabber  208.95.112.1
rostestcheat.exe.bin.exe  malicious  Python Stealer, Blank Grabber  208.95.112.1
Match: SALSGIVERUS (ASN)
Associated Sample Name / URL  Detection  Threat Name  Context
45.exe.bin.exe  malicious  Njrat  147.185.221.26
hoho.m68k.elf  malicious  Unknown  147.168.203.72
FortVIP.bat  malicious  Unknown  147.185.221.22
sryxen-built.exe  malicious  Unknown  147.185.221.26
XWCTtOuD5e.exe  malicious  Python Stealer, Exela Stealer, Njrat  147.185.221.26
Planck Scale Lantern.exe  malicious  PureLog Stealer, XWorm, zgRAT  147.185.221.17
Installer.exe  malicious  XWorm  147.185.221.26
ExLoader_Installer.exe  malicious  Python Stealer, Blank Grabber, Umbral Stealer, XWorm  147.185.221.26
MEMESENSE.exe  malicious  XWorm  147.185.221.25
Output.exe  malicious  XWorm  147.185.221.26
Match: TUT-ASUS (ASN)
Associated Sample Name / URL  Detection  Threat Name  Context
doc20250319-00712.bat.exe  malicious  AgentTesla, GuLoader  208.95.112.1
IMG79287555883457729.jpg.exe  malicious  GuLoader  208.95.112.1
IMG79287555883457729.jpg.exe  malicious  GuLoader  208.95.112.1
MUKK.ps1  malicious  AgentTesla  208.95.112.1
believe.ps1  malicious  AgentTesla  208.95.112.1
VIK.ps1.vir.txt.ps1  malicious  AgentTesla  208.95.112.1
devil.ps1.vir.txt.ps1  malicious  AgentTesla  208.95.112.1
money.ps1.txt.ps1  malicious  AgentTesla  208.95.112.1
roblox.exe.bin.exe  malicious  Python Stealer, Blank Grabber  208.95.112.1
rostestcheat.exe.bin.exe  malicious  Python Stealer, Blank Grabber  208.95.112.1
              No context
Match: C:\Users\user\AppData\Local\Temp\SharpDX.DXGI.dll (dropped file)
Associated Sample Name / URL  Detection  Threat Name
Activator.exe  malicious  Unknown
MSBuild.exe  malicious  Unknown
MSBuild.exe  malicious  Unknown
CheatHubLauncher.exe  malicious  Orcus
Abboba.exe  malicious  Orcus
Match: C:\Users\user\AppData\Local\Temp\SharpDX.Direct3D11.dll (dropped file)
Associated Sample Name / URL  Detection  Threat Name
Activator.exe  malicious  Unknown
MSBuild.exe  malicious  Unknown
MSBuild.exe  malicious  Unknown
CheatHubLauncher.exe  malicious  Orcus
Abboba.exe  malicious  Orcus
                                  Process:C:\Users\user\Desktop\remover.exe
                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Category:dropped
                                  Size (bytes):128512
                                  Entropy (8bit):5.974873724347634
                                  Encrypted:false
                                  SSDEEP:1536:taSL4xpOaI0PXSgMkPXsHIrPQkrNCivO5Ib6VU3x8w85SMxcnqNojG5JW/UlibAs:taSLYpfI0fTtP8HIbQkreK
                                  MD5:2B44C70C49B70D797FBB748158B5D9BB
                                  SHA1:93E00E6527E461C45C7868D14CF05C007E478081
                                  SHA-256:3762D43C83AF69CD38C9341A927CA6BD00F6BAE8217C874D693047D6DF4705BF
                                  SHA-512:FACED62F6ECBFA2EE0D7A47E300302D23030D1F28758CBE9C442E9D8D4F8359C59088AA6237A28103E43D248C8EFC7EEAF2C184028701B752DF6CCE92D6854D0
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: Activator.exe, Detection: malicious
• Filename: MSBuild.exe, Detection: malicious
• Filename: MSBuild.exe, Detection: malicious
• Filename: CheatHubLauncher.exe, Detection: malicious
• Filename: Abboba.exe, Detection: malicious
                                  Reputation:low
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...".EX...........!................^.... ........@.. .......................`............@.....................................K.... .......................@......|................................................ ............... ..H............text...d.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................@.......H........y..............................................................(....*..0..8.......s.......o......(....~*...(....(....-..,...o....+..o....*.0..............(....*...0................(......(....*.J......(.....(....*..0............(.....(.......(....*...0..............(.......(.....*..0..-.............(....~*...(....(....-..,..o......X.+..*..."..($...*...Z.~....(....-..s....*.*..0.............(.....*...0..E.......~......{.........{....M........ZXM)....(......~....(....
                                  Process:C:\Users\user\Desktop\remover.exe
                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Category:dropped
                                  Size (bytes):278016
                                  Entropy (8bit):5.936561200969171
                                  Encrypted:false
                                  SSDEEP:3072:6ccUvNf/AThDrcfiSDt0XN3ZDoyz91Sy0KwbwgG5OHDyGQsnHZ09K3vJqlQ1VcTS:zRfi+SmNgOHDyGQsucvJqW6Ts4dDjJZ
                                  MD5:98EB5BA5871ACDEAEBF3A3B0F64BE449
                                  SHA1:C965284F60EF789B00B10B3DF60EE682B4497DE3
                                  SHA-256:D7617D926648849CBFEF450B8F48E458EE52E2793FB2251A30094B778AA8848C
                                  SHA-512:A60025E304713D333E4B82B2D0BE28087950688B049C98D2DB5910C00B8D45B92E16D25AC8A58FF1318DE019DE3A9A00C7CBF8A6AD4B5BB1CB175DAFA1B9BEA2
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: Activator.exe, Detection: malicious
• Filename: MSBuild.exe, Detection: malicious
• Filename: MSBuild.exe, Detection: malicious
• Filename: CheatHubLauncher.exe, Detection: malicious
• Filename: Abboba.exe, Detection: malicious
                                  Reputation:low
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....EX...........!.....6..........NT... ........@.. ....................................@..................................S..S....`..............................\S............................................... ............... ..H............text...T4... ...6.................. ..`.rsrc........`.......8..............@..@.reloc...............<..............@..B................0T......H.......h....?...........................................................(r...*...(....*V.~....(........o....*.."..(....*...Z.~....(....-..s....*.*..0.............(.....*...0..8................{........{....M........ZXM)..............(....*V.~....(........o....*.."..(....*...Z.~....(....-..s....*.*..0.............(.....*...0..8................{........{....M........ZXM)..............(....*.0.....................(....}.......(....}........(.......+r..."....(....}......."....}.
                                  Process:C:\Users\user\Desktop\remover.exe
                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Category:dropped
                                  Size (bytes):252928
                                  Entropy (8bit):6.009569774467475
                                  Encrypted:false
                                  SSDEEP:6144:/yx2FKVw+6LRnencMdWqtFhdpGFfnbJoeeYr:6w+Ienc1qf6bJrd
                                  MD5:FFB4B61CC11BEC6D48226027C2C26704
                                  SHA1:FA8B9E344ACCBDC4DFFA9B5D821D23F0716DA29E
                                  SHA-256:061542FF3FB36039B7BBFFDF3E07B66176B264C1DFD834A14B09C08620717303
                                  SHA-512:48AA6130BF1F5BD6DE19256BBDF754C0158B43DD122CEC47BB801A7A7B56F2DA268BFDEC24D135621764A23278EAD3DCC35911A057E2DFA55A348BAE8EF7B8A9
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 0%
                                  Reputation:low
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...DjDX...........!................N.... ........@.. .......................@............@.....................................W............................ ......h................................................ ............... ..H............text...T.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B................0.......H...........dP...........................................................(....(....*..(....*.0.. ........,....o....,..o....o......o....*..{....*"..}....*.....(....*.0..[........(......}.....~....}.....{....,:..i........}......(...+Z..(....}......+......(......X...2.*...(...........}......(...+Z..(....}....*..{....*N.{....,..{.....i*.*&.{......*....{.........{....(............ZXMoP...*...{........{....(............ZX.oO....*...,...}.....{....(.....~....}....*..2.{....o....*...
                                  Process:C:\Users\user\Desktop\remover.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):2422
                                  Entropy (8bit):7.832922049963086
                                  Encrypted:false
                                  SSDEEP:48:ePNlqTcq1ZMemaeWJJtlgGdYu/mwLHQHOjKVgFArOSi4:eFMTc6Me4WJjltd/wA1SV
                                  MD5:AA977A186DF6BF03B9E07E2F5E03199B
                                  SHA1:83472F5367F2BDBD36369E207C2BDBAFB8AAE0D1
                                  SHA-256:7EF1AE410CCC5E3A58171E2BDD83B0A24595483344677B342741E5DEC5BFF06C
                                  SHA-512:D26C1DD22F762CF51032F087B91D63772002755FE327EE80416C3FB83758B9111C5F0F09F2DD82E073CFD70D8DC64DFB16C90A4B55F8ED5F1FFDFA29E6AC58C2
                                  Malicious:false
                                  Reputation:low
                                  Preview:0..r...0.....*.H..............0...0.....*.H.............}0..y0..u..*.H............0...0...*.H.......0....3xq...-..........%.....].?2.E..xHF.....$..2*.x.y..Q....h.".0.*..}.M......M..[..M(J).M...g...&n<[..l[a.....,6K.E.P,.~.2.au..B) h.sh..V.......|.W.....8..@."..bJ..$..;.p........(.$...p...x.........lD....n.E..p...%.ZV...!xs'.j....2..Pi.a.T.1..w.\TG.9...J..r.?._.t.8.RE...\..p.<IJT.PdS..}w.!..B.j..l.XI).P.a..'<....k.U.E.#I.^.c#.@..(O.[.JM..Qq.w...{ .sP;./..J*]....1.4.q.2.....eU._H.l9..b..<...M.=.xW.u..Q.d.5.H0<.Ka...."._...,....$...:s.d......Q...~..Q.+.q=...M.m.....h.r..,..t0P...:.T...m~...)..K :.`.|q..1!.P....\..2O'}.acG\..).[.....V.0...[..x..*.0Zj..2 ..~].g...z. .p...%...r...|r..3F_..P.r*..x..z. .!...........j.....?.=.k.3....w\ ...CQ.{..*.".....dU*.j..-..K.L........FP.U.....%.".A.RI..F...{.H-;.];.g..xP...~.*......D?.AH7).._.N?:._8.C..a`......=.w.8......;..^.?G.....o1...Y.....n........(..3.vY....-p[:.....A.)xx:f.H.h)2,^7b_ .|...Q........>.u.
                                  Process:C:\Users\user\Desktop\remover.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):2422
                                  Entropy (8bit):7.832922049963086
                                  Encrypted:false
                                  SSDEEP:48:ePNlqTcq1ZMemaeWJJtlgGdYu/mwLHQHOjKVgFArOSi4:eFMTc6Me4WJjltd/wA1SV
                                  MD5:AA977A186DF6BF03B9E07E2F5E03199B
                                  SHA1:83472F5367F2BDBD36369E207C2BDBAFB8AAE0D1
                                  SHA-256:7EF1AE410CCC5E3A58171E2BDD83B0A24595483344677B342741E5DEC5BFF06C
                                  SHA-512:D26C1DD22F762CF51032F087B91D63772002755FE327EE80416C3FB83758B9111C5F0F09F2DD82E073CFD70D8DC64DFB16C90A4B55F8ED5F1FFDFA29E6AC58C2
                                  Malicious:false
                                  Reputation:low
                                  Preview:0..r...0.....*.H..............0...0.....*.H.............}0..y0..u..*.H............0...0...*.H.......0....3xq...-..........%.....].?2.E..xHF.....$..2*.x.y..Q....h.".0.*..}.M......M..[..M(J).M...g...&n<[..l[a.....,6K.E.P,.~.2.au..B) h.sh..V.......|.W.....8..@."..bJ..$..;.p........(.$...p...x.........lD....n.E..p...%.ZV...!xs'.j....2..Pi.a.T.1..w.\TG.9...J..r.?._.t.8.RE...\..p.<IJT.PdS..}w.!..B.j..l.XI).P.a..'<....k.U.E.#I.^.c#.@..(O.[.JM..Qq.w...{ .sP;./..J*]....1.4.q.2.....eU._H.l9..b..<...M.=.xW.u..Q.d.5.H0<.Ka...."._...,....$...:s.d......Q...~..Q.+.q=...M.m.....h.r..,..t0P...:.T...m~...)..K :.`.|q..1!.P....\..2O'}.acG\..).[.....V.0...[..x..*.0Zj..2 ..~].g...z. .p...%...r...|r..3F_..P.r*..x..z. .!...........j.....?.=.k.3....w\ ...CQ.{..*.".....dU*.j..-..K.L........FP.U.....%.".A.RI..F...{.H-;.];.g..xP...~.*......D?.AH7).._.N?:._8.C..a`......=.w.8......;..^.?G.....o1...Y.....n........(..3.vY....-p[:.....A.)xx:f.H.h)2,^7b_ .|...Q........>.u.
                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Entropy (8bit):6.086581572371092
                                  TrID:
                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                  • Win32 Executable (generic) a (10002005/4) 49.75%
                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                  • Windows Screen Saver (13104/52) 0.07%
                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                  File name:remover.exe
                                  File size:1'352'192 bytes
                                  MD5:832e3ac5462158c38460b0f7e4496b18
                                  SHA1:e609c94be05236b2e204eede3c19557607c63a9c
                                  SHA256:98f65823ee47007d5c436c7615cca74b6aaef450f438b2464b5c3a6b9faeaf01
                                  SHA512:20409c45c1344807bebd64b8d9c21ad30092769ad1f9bbaf4a28793033a48aa539e336c264e88bd8f83b10453f6d135b653fc658f83ffee18bd1bda562f1bc47
                                  SSDEEP:24576:DBDJ6irZnEY659Mvz5cg9FZo84Q0CK+xfOF06rzf:DG3Y659M75XvpY06rz
                                  TLSH:09558E12BBAC4E37C68F17BEB4B1651743B1D001A552E70F5AA4A95E0EE3380CE1A7D7
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.................. ........@.. ....................................`................................
                                  Icon Hash:90cececece8e8eb0
                                  Entrypoint:0x54b60e
                                  Entrypoint Section:.text
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                  DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:0x8AFAAF06 [Sat Nov 21 02:10:14 2043 UTC] (later than the analysis date, so not a real link time; for a .NET assembly the usual cause is a deterministic build, where the compiler stores a hash of its inputs in this field, which makes the value usable for matching builds but not for dating them)
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:4
                                  OS Version Minor:0
                                  File Version Major:4
                                  File Version Minor:0
                                  Subsystem Version Major:4
                                  Subsystem Version Minor:0
                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
The bytes after the jump are zero padding and disassemble as a long run of "add byte ptr [eax], al" (omitted here). The jump target 0x402000 is ImageBase 0x400000 plus the IAT directory at RVA 0x2000, whose single entry is the only native import, mscoree.dll!_CorExeMain: this is the standard managed entry stub, so the program logic lives in the CIL, not in native code.
Name  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT  0x0  0x0
IMAGE_DIRECTORY_ENTRY_IMPORT  0x14b5b8  0x53  .text
IMAGE_DIRECTORY_ENTRY_RESOURCE  0x14c000  0x5c6  .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION  0x0  0x0
IMAGE_DIRECTORY_ENTRY_SECURITY  0x0  0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC  0x14e000  0xc  .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG  0x0  0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT  0x0  0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR  0x0  0x0
IMAGE_DIRECTORY_ENTRY_TLS  0x0  0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG  0x0  0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT  0x0  0x0
IMAGE_DIRECTORY_ENTRY_IAT  0x2000  0x8  .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT  0x0  0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008  0x48  .text
IMAGE_DIRECTORY_ENTRY_RESERVED  0x0  0x0
Name  Virtual Address  Virtual Size  Raw Size  MD5  Xored PE  ZLIB Complexity  File Type  Entropy  Characteristics
.text  0x2000  0x149614  0x149800  ffce07fc610c55d89c1913a79236fc39  False  0.3691776721358118  data  6.090283692961319  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc  0x14c000  0x5c6  0x600  931e73c572b6717b5737efb06c7541c3  False  0.4114583333333333  data  4.097131305222293  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x14e000  0xc  0x200  57ceb087ad3dbe3b3d612620c3bbf575  False  0.044921875  data  0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name  RVA  Size  Type  Language  Country  ZLIB Complexity
RT_VERSION  0x14c0a0  0x33c  data  (none)  (none)  0.3997584541062802
RT_MANIFEST  0x14c3dc  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators  (none)  (none)  0.5489795918367347
DLL  Import
mscoree.dll  _CorExeMain
Description  Data
Translation  0x0000 0x04b0
Comments  (empty)
CompanyName  (empty)
FileDescription  VT Control Client
FileVersion  1.0.0.0
InternalName  VT Control Client.exe
LegalCopyright  (empty)
LegalTrademarks  (empty)
OriginalFilename  VT Control Client.exe
ProductName  VT Control Client
ProductVersion  1.0.0.0
Assembly Version  1.0.0.0
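The static rows above carry three facts a triager checks before opening the sample in a decompiler: the link-time stamp lies in 2043, the DLL characteristics are the defaults a modern .NET compiler emits, and the only native import is mscoree.dll!_CorExeMain behind a CLR header at RVA 0x2008. The script below is an added example, not code from the Joe Sandbox report or from the sample: it parses the COFF and optional headers with struct, decodes the DllCharacteristics bits, detects the CLR header through IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, and flags a stamp that postdates the analysis. The header it runs on is synthetic, assembled in memory from the values in the report so the code runs without the binary; the builder, the field names in the returned dict and the 0x14B60E entry RVA are this example's own choices.

```python
"""Check the PE header facts listed in the report for remover.exe.

Added example, not part of the Joe Sandbox report.  The synthetic header built by
build_synthetic_pe32() is constructed test input carrying the report's values; run
pe_header_summary(open(path, "rb").read(), analysis_time) against a real file.
"""
import struct
from datetime import datetime, timezone

# IMAGE_DLLCHARACTERISTICS_* flags from the PE/COFF specification.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
COM_DESCRIPTOR_INDEX = 14   # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (the CLR header)


def pe_header_summary(data: bytes, analysis_time: datetime) -> dict:
    """Parse the COFF/optional headers of a PE image and return the fields worth triaging."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, _, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:            # PE32: NumberOfRvaAndSizes at +92, DataDirectory at +96
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:          # PE32+: ImageBase is 8 bytes wide, everything after shifts by 16
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in PE32 and PE32+
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    clr_rva = clr_size = 0
    if ndirs > COM_DESCRIPTOR_INDEX:
        clr_rva, clr_size = struct.unpack_from("<II", data, dirs_off + COM_DESCRIPTOR_INDEX * 8)
    stamp = datetime.fromtimestamp(timestamp, tz=timezone.utc)
    return {
        "machine": f"0x{machine:x}",
        "sections": nsections,
        "timestamp": timestamp,
        "timestamp_utc": stamp.strftime("%Y-%m-%d %H:%M:%S"),
        # A link time after the analysis date cannot be a real build time.
        "timestamp_plausible": stamp <= analysis_time,
        "dll_characteristics": [n for bit, n in sorted(DLL_CHARACTERISTICS.items()) if dll_chars & bit],
        "is_dotnet": clr_rva != 0 and clr_size != 0,
    }


def build_synthetic_pe32(timestamp: int, dll_chars: int, clr_rva: int, clr_size: int) -> bytes:
    """Assemble a minimal PE32 header in memory (constructed test input, not the sample itself)."""
    e_lfanew, ndirs = 0x80, 16
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 96 + ndirs * 8
    # Machine 0x14c (i386), 3 sections, EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE.
    coff = struct.pack("<HHIIIHH", 0x14C, 3, timestamp, 0, 0, opt_size, 0x0022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)           # PE32 magic
    struct.pack_into("<I", opt, 16, 0x14B60E)       # AddressOfEntryPoint: RVA of the report's 0x54b60e
    struct.pack_into("<I", opt, 28, 0x400000)       # ImageBase
    struct.pack_into("<H", opt, 68, 2)              # IMAGE_SUBSYSTEM_WINDOWS_GUI
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, 92, ndirs)
    struct.pack_into("<II", opt, 96 + COM_DESCRIPTOR_INDEX * 8, clr_rva, clr_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Values from the report's static rows: stamp 0x8AFAAF06, HIGH_ENTROPY_VA | DYNAMIC_BASE |
# NX_COMPAT | NO_SEH | TERMINAL_SERVER_AWARE, CLR header at RVA 0x2008 with size 0x48.
REPORT_TIMESTAMP = 0x8AFAAF06
REPORT_DLL_CHARS = 0x0020 | 0x0040 | 0x0100 | 0x0400 | 0x8000
ANALYSIS_TIME = datetime(2025, 3, 19, 16, 15, 16, tzinfo=timezone.utc)   # report start time, CET to UTC


def demo() -> dict:
    sample = build_synthetic_pe32(REPORT_TIMESTAMP, REPORT_DLL_CHARS, 0x2008, 0x48)
    return pe_header_summary(sample, ANALYSIS_TIME)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The plausibility check is deliberately only "not after the analysis date": a stamp in the past can still be forged, so treat the field as a build identifier to pivot on (other samples with the same hash-derived stamp come from the same build inputs) rather than as evidence of when the sample was compiled.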


• Total Packets: 21
• Ports seen: 4305 (no standard service assigned), 80 (HTTP), 53 (DNS)
Timestamp  Source Port  Dest Port  Source IP  Dest IP
Mar 19, 2025 17:16:14.758472919 CET  49719  4305  192.168.2.4  147.185.221.27
Mar 19, 2025 17:16:14.763264894 CET  4305  49719  147.185.221.27  192.168.2.4
Mar 19, 2025 17:16:14.763353109 CET  49719  4305  192.168.2.4  147.185.221.27
Mar 19, 2025 17:16:14.786218882 CET  49719  4305  192.168.2.4  147.185.221.27
Mar 19, 2025 17:16:14.791001081 CET  4305  49719  147.185.221.27  192.168.2.4
Mar 19, 2025 17:16:16.445288897 CET  4305  49719  147.185.221.27  192.168.2.4
Mar 19, 2025 17:16:16.450767994 CET  49719  4305  192.168.2.4  147.185.221.27
Mar 19, 2025 17:16:16.455558062 CET  4305  49719  147.185.221.27  192.168.2.4
Mar 19, 2025 17:16:16.869287968 CET  4305  49719  147.185.221.27  192.168.2.4
Mar 19, 2025 17:16:16.917426109 CET  49719  4305  192.168.2.4  147.185.221.27
Mar 19, 2025 17:16:17.138489008 CET  4305  49719  147.185.221.27  192.168.2.4
Mar 19, 2025 17:16:17.182926893 CET  49719  4305  192.168.2.4  147.185.221.27
Mar 19, 2025 17:16:17.328738928 CET  49720  80  192.168.2.4  208.95.112.1
Mar 19, 2025 17:16:17.333549023 CET  80  49720  208.95.112.1  192.168.2.4
Mar 19, 2025 17:16:17.333623886 CET  49720  80  192.168.2.4  208.95.112.1
Mar 19, 2025 17:16:17.333847046 CET  49720  80  192.168.2.4  208.95.112.1
Mar 19, 2025 17:16:17.338565111 CET  80  49720  208.95.112.1  192.168.2.4
Mar 19, 2025 17:16:18.093405008 CET  80  49720  208.95.112.1  192.168.2.4
Mar 19, 2025 17:16:18.102837086 CET  49719  4305  192.168.2.4  147.185.221.27
Mar 19, 2025 17:16:18.107685089 CET  4305  49719  147.185.221.27  192.168.2.4
Mar 19, 2025 17:16:18.136179924 CET  49720  80  192.168.2.4  208.95.112.1
Mar 19, 2025 17:16:55.944859028 CET  80  49720  208.95.112.1  192.168.2.4
Mar 19, 2025 17:16:55.944957018 CET  49720  80  192.168.2.4  208.95.112.1
Mar 19, 2025 17:17:58.105806112 CET  49720  80  192.168.2.4  208.95.112.1
Mar 19, 2025 17:17:58.417926073 CET  49720  80  192.168.2.4  208.95.112.1
Mar 19, 2025 17:17:59.027420998 CET  49720  80  192.168.2.4  208.95.112.1
Mar 19, 2025 17:18:00.230469942 CET  49720  80  192.168.2.4  208.95.112.1
Mar 19, 2025 17:18:02.636727095 CET  49720  80  192.168.2.4  208.95.112.1
Mar 19, 2025 17:18:07.449235916 CET  49720  80  192.168.2.4  208.95.112.1
Mar 19, 2025 17:18:17.058875084 CET  49720  80  192.168.2.4  208.95.112.1
                                   Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                   Mar 19, 2025 17:16:14.741954088 CET | 51510 | 53 | 192.168.2.4 | 1.1.1.1
                                   Mar 19, 2025 17:16:14.754338980 CET | 53 | 51510 | 1.1.1.1 | 192.168.2.4
                                   Mar 19, 2025 17:16:17.316421032 CET | 49253 | 53 | 192.168.2.4 | 1.1.1.1
                                   Mar 19, 2025 17:16:17.325267076 CET | 53 | 49253 | 1.1.1.1 | 192.168.2.4
                                   Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                   Mar 19, 2025 17:16:14.741954088 CET | 192.168.2.4 | 1.1.1.1 | 0x151d | Standard query (0) | then-amanda.gl.at.ply.gg | A (IP address) | IN (0x0001) | false
                                   Mar 19, 2025 17:16:17.316421032 CET | 192.168.2.4 | 1.1.1.1 | 0x8959 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
                                   Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                   Mar 19, 2025 17:16:14.754338980 CET | 1.1.1.1 | 192.168.2.4 | 0x151d | No error (0) | then-amanda.gl.at.ply.gg | | 147.185.221.27 | A (IP address) | IN (0x0001) | false
                                   Mar 19, 2025 17:16:17.325267076 CET | 1.1.1.1 | 192.168.2.4 | 0x8959 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
                                  • ip-api.com
                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                   0 | 192.168.2.4 | 49720 | 208.95.112.1 | 80 | 7800 | C:\Users\user\Desktop\remover.exe
                                   Timestamp | Bytes transferred | Direction | Data
                                   Mar 19, 2025 17:16:17.333847046 CET | 89 | OUT | GET /xml/?fields=countryCode,query HTTP/1.1
                                  Host: ip-api.com
                                  Connection: Keep-Alive
                                   Mar 19, 2025 17:16:18.093405008 CET | 294 | IN | HTTP/1.1 200 OK
                                  Date: Wed, 19 Mar 2025 16:16:17 GMT
                                  Content-Type: application/xml; charset=utf-8
                                  Content-Length: 118
                                  Access-Control-Allow-Origin: *
                                  X-Ttl: 60
                                  X-Rl: 44
                                  Data Ascii: <?xml version="1.0" encoding="UTF-8"?><query> <countryCode>US</countryCode> <query>96.44.151.123</query></query>



                                  Target ID:0
                                  Start time:12:16:13
                                  Start date:19/03/2025
                                  Path:C:\Users\user\Desktop\remover.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Users\user\Desktop\remover.exe"
                                  Imagebase:0x157ef080000
                                  File size:1'352'192 bytes
                                  MD5 hash:832E3AC5462158C38460B0F7E4496B18
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:low
                                  Has exited:false

                                  Execution Graph

                                  Execution Coverage

                                  Dynamic/Packed Code Coverage

                                  Signature Coverage

                                  Execution Coverage:17.6%
                                  Dynamic/Decrypted Code Coverage:100%
                                  Signature Coverage:0%
                                  Total number of Nodes:3
                                  Total number of Limit Nodes:0
                                   execution_graph: 7ffc3dc85c58 -> 7ffc3dc85c61 (SetWindowsHookExW) -> 7ffc3dc85d31

                                  Executed Functions

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3614759960.00007FFC3DC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3DC80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7ffc3dc80000_remover.jbxd
                                  • Opcode ID: 54074df5fd98392c18cc65e59b8d355998de3fb84ed9f61225509b5024ce19f8
                                  • Instruction ID: ae1ab3d74ad748ef2bcb1dfecbb44b3d82bdb94b2e93cae0e5f5a08821fca8ce
                                  • Opcode Fuzzy Hash: 54074df5fd98392c18cc65e59b8d355998de3fb84ed9f61225509b5024ce19f8
                                  • Instruction Fuzzy Hash: 49F1C231918A8E8FEBA8DF28D855BE977D1FF54310F14426AE84DC7291DB349981CB82

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3614759960.00007FFC3DC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3DC80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7ffc3dc80000_remover.jbxd
                                  • Opcode ID: f2f1affd94473e9bb84b8351eacbf852ce11a77d5928d82e521d80fae5f4a397
                                  • Instruction ID: b7d9707fdafc145f467819c038eee4f0f8e56e140986b9101962fe68f275ee9a
                                  • Opcode Fuzzy Hash: f2f1affd94473e9bb84b8351eacbf852ce11a77d5928d82e521d80fae5f4a397
                                  • Instruction Fuzzy Hash: 76E1E430918A4E8FEBA8DF68D855BE977D1FF54310F04426ED84DC7291EE75A881CB82

                                  Control-flow Graph

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3614759960.00007FFC3DC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3DC80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7ffc3dc80000_remover.jbxd
                                  Similarity
                                  • API ID: HookWindows
                                  • String ID:
                                  • API String ID: 2559412058-0
                                  • Opcode ID: 44d7447437726d1ddc7f6ae1729cf6e17c28e8e2d14dc671501405a36eae08e3
                                  • Instruction ID: 9a3e737413cd7b3e1d78741cedff7d5212bb597cf27a0a3da4b0cc9adc0448cf
                                  • Opcode Fuzzy Hash: 44d7447437726d1ddc7f6ae1729cf6e17c28e8e2d14dc671501405a36eae08e3
                                  • Instruction Fuzzy Hash: 1641383091CA5D4FDB58EF6C98466F9BBE1EB59321F00023EE049D3192DE74A852CBD1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3615002077.00007FFC3DD50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3DD50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7ffc3dd50000_remover.jbxd
                                  • Opcode ID: 05925bf4b863d6806094a3337f6c5048a4e9429e62d7c247dba96a15fe1ffe83
                                  • Instruction ID: 3928e3e883b1afc602f36ab6fabc899ed0e93615e2698cf77f0113f7d9b54bff
                                  • Opcode Fuzzy Hash: 05925bf4b863d6806094a3337f6c5048a4e9429e62d7c247dba96a15fe1ffe83
                                  • Instruction Fuzzy Hash: 1A31073160CA4D0FD79DDA6CA85AA7537D6EB5A320B1402BED04EC3293ED64EC52C3E1

                                  Non-executed Functions

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3614759960.00007FFC3DC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3DC80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7ffc3dc80000_remover.jbxd
                                  • Opcode ID: 276ee60d7e92e612cd7418574427335bc999a96a03c8fb0964806433981ceb9b
                                  • Instruction ID: ea7d0221a5afcb2fb3cb5e0d9af5ab22bae600661ae0533aecc18cab2a4c2a9f
                                  • Opcode Fuzzy Hash: 276ee60d7e92e612cd7418574427335bc999a96a03c8fb0964806433981ceb9b
                                  • Instruction Fuzzy Hash: DFC1583190CB5C4FDB19DFA898466E9BBF1EF96321F04426FE049D3292DE746806CB91
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3614759960.00007FFC3DC80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC3DC80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7ffc3dc80000_remover.jbxd
                                  • Opcode ID: 20697354435623443c8dcda11c3b079189efd46f03f96b0de714483ef80c78a4
                                  • Instruction ID: 63155c4cf75160bda01852fe7751fc8e3ac3980be8447a36f5dc60ee708ce383
                                  • Opcode Fuzzy Hash: 20697354435623443c8dcda11c3b079189efd46f03f96b0de714483ef80c78a4
                                  • Instruction Fuzzy Hash: 53C1A5544AE3DE8EDB5357B518709A2BFA4AF03269B1C04FBD0D8CA093E90D149BD326