Windows Analysis Report
WtRLqa6ZXn.exe

Overview

General Information

Sample Name: WtRLqa6ZXn.exe
Original Sample Name: de237777518dc9c0b7a03c536746d878.exe
Analysis ID: 1348052
MD5: de237777518dc9c0b7a03c536746d878
SHA1: a357466573e35d634a119b7f2e7a8a18f5018811
SHA256: 23c6e8163646ba03c0a5c6dcdf0f0df5688ec4a91c8bd9b663888440254bc12f
Tags: exe

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Machine Learning detection for sample
Uses 32bit PE files
Found decision node followed by non-executed suspicious APIs
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)

Classification

  • System is w10x64
  • WtRLqa6ZXn.exe (PID: 6444 cmdline: C:\Users\user\Desktop\WtRLqa6ZXn.exe MD5: DE237777518DC9C0B7A03C536746D878)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
Timestamp: 11/26/23-18:54:06.452721
Source IP: 192.168.2.6
Destination IP: 185.158.115.191
SID: 2806881
Source Port: 49709
Destination Port: 1001
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 11/26/23-18:56:07.142932
Source IP: 192.168.2.6
Destination IP: 185.158.115.191
SID: 2806881
Source Port: 50290
Destination Port: 1002
Protocol: TCP
Classtype: A Network Trojan was detected


AV Detection

Source: WtRLqa6ZXn.exe | Avira: detected
Source: WtRLqa6ZXn.exe | ReversingLabs: Detection: 70%
Source: WtRLqa6ZXn.exe | Virustotal: Detection: 74%
Source: WtRLqa6ZXn.exe | Joe Sandbox ML: detected
Source: WtRLqa6ZXn.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: WtRLqa6ZXn.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\WtRLqa6ZXn.exe | Code function: 0_2_00841300 GetWindowsDirectoryA,FindFirstFileA,FindClose, 0_2_00841300

Networking

Source: Traffic | Snort IDS: 2806881 ETPRO TROJAN TrojanProxy.Win32/Hioles.B CnC 192.168.2.6:49709 -> 185.158.115.191:1001
Source: Traffic | Snort IDS: 2806881 ETPRO TROJAN TrojanProxy.Win32/Hioles.B CnC 192.168.2.6:50290 -> 185.158.115.191:1002
Source: Joe Sandbox View | IP Address: 67.195.228.94
Source: C:\Users\user\Desktop\WtRLqa6ZXn.exe | Code function: 0_2_00841490 StrStrIA,recv,StrStrIA, 0_2_00841490
Source: WtRLqa6ZXn.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: WtRLqa6ZXn.exe | ReversingLabs: Detection: 70%
Source: WtRLqa6ZXn.exe | Virustotal: Detection: 74%
Source: WtRLqa6ZXn.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\WtRLqa6ZXn.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: classification engine | Classification label: mal68.winEXE@1/0@0/33
Source: C:\Users\user\Desktop\WtRLqa6ZXn.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\IpbudbiLjohb
Source: WtRLqa6ZXn.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\WtRLqa6ZXn.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_0-805
Source: C:\Users\user\Desktop\WtRLqa6ZXn.exe TID: 2036 | Thread sleep time: -922337203685477s >= -30000s
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\WtRLqa6ZXn.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\WtRLqa6ZXn.exe | Code function: 0_2_00841300 GetWindowsDirectoryA,FindFirstFileA,FindClose, 0_2_00841300
Source: WtRLqa6ZXn.exe, 00000000.00000002.3396213563.00000000014EE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\WtRLqa6ZXn.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\WtRLqa6ZXn.exe | Code function: 0_2_00841540 CreateEventW,CreateThread,CloseHandle,lstrcmpiA,Sleep,Sleep,Sleep,Sleep,setsockopt,closesocket,GetProcessHeap,HeapAlloc,CreateThread,FindCloseChangeNotification,GetProcessHeap,HeapFree,SetEvent, 0_2_00841540
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\WtRLqa6ZXn.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\WtRLqa6ZXn.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\WtRLqa6ZXn.exe | Code function: 0_2_00841360 GetTempPathA,GetVolumeInformationA,GetComputerNameA,GetUserNameA, 0_2_00841360
ATT&CK matrix (one column per tactic; techniques matched by this analysis carry their count in parentheses):

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact | Resource Development | Reconnaissance
Valid Accounts | Windows Management Instrumentation | Path Interception | Path Interception | Virtualization/Sandbox Evasion (21) | OS Credential Dumping | Security Software Discovery (11) | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Ingress Tool Transfer (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Abuse Accessibility Features | Acquire Infrastructure | Gather Victim Identity Information
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Rootkit | LSASS Memory | Virtualization/Sandbox Evasion (21) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | SIM Card Swap | Obtain Device Cloud Backups | Network Denial of Service | Domains | Credentials
Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | Account Discovery (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | - | - | Data Encrypted for Impact | DNS Server | Email Addresses
Local Accounts | Cron | Login Hook | Login Hook | Binary Padding | NTDS | System Owner/User Discovery (1) | Distributed Component Object Model | Input Capture | Traffic Duplication | Protocol Impersonation | - | - | Data Destruction | Virtual Private Server | Employee Names
Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | File and Directory Discovery (1) | SSH | Keylogging | Scheduled Transfer | Fallback Channels | - | - | Data Encrypted for Impact | Server | Gather Victim Network Information
Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | System Information Discovery (11) | VNC | GUI Input Capture | Data Transfer Size Limits | Multiband Communication | - | - | Service Stop | Botnet | Domain Properties
Source | Detection | Scanner | Label
WtRLqa6ZXn.exe | 70% | ReversingLabs | Win32.Trojan.MintMurphy
WtRLqa6ZXn.exe | 75% | Virustotal |
WtRLqa6ZXn.exe | 100% | Avira | TR/Crypt.XPACK.Gen
WtRLqa6ZXn.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No contacted domains info
IP | Domain | Country | ASN | ASN Name | Malicious
217.69.139.60 | unknown | Russian Federation | 47764 | MAILRU-ASMailRuRU | false
212.227.17.178 | unknown | Germany | 8560 | ONEANDONE-ASBrauerstrasse48DE | false
195.54.174.27 | unknown | unknown | 199236 | EMARSYS-ASEmarsyseMarketingSystemsAGAT | false
67.195.228.94 | unknown | United States | 36647 | YAHOO-GQ1US | false
93.186.225.205 | unknown | Russian Federation | 47541 | VKONTAKTE-SPB-AShttpvkcomRU | false
142.251.111.109 | unknown | United States | 15169 | GOOGLEUS | false
95.181.181.87 | unknown | Russian Federation | 61120 | AIRNETRU | false
87.240.139.193 | unknown | Russian Federation | 47541 | VKONTAKTE-SPB-AShttpvkcomRU | false
143.90.14.136 | unknown | Japan | 4725 | ODNSoftBankMobileCorpJP | false
149.154.167.99 | unknown | United Kingdom | 62041 | TELEGRAMRU | false
52.96.48.54 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
142.251.167.108 | unknown | United States | 15169 | GOOGLEUS | false
62.173.147.3 | unknown | Russian Federation | 34300 | SPACENET-ASInternetServiceProviderRU | false
178.248.235.219 | unknown | Russian Federation | 197068 | QRATORRU | false
37.1.217.172 | unknown | Ukraine | 58061 | SCALAXY-ASNL | false
44.241.129.35 | unknown | United States | 16509 | AMAZON-02US | false
52.40.178.147 | unknown | United States | 16509 | AMAZON-02US | false
81.19.78.89 | unknown | Russian Federation | 24638 | RAMBLER-TELECOM-ASRU | false
81.19.78.87 | unknown | Russian Federation | 24638 | RAMBLER-TELECOM-ASRU | false
87.248.103.8 | unknown | United Kingdom | 34010 | YAHOO-IRDGB | false
212.227.17.162 | unknown | Germany | 8560 | ONEANDONE-ASBrauerstrasse48DE | false
92.53.64.209 | unknown | Russian Federation | 49505 | SELECTELRU | false
94.100.184.66 | unknown | Russian Federation | 47764 | MAILRU-ASMailRuRU | false
185.158.115.191 | unknown | Russian Federation | 44812 | IPSERVER-RU-NETFiordRU | true
52.96.88.34 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
195.49.132.16 | unknown | France | 57633 | TERANET2FR | false
142.251.16.109 | unknown | United States | 15169 | GOOGLEUS | false
67.195.176.152 | unknown | United States | 26101 | YAHOO-3US | false
213.59.254.8 | unknown | Russian Federation | 12389 | ROSTELECOM-ASRU | false
178.248.238.27 | unknown | Russian Federation | 197068 | QRATORRU | false
91.206.14.139 | unknown | Russian Federation | 49505 | SELECTELRU | false
104.127.87.210 | unknown | United States | 20940 | AKAMAI-ASN1EU | false
52.96.32.178 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
Joe Sandbox Version: 38.0.0 Ammolite
Analysis ID: 1348052
Start date and time: 2023-11-26 18:53:12 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 10s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: WtRLqa6ZXn.exe (renamed because original name is a hash value)
Original Sample Name: de237777518dc9c0b7a03c536746d878.exe
Detection: MAL
Classification: mal68.winEXE@1/0@0/33
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 24
  • Number of non-executed functions: 4
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
  • Excluded IPs from analysis (whitelisted): 52.113.194.133, 52.178.182.128, 52.158.121.3, 20.190.151.7, 20.190.151.69, 20.190.151.67, 20.190.151.134, 20.190.151.8, 20.190.151.131, 20.190.151.68, 20.190.151.132, 104.16.120.50, 104.16.119.50, 17.32.194.38, 17.32.194.7, 172.253.122.95, 192.168.2.6
  • Excluded domains from analysis (whitelisted): client.wns.windows.com, prdv4a.aadg.msidentity.com, slscr.update.microsoft.com, ajax.googleapis.com, www.tm.v4.a.prd.aadg.akadns.net, go-skype-com.s-0006.s-msedge.net, ctldl.windowsupdate.com, login.skype-apps.akadns.net, login.msa.msidentity.com, idmsa.idms-apple.com.akadns.net, fe3cr.delivery.mp.microsoft.com, idmsa.apple.com, secure.skype-apps.akadns.net, ocsp.digicert.com, login.live.com, auth.riotgames.com.cdn.cloudflare.net, s-0006.s-msedge.net, www.tm.lg.prod.aadmsa.trafficmanager.net
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
No simulations
Match | Associated Sample Name / URL | Detection | Threat Name
217.69.139.60 | 3pYA64ZwEC.exe | malicious | Unknown
67.195.228.94 | newtpp.exe | malicious | Phorpiex
67.195.228.94 | gEkl9O5tiu.exe | malicious | Phorpiex
67.195.228.94 | file.exe | malicious | Tofsee
67.195.228.94 | file.exe | malicious | Phorpiex, Xmrig
67.195.228.94 | l3Qj8QhTYZ.exe | malicious | Phorpiex
67.195.228.94 | message.elm.exe | malicious | Unknown
67.195.228.94 | test.dat.exe | malicious | Unknown
67.195.228.94 | doc.msg.exe | malicious | Unknown
67.195.228.94 | b7413f528510f6f00fe90877e39b3cb1b94fbfb4974fe.exe | malicious | Raccoon RedLine SmokeLoader Tofsee Vidar Xmrig
67.195.228.94 | IKUiRXwsnT.exe | malicious | Tofsee Xmrig
67.195.228.94 | Update-KB3756-x86.exe | malicious | Unknown
67.195.228.94 | sbFQSOHQS9.exe | malicious | Tofsee Xmrig
67.195.228.94 | g5keI4ykVe.exe | malicious | Raccoon RedLine SmokeLoader Tofsee Vidar Xmrig
67.195.228.94 | X54kf4zSf8.exe | malicious | Raccoon RedLine SmokeLoader Tofsee Vidar Xmrig
67.195.228.94 | Xu7v9n5LLd.exe | malicious | Raccoon RedLine SmokeLoader Tofsee Vidar Xmrig
67.195.228.94 | Player.apk | malicious | Unknown
67.195.228.94 | bLPTjx97o4.exe | malicious | Tofsee Xmrig
67.195.228.94 | UzvE3ZF7RC.exe | malicious | Tofsee Xmrig
67.195.228.94 | sKu7FoPlk3.exe | malicious | Unknown
67.195.228.94 | sample1-unpacked.exe | malicious | MyDoom
93.186.225.205 | 3pYA64ZwEC.exe | malicious | Unknown
95.181.181.87 | 3pYA64ZwEC.exe | malicious | Unknown
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
MAILRU-ASMailRuRU | L8PCdNq0xs.elf | malicious | Mirai | 178.237.22.112
MAILRU-ASMailRuRU | G7DyaA9iz9.exe | malicious | Pushdo | 217.69.139.150
MAILRU-ASMailRuRU | http://skladtandem.ru/bitrix/admin/mrt/redirect.php?login=tendai@transafricamedicals.co.za&source=gmail&ust=1691478366880000&usg=AOvVaw3Yg-fX-mtHN-vCYoBB8D5Q | malicious | Unknown | 95.163.251.206
MAILRU-ASMailRuRU | 8zb8fo2h7Z.elf | malicious | Mirai | 178.237.22.122
MAILRU-ASMailRuRU | Eypxe2gysn.elf | malicious | Mirai | 178.237.22.116
MAILRU-ASMailRuRU | http://top.mail.ru | malicious | HTMLPhisher | 217.69.139.59
MAILRU-ASMailRuRU | c97231396401b664fb865042a75fb600f6a752b2667bb8ef2d662fb0.exe | malicious | Unknown | 217.20.147.1
MAILRU-ASMailRuRU | c97231396401b664fb865042a75fb600f6a752b2667bb8ef2d662fb0.exe | malicious | Unknown | 5.61.23.11
MAILRU-ASMailRuRU | x607DB0i08.exe | malicious | Pushdo | 217.69.139.150
MAILRU-ASMailRuRU | https://mlattach.datacloudmail.ru/loader2/FE43D946C5A5F4AF6EF27A93FF7D7BE634577DE6?attach_id=QElpz4z3XEA1QN0c&expires=1697043293&from=e.mail.ru&m=ObkvJVHVmfz4nZdtQ4IkgQ&x-email=matthewblock%40eversheds-sutherlandll.com | malicious | HTMLPhisher | 5.61.236.128
MAILRU-ASMailRuRU | https://checklink.mail.ru/proxy?es=sel%2B0385qeoJtN2ktpDPP1cKO1E%2BjLj9lZzWEU3b1Y4%3D&egid=WV%2B9%2BE9MBUW6kIM%2BcYO78LeXgANMoBnZPz6k56%2BGDpU%3D&url=https%3A%2F%2Fclick.mail.ru%2Fredir%3Fu%3Dhttps%253A%252F%252Fwebmail.swan.co.th%252Fcompose%253FTo%253DMatthewblock%2540eversheds%25252dsutherlandll.com%26c%3Dswm%26r%3Dhttp%26o%3Dmail%26v%3D3%26s%3D9c23e2fe93a31d67&uidl=16969566711024638549&from=ipad%40office-dsk.com&to=ipad%40office-dsk.com&email=ipad%40office-dsk.com | malicious | HTMLPhisher | 5.181.61.0
MAILRU-ASMailRuRU | x7RlIzQDk1.exe | malicious | Unknown | 217.69.139.150
MAILRU-ASMailRuRU | jklarm-20231011-2200.elf | malicious | Mirai | 128.140.169.84
MAILRU-ASMailRuRU | EwK95WVtzI.exe | malicious | Pushdo | 217.69.139.150
MAILRU-ASMailRuRU | x86_64.elf | malicious | Mirai, Moobot | 217.69.134.45
MAILRU-ASMailRuRU | https://ok.me/jfjC1#qsv17j9 | malicious | HTMLPhisher | 217.20.155.6
MAILRU-ASMailRuRU | x86.elf | malicious | Unknown | 128.140.169.90
MAILRU-ASMailRuRU | 3pYA64ZwEC.exe | malicious | Unknown | 94.100.180.60
MAILRU-ASMailRuRU | 5LW1482x87.elf | malicious | Mirai | 94.100.184.227
MAILRU-ASMailRuRU | OWd39WUX3D.exe | malicious | Pushdo | 217.69.139.150
EMARSYS-ASEmarsyseMarketingSystemsAGAT | baR0qbxuDh.elf | malicious | Mirai | 217.175.199.14
EMARSYS-ASEmarsyseMarketingSystemsAGAT | https://clicktrack.tulli.ro/u/gm.php?prm=SCKffwYflp_522422937_8354056_8420 | malicious | Unknown | 217.175.192.11
ONEANDONE-ASBrauerstrasse48DE | gunzipped.exe | malicious | FormBook | 74.208.236.243
ONEANDONE-ASBrauerstrasse48DE | klWGq3yDcQ.exe | malicious | Unknown | 74.208.5.3
ONEANDONE-ASBrauerstrasse48DE | klWGq3yDcQ.exe | malicious | Unknown | 198.71.53.137
ONEANDONE-ASBrauerstrasse48DE | file.exe | malicious | Unknown | 217.160.255.217
ONEANDONE-ASBrauerstrasse48DE | rDHLReceipt_8939977153.exe | malicious | FormBook | 217.160.0.118
ONEANDONE-ASBrauerstrasse48DE | QUOTATION#67353-15-2023.exe | malicious | FormBook, NSISDropper | 74.208.236.78
ONEANDONE-ASBrauerstrasse48DE | PI-_8945001-10-11-2023.exe | malicious | FormBook, NSISDropper | 74.208.236.78
ONEANDONE-ASBrauerstrasse48DE | yWVLQIrdCC.elf | malicious | Mirai | 195.20.246.125
ONEANDONE-ASBrauerstrasse48DE | BEM00263.docx | malicious | FormBook | 217.160.0.131
ONEANDONE-ASBrauerstrasse48DE | DHL_Receipt_#893915078.exe | malicious | FormBook | 217.160.0.118
ONEANDONE-ASBrauerstrasse48DE | Qte2311.exe | malicious | FormBook | 217.160.0.131
ONEANDONE-ASBrauerstrasse48DE | 1.exe | malicious | FormBook | 217.160.0.167
ONEANDONE-ASBrauerstrasse48DE | G7DyaA9iz9.exe | malicious | Pushdo | 74.208.215.145
ONEANDONE-ASBrauerstrasse48DE | 009c487a.exe | malicious | FormBook | 217.160.0.131
ONEANDONE-ASBrauerstrasse48DE | S00989282313413.exe | malicious | FormBook | 74.208.239.72
ONEANDONE-ASBrauerstrasse48DE | Maersk_K22TSI714881.exe | malicious | FormBook | 217.160.0.118
ONEANDONE-ASBrauerstrasse48DE | S00989282313413.exe | malicious | FormBook | 74.208.239.72
ONEANDONE-ASBrauerstrasse48DE | S00989282313413.exe | malicious | FormBook | 74.208.239.72
ONEANDONE-ASBrauerstrasse48DE | S00989282313413.exe | malicious | FormBook | 74.208.239.72
ONEANDONE-ASBrauerstrasse48DE | S00989282313413.exe | malicious | FormBook | 74.208.239.72
No context
No context
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.220436500559913
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: WtRLqa6ZXn.exe
File size: 63'824 bytes
MD5: de237777518dc9c0b7a03c536746d878
SHA1: a357466573e35d634a119b7f2e7a8a18f5018811
SHA256: 23c6e8163646ba03c0a5c6dcdf0f0df5688ec4a91c8bd9b663888440254bc12f
SHA512: 40337a848a49487805dbb663313de888c967cb4392fe1c63311395a005b22633f603c8868d2bfbc05539844926072c80cd9dd4abfcb0786098e8e3e242d12067
SSDEEP: 1536:2mLuy2AtwhCC3P43iyGS5lzYAfQzf/3ma9cS3:2qJzC3Ki5ylUA4zf/3mocC
TLSH: 0853F105E4526CCDEBF68275A6650489E134CB524B033CE323E13DBA1D4EEC9A1B7626
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......p'..4F..4F..4F...I..6F...1..9F..4F...F......6F..R...5F..R...5F..R...5F..Rich4F..........................PE..L...+.We...........
Icon Hash: 00928e8e8686b000
Entrypoint: 0x401020
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x6557E72B [Fri Nov 17 22:20:27 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: f9e0f22dd6f41da7f3579c559466fbd0
Instruction (entrypoint disassembly)
push ebp
mov ebp, esp
call 00007F874089250Dh
push FFFFFFFFh
call dword ptr [00403038h]
mov eax, 00000001h
pop ebp
retn 0010h
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
sub esp, 20h
mov dword ptr [ebp-14h], 00000000h
mov dword ptr [ebp-20h], 0040313Ch
mov dword ptr [ebp-1Ch], 00403148h
mov dword ptr [ebp-18h], 00403154h
mov dword ptr [ebp-04h], 00000000h
jmp 00007F8740891B2Bh
mov eax, dword ptr [ebp-04h]
add eax, 01h
mov dword ptr [ebp-04h], eax
cmp dword ptr [ebp-04h], 03h
jnc 00007F8740891B90h
mov dword ptr [ebp-08h], FFFFFFFFh
mov dword ptr [ebp-0Ch], 00000000h
jmp 00007F8740891B2Bh
mov ecx, dword ptr [ebp-0Ch]
add ecx, 01h
mov dword ptr [ebp-0Ch], ecx
cmp dword ptr [ebp-0Ch], 03h
jnl 00007F8740891B3Fh
mov edx, dword ptr [ebp-04h]
mov eax, dword ptr [ebp+edx*4-20h]
push eax
call 00007F874089269Fh
add esp, 04h
mov dword ptr [ebp-08h], eax
cmp dword ptr [ebp-08h], FFFFFFFFh
je 00007F8740891B24h
jmp 00007F8740891B24h
jmp 00007F8740891AF6h
cmp dword ptr [ebp-08h], FFFFFFFFh
je 00007F8740891B4Ch
push 00000019h
mov ecx, dword ptr [ebp-08h]
push ecx
call 00007F8740891BCEh
add esp, 08h
mov dword ptr [ebp-10h], eax
cmp dword ptr [ebp-10h], FFFFFFFFh
je 00007F8740891B35h
mov edx, dword ptr [ebp-10h]
push edx
call dword ptr [004030ACh]
mov dword ptr [ebp-14h], 00000001h
jmp 00007F8740891B24h
jmp 00007F8740891AA5h
Programming Language:
  • [EXP] VS2012 UPD4 build 61030
  • [RES] VS2012 UPD4 build 61030
  • [LNK] VS2012 UPD4 build 61030
                                                NameVirtual AddressVirtual Size Is in Section
                                                IMAGE_DIRECTORY_ENTRY_EXPORT0x37a00x49.rdata
                                                IMAGE_DIRECTORY_ENTRY_IMPORT0x34140xa0.rdata
                                                IMAGE_DIRECTORY_ENTRY_RESOURCE0x50000x1e0.rsrc
                                                IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                IMAGE_DIRECTORY_ENTRY_BASERELOC0x60000x1d0.reloc
                                                IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                IMAGE_DIRECTORY_ENTRY_IAT0x30000xc4.rdata
                                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0
                                                 Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type                             Entropy              Characteristics
                                                 .text   0x1000           0x1fe0        0x2000    False     0.525390625      data                                  5.955345217509494    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                 .rdata  0x3000           0x7e9         0x800     False     0.4580078125     data                                  5.233547677908448    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                 .data   0x4000           0xa8          0x200     False     0.033203125      DOS executable (block device driver)  0.06591441234324169  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                 .rsrc   0x5000           0x1e0         0x200     False     0.525390625      data                                  4.696122618599126    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                 .reloc  0x6000           0x44a         0x600     False     0.30859375       data                                  2.7348987790512544   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
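The section and data-directory columns above (virtual address, raw size, entropy, ZLIB complexity, "Is in Section") can be recomputed from the PE headers without any sandbox. The Python below is an added example, not Joe Sandbox code and not anything from the sample: it walks a PE32 header, maps each data directory RVA to the section that contains it, and computes per-section Shannon entropy and a zlib compression ratio. It runs on a small two-section PE32 image constructed inline (the constructed image, its section names and its directory values are assumptions chosen for the demonstration); the directory-name list follows the order of the table above, and the "Xored PE" column is not reproduced.

```python
"""Added example (not Joe Sandbox code and not from the sample): walk a PE32
header the way the section and data-directory tables above were produced.
It maps each data directory RVA to the section that contains it and computes
per-section Shannon entropy and a zlib compression ratio. The input is a small
two-section PE32 image constructed inline; PE32+ (0x20b) is deliberately rejected."""
import math
import random
import struct
import zlib
from typing import Dict, List, Optional

# Data directory order as in the report's table (IMAGE_DIRECTORY_ENTRY_*).
DIRECTORY_NAMES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY",
                   "BASERELOC", "DEBUG", "COPYRIGHT", "GLOBALPTR", "TLS",
                   "LOAD_CONFIG", "BOUND_IMPORT", "IAT", "DELAY_IMPORT",
                   "COM_DESCRIPTOR", "RESERVED"]
IMAGE_FILE_32BIT_MACHINE = 0x0100

def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 to 8.0; the report's 'Entropy' column."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def zlib_complexity(data: bytes) -> float:
    """Compressed size over raw size; near 1.0 means incompressible (packed or encrypted)."""
    return len(zlib.compress(data, 9)) / len(data) if data else 0.0

def section_for_rva(sections: List[Dict], rva: int) -> Optional[str]:
    """Name of the section whose virtual range contains rva (the 'Is in Section' column)."""
    for s in sections:
        span = max(s["virtual_size"], s["raw_size"])
        if s["virtual_address"] <= rva < s["virtual_address"] + span:
            return s["name"]
    return None

def parse_pe(data: bytes) -> Dict:
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 optional headers (magic 0x10b) are handled")
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]   # NumberOfRvaAndSizes
    sec_off = opt + opt_size
    sections = []
    for i in range(nsec):
        (name, vsize, va, rawsize, rawptr,
         _, _, _, _, sc) = struct.unpack_from("<8sIIIIIIHHI", data, sec_off + 40 * i)
        raw = data[rawptr:rawptr + rawsize]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_address": va, "virtual_size": vsize,
                         "raw_size": rawsize, "characteristics": sc,
                         "entropy": shannon_entropy(raw),
                         "zlib_complexity": zlib_complexity(raw)})
    directories = []
    for i in range(min(ndirs, 16)):                        # directories start at +96 in PE32
        rva, size = struct.unpack_from("<II", data, opt + 96 + 8 * i)
        directories.append({"name": "IMAGE_DIRECTORY_ENTRY_" + DIRECTORY_NAMES[i],
                            "rva": rva, "size": size,
                            "section": section_for_rva(sections, rva) if rva else None})
    return {"machine": machine, "is_32bit": bool(chars & IMAGE_FILE_32BIT_MACHINE),
            "sections": sections, "directories": directories}

def build_sample_pe() -> bytes:
    """Constructed two-section PE32 image used as offline input (not the analysed sample)."""
    rng = random.Random(1)
    text = bytes(rng.getrandbits(8) for _ in range(0x200))     # high-entropy stand-in for code
    data_sec = b"\x01\x02\x03\x04" + b"\0" * (0x200 - 4)         # near-empty data section
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, 0x1000)                     # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)  # ImageBase, alignments
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * 1, 0x2000, 0x40)      # IMPORT directory in .data
    struct.pack_into("<II", opt, 96 + 8 * 12, 0x2040, 0x10)     # IAT in .data
    def sec(name, vsize, va, rawsize, rawptr, ch):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, ch)
    headers = (dos + b"PE\0\0" + file_hdr + bytes(opt)
               + sec(b".text", 0x200, 0x1000, 0x200, 0x400, 0x60000020)
               + sec(b".data", 0x200, 0x2000, 0x200, 0x600, 0xC0000040))
    return headers.ljust(0x400, b"\0") + text + data_sec

if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    for s in info["sections"]:
        print(f"{s['name']:8} va={s['virtual_address']:#x} entropy={s['entropy']:.2f} "
              f"zlib={s['zlib_complexity']:.3f}")
    for d in info["directories"]:
        if d["rva"]:
            print(f"{d['name']:36} {d['rva']:#x} {d['size']:#x} {d['section']}")
```

Read the two numeric columns together: a section with entropy close to 8 and a zlib ratio close to 1.0 is packed or encrypted, while the 5.96 / 0.53 pair reported for this sample's .text is what ordinary unpacked compiled code looks like. The parser raises on PE32+ rather than silently reading the wrong offsets, since the data directories sit 16 bytes later in a 64-bit optional header.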
                                                 Name         RVA     Size   Type                                                      Language  Country        ZLIB Complexity
                                                 RT_MANIFEST  0x5060  0x17d  XML 1.0 document, ASCII text, with CRLF line terminators  English   United States  0.5931758530183727
                                                 DLL           Imports
                                                 WS2_32.dll    socket, setsockopt, send, select, gethostbyname, WSAStartup, recv, inet_addr, connect, htons, closesocket
                                                 DNSAPI.dll    DnsQuery_A, DnsFree
                                                 KERNEL32.dll  GetComputerNameA, InterlockedExchange, GetTempPathA, lstrlenA, lstrcatA, lstrcpyA, GetWindowsDirectoryA, GetVolumeInformationA, SetEvent, Sleep, CreateThread, FindClose, FindFirstFileA, CloseHandle, GetLastError, HeapAlloc, HeapFree, GetProcessHeap, CreateEventW, WaitForSingleObject, CreateMutexA, lstrcmpiA
                                                 USER32.dll    wsprintfA
                                                 ADVAPI32.dll  GetUserNameA
                                                 ntdll.dll     memcpy, memcmp, _chkstk
                                                 SHLWAPI.dll   StrToIntA, StrStrIA
                                                 Name      Ordinal  Address
                                                 DllEntry  1        0x401000
                                                 Language of compilation system  Country where language is spoken
                                                 English                         United States
                                                No network behavior found


                                                 Target ID: 0
                                                 Start time: 18:54:04
                                                 Start date: 26/11/2023
                                                 Path: C:\Users\user\Desktop\WtRLqa6ZXn.exe
                                                 Wow64 process (32bit): true
                                                 Commandline: C:\Users\user\Desktop\WtRLqa6ZXn.exe
                                                 Imagebase: 0x840000
                                                 File size: 63'824 bytes
                                                 MD5 hash: DE237777518DC9C0B7A03C536746D878
                                                 Has elevated privileges: true
                                                 Has administrator privileges: true
                                                 Programmed in: C, C++ or other language
                                                 Reputation: low
                                                 Has exited: false


                                                  Execution Graph

                                                  Execution Coverage:45.6%
                                                  Dynamic/Decrypted Code Coverage:0%
                                                  Signature Coverage:16%
                                                  Total number of Nodes:244
                                                  Total number of Limit Nodes:12
                                                   execution_graph (node and edge listing from the interactive graph; the raw dump is not reproduced). Reachable path: entry 0x841020 -> 0x841a10 (GetTempPathA, GetVolumeInformationA, lstrcpyA, WSAStartup, wsprintfA, GetLastError, CloseHandle) -> CreateThread -> 0x841540, the connect and dispatch loop. 0x841540 calls 0x841360 (GetTempPathA, GetVolumeInformationA, GetComputerNameA, GetUserNameA) and 0x841300 (GetWindowsDirectoryA, FindFirstFileA, FindClose) to collect host identifiers, then CreateEventW, CreateThread -> 0x841d60 (Sleep, send, closesocket, InterlockedExchange, WaitForSingleObject), lstrcmpiA, Sleep-based retries, 0x841bc0 (inet_addr, gethostbyname), 0x841170 (socket, htons, connect, closesocket), setsockopt, 0x841b70 (recv loop), 0x841cd0 (send), GetProcessHeap/HeapAlloc and CreateThread -> 0x8421d0 (_chkstk) per connection. 0x8421d0 reads with recv and dispatches to 0x842ca0 (recv, send, 0x842b00 wsprintfA/send/recv, memcmp), 0x842a20 (recv, htons, 0x841170, send), 0x842800 (0x841490 StrStrIA/recv, 0x842710 wsprintfA/StrStrIA/memcmp/lstrcpyA, 0x8424a0 memcpy/StrStrIA/lstrcatA/StrToIntA, send), 0x841e50 (select, recv, send) and 0x842620 (0x841490, 0x8424a0, 0x841bc0, 0x841170, send, lstrlenA); each connection ends with closesocket and GetProcessHeap/HeapFree.


                                                   Control-flow Graph: sub_841540 (basic blocks 0x841540-0x841a02; the block listing and the executed/not-executed colouring of the interactive view are not reproduced)
                                                  APIs
                                                    • Part of subcall function 00841360: GetTempPathA.KERNEL32(00000105,?), ref: 0084137C
                                                    • Part of subcall function 00841360: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 008413B1
                                                    • Part of subcall function 00841360: GetComputerNameA.KERNEL32(00000000,00000105), ref: 008413D8
                                                    • Part of subcall function 00841360: GetUserNameA.ADVAPI32(00000000,00000105), ref: 00841427
                                                    • Part of subcall function 00841300: GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0084131C
                                                    • Part of subcall function 00841300: FindFirstFileA.KERNELBASE(?,?), ref: 00841334
                                                    • Part of subcall function 00841300: FindClose.KERNEL32(000000FF), ref: 00841347
                                                  • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 0084159C
                                                  • CreateThread.KERNELBASE(00000000,00000000,00841D60,00000000,00000000,00000000), ref: 008415C3
                                                  • CloseHandle.KERNEL32(00000000), ref: 008415DA
                                                  • lstrcmpiA.KERNEL32(00844028,00844068), ref: 00841607
                                                  • Sleep.KERNEL32(00002710), ref: 00841647 (0x2710 = 10,000 ms)
                                                    • Part of subcall function 00841BC0: inet_addr.WS2_32(00841686), ref: 00841BD1
                                                    • Part of subcall function 00841BC0: gethostbyname.WS2_32(00841686), ref: 00841BE4
                                                  • Sleep.KERNEL32(00002710), ref: 00841699 (0x2710 = 10,000 ms)
                                                  • Sleep.KERNEL32(00001388), ref: 008416D2 (0x1388 = 5,000 ms)
                                                  • Sleep.KERNEL32(00001388), ref: 00841733 (0x1388 = 5,000 ms)
                                                  • setsockopt.WS2_32(?,0000FFFF,00001006,0001D4C0,00000004), ref: 00841759 (level 0xFFFF = SOL_SOCKET, option 0x1006 = SO_RCVTIMEO, value 0x1D4C0 = 120,000 ms receive timeout)
                                                  • closesocket.WS2_32(?), ref: 0084182F
                                                  • GetProcessHeap.KERNEL32(00000000,0000001C), ref: 00841865
                                                  • HeapAlloc.KERNEL32(00000000), ref: 0084186C
                                                  • CreateThread.KERNELBASE(00000000,00000000,008421D0,00000000,00000000,00000000), ref: 008418F2
                                                  • FindCloseChangeNotification.KERNELBASE(00000000), ref: 00841905
                                                  • SetEvent.KERNEL32(?), ref: 008419D8
                                                    • Part of subcall function 00841CD0: send.WS2_32(00000000,00000000,0000001A,00000000), ref: 00841D03
                                                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00841925
                                                  • HeapFree.KERNEL32(00000000), ref: 0084192C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3395913884.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                  • Associated: 00000000.00000002.3395898852.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3395977393.0000000000843000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3395990553.0000000000845000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_840000_WtRLqa6ZXn.jbxd
                                                  Similarity
                                                  • API ID: HeapSleep$CloseCreateFind$EventNameProcessThread$AllocChangeComputerDirectoryFileFirstFreeHandleInformationNotificationPathTempUserVolumeWindowsclosesocketgethostbynameinet_addrlstrcmpisendsetsockopt
                                                  • String ID: x$x
                                                  • API String ID: 2795221928-177600594
                                                  • Opcode ID: 8fbe15bce8e0697200c27b32b11417c7f5f26f59bc295924b9144af508956366
                                                  • Instruction ID: 9f532ecf4bdda7a65825dc6805a779b78b0380fff9a83fe61aa9c3ec4570d1f1
                                                  • Opcode Fuzzy Hash: 8fbe15bce8e0697200c27b32b11417c7f5f26f59bc295924b9144af508956366
                                                  • Instruction Fuzzy Hash: 7AD1AC78E0060CEBDF24CFA4E849BADBB70FB45305F144229E612E7391E7789A95CB51
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                   Control-flow Graph: sub_841490 (basic blocks 0x841490-0x841532; the block listing and the executed/not-executed colouring of the interactive view are not reproduced)
                                                  APIs
                                                  • StrStrIA.SHLWAPI(00000000,), ref: 008414A6
                                                  • recv.WS2_32(00000000,?,FFFFFFFF,00000000), ref: 008414E2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3395913884.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                  • Associated: 00000000.00000002.3395898852.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3395977393.0000000000843000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3395990553.0000000000845000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_840000_WtRLqa6ZXn.jbxd
                                                  Similarity
                                                  • API ID: recv
                                                  • String ID: $
                                                  • API String ID: 1507349165-3624791563
                                                  • Opcode ID: f5a40738f81c2b0b877e08161b1dc4c3ff7e26215a1867e51de19bc6bd643ff7
                                                  • Instruction ID: 9440d01336115c854d0b05430bccd3178ddbf03fc1a91f4cbbbfa332689daa98
                                                  • Opcode Fuzzy Hash: f5a40738f81c2b0b877e08161b1dc4c3ff7e26215a1867e51de19bc6bd643ff7
                                                  • Instruction Fuzzy Hash: 6711C375A0424CEBDF04DFA8D948BAEBBB5FB89304F208599A816D7380D774DA80DB54
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                   Control-flow Graph: sub_841360 (basic blocks 0x841360-0x841464; the block listing and the executed/not-executed colouring of the interactive view are not reproduced)
                                                  APIs
                                                  • GetTempPathA.KERNEL32(00000105,?), ref: 0084137C
                                                  • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 008413B1
                                                  • GetComputerNameA.KERNEL32(00000000,00000105), ref: 008413D8
                                                  • GetUserNameA.ADVAPI32(00000000,00000105), ref: 00841427
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3395913884.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                  • Associated: 00000000.00000002.3395898852.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3395977393.0000000000843000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3395990553.0000000000845000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_840000_WtRLqa6ZXn.jbxd
                                                  Similarity
                                                  • API ID: Name$ComputerInformationPathTempUserVolume
                                                  • String ID:
                                                  • API String ID: 3941947965-0
                                                  • Opcode ID: 46a41bd1a72dbd95f71f1e6ce9a026230bc4d7f5553a8e2d3a906d52331a7578
                                                  • Instruction ID: 646d10104c710428607307816a708f8ceb0cc35464663b683326a05693d5b568
                                                  • Opcode Fuzzy Hash: 46a41bd1a72dbd95f71f1e6ce9a026230bc4d7f5553a8e2d3a906d52331a7578
                                                  • Instruction Fuzzy Hash: 3E310A70A0021DEBDF18CF90C949BEDBBB9FB41705F208199D615AA280EB759B84DF94
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                   Control-flow Graph: sub_841300 (basic blocks 0x841300-0x84135c; the block listing and the executed/not-executed colouring of the interactive view are not reproduced)
                                                  APIs
                                                  • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0084131C
                                                  • FindFirstFileA.KERNELBASE(?,?), ref: 00841334
                                                  • FindClose.KERNEL32(000000FF), ref: 00841347
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3395913884.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                  • Associated: 00000000.00000002.3395898852.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3395977393.0000000000843000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3395990553.0000000000845000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_840000_WtRLqa6ZXn.jbxd
                                                  Similarity
                                                  • API ID: Find$CloseDirectoryFileFirstWindows
                                                  • String ID:
                                                  • API String ID: 2671548583-0
                                                  • Opcode ID: eb3806b1f3eeda7201857ee2412f257c61ceeeddf7bee04db62eb67b604c12b2
                                                  • Instruction ID: 853f5f40b6ab73e2d5023fee921305c61f1580060fc2c4ae1f0194c8362359d9
                                                  • Opcode Fuzzy Hash: eb3806b1f3eeda7201857ee2412f257c61ceeeddf7bee04db62eb67b604c12b2
                                                  • Instruction Fuzzy Hash: 2BF0DA79D01208EBCB10DFA4D94CADDBB78FB09710F104299E519A3290D7745B84CF54
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                   Control-flow Graph: sub_842800 (basic blocks 0x842800-0x842a12; the block listing and the executed/not-executed colouring of the interactive view are not reproduced)
                                                  APIs
                                                  • _chkstk.NTDLL(?,008423C6,?,?,?,?), ref: 00842808
                                                    • Part of subcall function 00841490: StrStrIA.SHLWAPI(00000000,), ref: 008414A6
                                                  • send.WS2_32(?,HTTP/1.0 400 Bad Request\r\nContent-Length: 15\r\n\r\n400 Bad Request,0000003F,00000000), ref: 00842843
                                                  • send.WS2_32(?,HTTP/1.1 407 Proxy Authentication Required\r\nProxy-Authenticate: Basic realm="Proxy"\r\nContent-Length: 33\r\n\r\n407 Proxy Authentication Required,0000008C,00000000), ref: 0084287E
                                                  Strings
                                                  • HTTP/1.0 502 Bad Gateway\r\nContent-Length: 15\r\n\r\n502 Bad Gateway, xrefs: 00842981
                                                  • HTTP/1.1 200 OK, xrefs: 008429D4
                                                  • HTTP/1.0 502 Bad Gateway\r\nContent-Length: 15\r\n\r\n502 Bad Gateway, xrefs: 008429B3
                                                  • HTTP/1.0 400 Bad Request\r\nContent-Length: 15\r\n\r\n400 Bad Request, xrefs: 0084283A
                                                  • HTTP/1.1 407 Proxy Authentication Required\r\nProxy-Authenticate: Basic realm="Proxy"\r\nContent-Length: 33\r\n\r\n407 Proxy Authentication Required, xrefs: 00842875
                                                  • HTTP/1.0 400 Bad Request\r\nContent-Length: 15\r\n\r\n400 Bad Request, xrefs: 00842951
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3395913884.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                  • Associated: 00000000.00000002.3395898852.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3395977393.0000000000843000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3395990553.0000000000845000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_840000_WtRLqa6ZXn.jbxd
                                                  Similarity
                                                  • API ID: send$_chkstk
                                                  • String ID: HTTP/1.0 400 Bad RequestContent-Length: 15400 Bad Request$HTTP/1.0 400 Bad RequestContent-Length: 15400 Bad Request$HTTP/1.0 502 Bad GatewayContent-Length: 15502 Bad Gateway$HTTP/1.0 502 Bad GatewayContent-Length: 15502 Bad Gateway$HTTP/1.1 200 OK$HTTP/1.1 407 Proxy Authentication RequiredProxy-Authenticate: Basic realm="Proxy"Content-Length: 33407 Proxy Authentication Required
                                                  • API String ID: 1661165017-3437031791
                                                  • Opcode ID: 3bbb8e7f259e2c0995969b2c08ed553180a5cdb1c325b94dd6fe7208601ab8ab
                                                  • Instruction ID: fb346b8809be8120f127d30451e51b123df4aa863e277f7822420bf66c5f89d0
                                                  • Opcode Fuzzy Hash: 3bbb8e7f259e2c0995969b2c08ed553180a5cdb1c325b94dd6fe7208601ab8ab
                                                  • Instruction Fuzzy Hash: 19517B7490424CABDB14CFA4DC49BEEBBB4FB08710F508658F621EB2C0D7B49A44CB90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph (function at 841a10; graph image with executed / not-executed block colouring not reproduced)
                                                  APIs
                                                  • GetTempPathA.KERNEL32(00000104,?), ref: 00841A2C
                                                  • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00841A62
                                                  • lstrcpyA.KERNEL32(00844028,kilo-torrent.org), ref: 00841AAC
                                                  • lstrcpyA.KERNEL32(00844068,kilo-torrent.org), ref: 00841ABC
                                                  • WSAStartup.WS2_32(00000202,?), ref: 00841ACE
                                                  • wsprintfA.USER32 ref: 00841AEB
                                                  • CreateMutexA.KERNELBASE(00000000,00000000,?), ref: 00841AFC
                                                  • GetLastError.KERNEL32 ref: 00841B0B
                                                  • CloseHandle.KERNEL32(00000000), ref: 00841B1C
                                                  • CreateThread.KERNELBASE(00000000,00000000,00841540,00000000,00000000,00000000), ref: 00841B3E
                                                  • FindCloseChangeNotification.KERNELBASE(00000000), ref: 00841B51
                                                  • CloseHandle.KERNEL32(00000000), ref: 00841B62
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3395913884.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                  • Associated: 00000000.00000002.3395898852.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3395977393.0000000000843000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3395990553.0000000000845000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_840000_WtRLqa6ZXn.jbxd
                                                  Similarity
                                                  • API ID: Close$CreateHandlelstrcpy$ChangeErrorFindInformationLastMutexNotificationPathStartupTempThreadVolumewsprintf
                                                  • String ID: Global\%s$kilo-torrent.org$kilo-torrent.org$p/#v
                                                  • API String ID: 3278163433-1876745359
                                                  • Opcode ID: 5c6a4e5af6e8241291a5a19938ad6a9a7dc98f5d192e10f1d08cc79dc9393288
                                                  • Instruction ID: 54417d5bf6b82354a1d62ad2e93103f80173c65e2498faad4fecf4058cbb6d63
                                                  • Opcode Fuzzy Hash: 5c6a4e5af6e8241291a5a19938ad6a9a7dc98f5d192e10f1d08cc79dc9393288
                                                  • Instruction Fuzzy Hash: B0413B78A4070CEBEB20DFA0EC4DBADB774FB44701F204559E605A62D0D7B95B84CB61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph (function at 8421d0; graph image with executed / not-executed block colouring not reproduced)
                                                  APIs
                                                  • _chkstk.NTDLL ref: 008421D8
                                                  • recv.WS2_32(?,?,00000001,00000002), ref: 0084227E
                                                    • Part of subcall function 00841170: socket.WS2_32(00000002,00000001,00000006), ref: 00841183
                                                    • Part of subcall function 00841170: htons.WS2_32(00841714), ref: 008411A6
                                                    • Part of subcall function 00841170: connect.WS2_32(000000FF,?,00000010), ref: 008411BA
                                                    • Part of subcall function 00841170: closesocket.WS2_32(000000FF), ref: 008411C9
                                                  • closesocket.WS2_32(?), ref: 00842415
                                                    • Part of subcall function 00842CA0: recv.WS2_32(?,?,00000001,00000000), ref: 00842CBC
                                                  • closesocket.WS2_32(000000FF), ref: 0084235A
                                                    • Part of subcall function 00842800: _chkstk.NTDLL(?,008423C6,?,?,?,?), ref: 00842808
                                                    • Part of subcall function 00842800: send.WS2_32(?,HTTP/1.0 400 Bad RequestContent-Length: 15400 Bad Request,0000003F,00000000), ref: 00842843
                                                    • Part of subcall function 00841E50: select.WS2_32(00000000,00000002,00000000,00000000,00000002), ref: 00841EB3
                                                    • Part of subcall function 00841E50: recv.WS2_32(00000000,00000002,00001000,00000000), ref: 00841EE3
                                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 00842421
                                                  • HeapFree.KERNEL32(00000000), ref: 00842428
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3395913884.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                  • Associated: 00000000.00000002.3395898852.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3395977393.0000000000843000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3395990553.0000000000845000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_840000_WtRLqa6ZXn.jbxd
                                                  Similarity
                                                  • API ID: closesocketrecv$Heap_chkstk$FreeProcessconnecthtonsselectsendsocket
                                                  • String ID: L
                                                  • API String ID: 3825173158-2909332022
                                                  • Opcode ID: f6b9ec846c889c7528c7005a5fb0096614c759dcb33c744fa36e122ed8896b61
                                                  • Instruction ID: 56d945c8bcf2c6377c745c863f77ed0e740bddaafe876d7ac74c19f2fa9b2573
                                                  • Opcode Fuzzy Hash: f6b9ec846c889c7528c7005a5fb0096614c759dcb33c744fa36e122ed8896b61
                                                  • Instruction Fuzzy Hash: 8D71A1B5D0821CABCB04CF98D894AFEBBB5FF48300F548159F955EB251D239DA81CBA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph (function at 841e50; graph image with executed / not-executed block colouring not reproduced)
                                                  APIs
                                                  • select.WS2_32(00000000,00000002,00000000,00000000,00000002), ref: 00841EB3
                                                  • recv.WS2_32(00000000,00000002,00001000,00000000), ref: 00841EE3
                                                  • send.WS2_32(?,00000002,00000000,00000000), ref: 00841F28
                                                  • recv.WS2_32(?,00000002,00001000,00000000), ref: 00841F54
                                                  • send.WS2_32(00000000,00000002,00000000,00000000), ref: 00841F75
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3395913884.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                  • Associated: 00000000.00000002.3395898852.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3395977393.0000000000843000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3395990553.0000000000845000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_840000_WtRLqa6ZXn.jbxd
                                                  Similarity
                                                  • API ID: recvsend$select
                                                  • String ID: GET $POST
                                                  • API String ID: 1492468295-2494278042
                                                  • Opcode ID: 115e88ccffae3bbc3d72bf6f2b4fd4482ea4aefdf39a0e7cc209c4b166f87b61
                                                  • Instruction ID: 404bae8b3df387abadf162f74cd78e8e637af1123cd5a4b9687b21f587d80df6
                                                  • Opcode Fuzzy Hash: 115e88ccffae3bbc3d72bf6f2b4fd4482ea4aefdf39a0e7cc209c4b166f87b61
                                                  • Instruction Fuzzy Hash: 09311A7560020CABDF18CF94CC59BEA77B4FB48744F108558FA15DB280D7B0EA85CBA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph (function at 842ca0; graph image with executed / not-executed block colouring not reproduced)
                                                  APIs
                                                  • recv.WS2_32(?,?,00000001,00000000), ref: 00842CBC
                                                  • recv.WS2_32(?,?,00000001,00000000), ref: 00842CDB
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3395913884.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                  • Associated: 00000000.00000002.3395898852.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3395977393.0000000000843000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3395990553.0000000000845000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_840000_WtRLqa6ZXn.jbxd
                                                  Similarity
                                                  • API ID: recv
                                                  • String ID:
                                                  • API String ID: 1507349165-0
                                                  • Opcode ID: e53bc39a7b989b0e476a7bcc51115ab7ae1f0a3a58593bea5f649eb0d78e7b78
                                                  • Instruction ID: 5dac1494a45aad07e962c02735ea38934a1d22fab09786e1816cf397fa4beb82
                                                  • Opcode Fuzzy Hash: e53bc39a7b989b0e476a7bcc51115ab7ae1f0a3a58593bea5f649eb0d78e7b78
                                                  • Instruction Fuzzy Hash: 7081F174D0824D9ADB14CFA8C8947EEBBB1FF45314F608369F525E62C0D7B98A85CB90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph (function at 841c20; graph image with executed / not-executed block colouring not reproduced)
                                                  APIs
                                                  • DnsQuery_A.DNSAPI(FFFFFFFF,0000000F,00000000,00000000,YAhoO.Com,00000000), ref: 00841C3D
                                                    • Part of subcall function 008410F0: lstrcmpiA.KERNEL32(00000000,?), ref: 0084113C
                                                  • DnsQuery_A.DNSAPI(00000000,00000001,00000000,00000000,?,00000000), ref: 00841C86
                                                  • DnsFree.DNSAPI(?,00000001), ref: 00841CAA
                                                  • DnsFree.DNSAPI(YAhoO.Com,00000001), ref: 00841CB5
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3395913884.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                  • Associated: 00000000.00000002.3395898852.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3395977393.0000000000843000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3395990553.0000000000845000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_840000_WtRLqa6ZXn.jbxd
                                                  Similarity
                                                  • API ID: FreeQuery_$lstrcmpi
                                                  • String ID: YAhoO.Com
                                                  • API String ID: 2851467242-2780876924
                                                  • Opcode ID: ce8a9f922c182fa40823506e09d3f57a0c6a2ba49647d3fb36a062ee904a83c9
                                                  • Instruction ID: 8a1471e8bcdd5d16594c00ef3ba72abc0fbdc8272b21e3c2e7875ab8f5d50d79
                                                  • Opcode Fuzzy Hash: ce8a9f922c182fa40823506e09d3f57a0c6a2ba49647d3fb36a062ee904a83c9
                                                  • Instruction Fuzzy Hash: 85110D74E40308BBDB14DBA4CC85BADB375FB54710F604698FA10AB2C1DB71AE80D791
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph (function at 841040; graph image with executed / not-executed block colouring not reproduced)
                                                  APIs
                                                  • closesocket.WS2_32(000000FF), ref: 008410D7
                                                    • Part of subcall function 00841C20: DnsQuery_A.DNSAPI(FFFFFFFF,0000000F,00000000,00000000,YAhoO.Com,00000000), ref: 00841C3D
                                                    • Part of subcall function 00841C20: DnsQuery_A.DNSAPI(00000000,00000001,00000000,00000000,?,00000000), ref: 00841C86
                                                    • Part of subcall function 00841C20: DnsFree.DNSAPI(?,00000001), ref: 00841CAA
                                                    • Part of subcall function 00841C20: DnsFree.DNSAPI(YAhoO.Com,00000001), ref: 00841CB5
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3395913884.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                  • Associated: 00000000.00000002.3395898852.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3395977393.0000000000843000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3395990553.0000000000845000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_840000_WtRLqa6ZXn.jbxd
                                                  Similarity
                                                  • API ID: FreeQuery_$closesocket
                                                  • String ID: GMaIl.cOM$HOtMaIl.cOM$YAhoO.Com
                                                  • API String ID: 872820492-1204038948
                                                  • Opcode ID: d0d2818c68e4cf9d69f70f14b62e4b5dd070230d8cfda6ad2dff691daeb69449
                                                  • Instruction ID: 66dacd44e9647a22a3ace20c90562b6b8ed577e2a84273d01e318f9f3f357aae
                                                  • Opcode Fuzzy Hash: d0d2818c68e4cf9d69f70f14b62e4b5dd070230d8cfda6ad2dff691daeb69449
                                                  • Instruction Fuzzy Hash: 071103B0D0464DEBCF10DFE4D9486ADBBB0FB05318F208259D521A6280D3755AD9DF92
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph (function at 841170; graph image with executed / not-executed block colouring not reproduced)
                                                  APIs
                                                  • socket.WS2_32(00000002,00000001,00000006), ref: 00841183
                                                  • htons.WS2_32(00841714), ref: 008411A6
                                                  • connect.WS2_32(000000FF,?,00000010), ref: 008411BA
                                                  • closesocket.WS2_32(000000FF), ref: 008411C9
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3395913884.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                  • Associated: 00000000.00000002.3395898852.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3395977393.0000000000843000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3395990553.0000000000845000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_840000_WtRLqa6ZXn.jbxd
                                                  Similarity
                                                  • API ID: closesocketconnecthtonssocket
                                                  • String ID:
                                                  • API String ID: 3817148366-0
                                                  • Opcode ID: 4bfdc8563acec2edca2b2cbc58b8988ae9482fbbd8b717c64759d15175991509
                                                  • Instruction ID: 0b2195abcf57dae1cbc881c5318ed4a855d043c38abbde386cf969a71c13b43a
                                                  • Opcode Fuzzy Hash: 4bfdc8563acec2edca2b2cbc58b8988ae9482fbbd8b717c64759d15175991509
                                                  • Instruction Fuzzy Hash: A3014B7890030CEBCB10DFA4DA49AADB775BF45320F204348EA25A72D0D7709B40EB51
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph (function at 841d60; graph image with executed / not-executed block colouring not reproduced)
                                                  APIs
                                                    • Part of subcall function 00841470: InterlockedExchange.KERNEL32(00844018,00841815), ref: 0084147B
                                                  • Sleep.KERNEL32(00000001), ref: 00841D89
                                                  • closesocket.WS2_32(?), ref: 00841DFB
                                                  • WaitForSingleObject.KERNEL32(?,?), ref: 00841E2E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3395913884.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                  • Associated: 00000000.00000002.3395898852.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3395977393.0000000000843000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.3395990553.0000000000845000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_840000_WtRLqa6ZXn.jbxd
                                                  Similarity
                                                  • API ID: ExchangeInterlockedObjectSingleSleepWaitclosesocket
                                                  • String ID:
                                                  • API String ID: 2788211337-0
                                                  • Opcode ID: 60bbb1528cf314d2642da9aecdc2255a9f1004ffc7d192549d0022d06808f530
                                                  • Instruction ID: 25a0af1f74cc6220cbccf973dbb51b33fa04b5f30e0ade43957881fbb3978bd9
                                                  • Opcode Fuzzy Hash: 60bbb1528cf314d2642da9aecdc2255a9f1004ffc7d192549d0022d06808f530
                                                  • Instruction Fuzzy Hash: 0911E1BDA00A08DBCB64DBA8FC49B693734FB16705F005219FA12D62D1F7714A64C7A6
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph (function at 842a20; graph image with executed / not-executed block colouring not reproduced)
                                                  APIs
                                                  • recv.WS2_32(0000004C,?,00000408,00000000), ref: 00842A42
                                                  • htons.WS2_32(00000000), ref: 00842A86
                                                    • Part of subcall function 00841170: socket.WS2_32(00000002,00000001,00000006), ref: 00841183
                                                    • Part of subcall function 00841170: htons.WS2_32(00841714), ref: 008411A6
                                                    • Part of subcall function 00841170: connect.WS2_32(000000FF,?,00000010), ref: 008411BA
                                                    • Part of subcall function 00841170: closesocket.WS2_32(000000FF), ref: 008411C9
                                                  • send.WS2_32(0000004C,?,00000008,00000000), ref: 00842AEA
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3395913884.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                  • Associated: 00000000.00000002.3395898852.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.3395977393.0000000000843000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.3395990553.0000000000845000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_840000_WtRLqa6ZXn.jbxd
                                                  Similarity
                                                  • API ID: htons$closesocketconnectrecvsendsocket
                                                  • String ID:
                                                  • API String ID: 4232559698-0
                                                  • Opcode ID: 9c785e6b6a123bba92d9f708809bec2a44bab41902e85ef902356d1e09ae508d
                                                  • Instruction ID: d9c7629d07657bb133597d14c2d1e750845833cc2c972894e80648bebb7d9046
                                                  • Opcode Fuzzy Hash: 9c785e6b6a123bba92d9f708809bec2a44bab41902e85ef902356d1e09ae508d
                                                  • Instruction Fuzzy Hash: 0521D3B090021CABDB24CF94D9487DD7B79FB84300F20C3B8EA15D76C1D2798A84CBA5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
APIs
• recv.WS2_32(?,?,00000104,00000000), ref: 00842DED
• send.WS2_32(?,00000007,00000006,00000000), ref: 00842F78
Memory Dump Source
• Source File: 00000000.00000002.3395913884.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000000.00000002.3395898852.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3395977393.0000000000843000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3395990553.0000000000845000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_840000_WtRLqa6ZXn.jbxd
Similarity
• API ID: recvsend
• String ID:
• API String ID: 740075404-0
• Opcode ID: f2f88feae238ac676c5721124704dea977beb3f88f80320ae9d7f92d8356d957
• Instruction ID: e5090afb6462e96513db521eb2702b90fb2c8a35e345f7dbb76cf71a82d957b0
• Opcode Fuzzy Hash: f2f88feae238ac676c5721124704dea977beb3f88f80320ae9d7f92d8356d957
• Instruction Fuzzy Hash: BC01F17490821CDADB10CB98D894BFEB3B0FB04314F604269FA1AD6680D7754AC5CB91
Uniqueness

Uniqueness Score: -1.00%

APIs
• inet_addr.WS2_32(00841686), ref: 00841BD1
• gethostbyname.WS2_32(00841686), ref: 00841BE4
Memory Dump Source
• Source File: 00000000.00000002.3395913884.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000000.00000002.3395898852.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3395977393.0000000000843000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3395990553.0000000000845000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_840000_WtRLqa6ZXn.jbxd
Similarity
• API ID: gethostbynameinet_addr
• String ID:
• API String ID: 1594361348-0
• Opcode ID: 7933b3fdd8854e2bc6dc93db63de84023f7bd7120a37b3354a4d6be7bf904828
• Instruction ID: 08c021ba266333869162fda7bfc4b53fa58a8f87e1dd8e9a5edcf165982cbb4f
• Opcode Fuzzy Hash: 7933b3fdd8854e2bc6dc93db63de84023f7bd7120a37b3354a4d6be7bf904828
• Instruction Fuzzy Hash: 68F0A978D00608EFCB14DFA8D58899DBBB6FF49321F20C2A9E915973A0D7309E80DB40
Uniqueness

Uniqueness Score: -1.00%

APIs
• closesocket.WS2_32(?), ref: 0084182F
  • Part of subcall function 00841D30: setsockopt.WS2_32(?,0000FFFF,00001006,?,00000004), ref: 00841D4E
• SetEvent.KERNEL32(?), ref: 008419D8
Memory Dump Source
• Source File: 00000000.00000002.3395913884.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000000.00000002.3395898852.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3395977393.0000000000843000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3395990553.0000000000845000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_840000_WtRLqa6ZXn.jbxd
Similarity
• API ID: Eventclosesocketsetsockopt
• String ID:
• API String ID: 2457749076-0
• Opcode ID: a7fdac0fbc6f6fe3a9db0366f0b37c3f6f57ccc7a5134502ef59047fdf0a2a24
• Instruction ID: 2627abbcb5ad19d48ae99c2106c99d221f263a36fe712a357e00f8405d279859
• Opcode Fuzzy Hash: a7fdac0fbc6f6fe3a9db0366f0b37c3f6f57ccc7a5134502ef59047fdf0a2a24
• Instruction Fuzzy Hash: 5011E374E0020C9BDF24CBD4E8697BDBF32FB46349F144029E202E6285E73599D0CB61
Uniqueness

Uniqueness Score: -1.00%

APIs
• htons.WS2_32(008422F7), ref: 00842F0F
• send.WS2_32(?,00000007,00000006,00000000), ref: 00842F78
Memory Dump Source
• Source File: 00000000.00000002.3395913884.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000000.00000002.3395898852.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3395977393.0000000000843000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3395990553.0000000000845000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_840000_WtRLqa6ZXn.jbxd
Similarity
• API ID: htonssend
• String ID:
• API String ID: 1592624528-0
• Opcode ID: c4c6673603800c561461990e149c8547f80fa0a6f63f30d5cf07bc86998bdfac
• Instruction ID: dc16ff81034b0e6184822745d26b2d2ce692f3d60d342a765b10eaf135f751e3
• Opcode Fuzzy Hash: c4c6673603800c561461990e149c8547f80fa0a6f63f30d5cf07bc86998bdfac
• Instruction Fuzzy Hash: 88F0967590815D86DB148B98D4547FE7770FB04314F6043A9F52AD67C0CA754EC6CB91
Uniqueness

Uniqueness Score: -1.00%

APIs
• recv.WS2_32(?,00000000,00000000,00000000), ref: 00841B99
Memory Dump Source
• Source File: 00000000.00000002.3395913884.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000000.00000002.3395898852.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3395977393.0000000000843000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3395990553.0000000000845000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_840000_WtRLqa6ZXn.jbxd
Similarity
• API ID: recv
• String ID:
• API String ID: 1507349165-0
• Opcode ID: efdcce615d388abfe68dfb3f557546d92a375889a76b3d5c65fdfb006678f373
• Instruction ID: 59572dd3870614cde045033da0fe019944fddf1ccd99dc1cd332305c0657aa2f
• Opcode Fuzzy Hash: efdcce615d388abfe68dfb3f557546d92a375889a76b3d5c65fdfb006678f373
• Instruction Fuzzy Hash: 05F0B775A0020CEFCF04DFA8C998B9DBBB5FF44315F208189E805A7640E730AB94DB91
Uniqueness

Uniqueness Score: -1.00%

APIs
• send.WS2_32(00000000,00000000,0000001A,00000000), ref: 00841D03
Memory Dump Source
• Source File: 00000000.00000002.3395913884.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000000.00000002.3395898852.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3395977393.0000000000843000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3395990553.0000000000845000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_840000_WtRLqa6ZXn.jbxd
Similarity
• API ID: send
• String ID:
• API String ID: 2809346765-0
• Opcode ID: 198bafbab4e362899014a92e122b7c34b5960aca5fe34c968309831c68c47d65
• Instruction ID: 4800dff36052c4375869387b72ea19558737f0727da37a85c6e9da92859373a4
• Opcode Fuzzy Hash: 198bafbab4e362899014a92e122b7c34b5960aca5fe34c968309831c68c47d65
• Instruction Fuzzy Hash: 56F0AFB4A00208EBDB10CF84C585B9DBBB5BB46314F20C288E9489B380C775EA85CB91
Uniqueness

Uniqueness Score: -1.00%

APIs
• htons.WS2_32(008422F7), ref: 00842F0F
• send.WS2_32(?,00000007,00000006,00000000), ref: 00842F78
Memory Dump Source
• Source File: 00000000.00000002.3395913884.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000000.00000002.3395898852.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3395977393.0000000000843000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3395990553.0000000000845000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_840000_WtRLqa6ZXn.jbxd
Similarity
• API ID: htonssend
• String ID:
• API String ID: 1592624528-0
• Opcode ID: f53764a37ea947cc92510eea96b6c80cd9757c74d422724e7e8b1b3f576939cb
• Instruction ID: 05802ccc91a3556b62056867952bb12e3c8530aff81b645b83d671b32fb59f8e
• Opcode Fuzzy Hash: f53764a37ea947cc92510eea96b6c80cd9757c74d422724e7e8b1b3f576939cb
• Instruction Fuzzy Hash: ECF02B3190850C87DB20CB48E890BFE73B0FB04310FA083A9F51AD66C0CA358ECACB90
Uniqueness

Uniqueness Score: -1.00%

APIs
• htons.WS2_32(008422F7), ref: 00842F0F
• send.WS2_32(?,00000007,00000006,00000000), ref: 00842F78
Memory Dump Source
• Source File: 00000000.00000002.3395913884.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000000.00000002.3395898852.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3395977393.0000000000843000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3395990553.0000000000845000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_840000_WtRLqa6ZXn.jbxd
Similarity
• API ID: htonssend
• String ID:
• API String ID: 1592624528-0
• Opcode ID: e5f647e441961ecaf5f24884de5e36644a94344b1f063f8c3de00561086945a4
• Instruction ID: 05802ccc91a3556b62056867952bb12e3c8530aff81b645b83d671b32fb59f8e
• Opcode Fuzzy Hash: e5f647e441961ecaf5f24884de5e36644a94344b1f063f8c3de00561086945a4
• Instruction Fuzzy Hash: ECF02B3190850C87DB20CB48E890BFE73B0FB04310FA083A9F51AD66C0CA358ECACB90
Uniqueness

Uniqueness Score: -1.00%

APIs
• setsockopt.WS2_32(?,0000FFFF,00001006,?,00000004), ref: 00841D4E
Memory Dump Source
• Source File: 00000000.00000002.3395913884.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000000.00000002.3395898852.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3395977393.0000000000843000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3395990553.0000000000845000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_840000_WtRLqa6ZXn.jbxd
Similarity
• API ID: setsockopt
• String ID:
• API String ID: 3981526788-0
• Opcode ID: 569d15e79231ca81af3bcf4c2f945940e23859a81f6f770dcfb37c15e457e90c
• Instruction ID: 89582af94b5b798fb479490bb857eed9b16d47b1d973bc655be51c0d7a932394
• Opcode Fuzzy Hash: 569d15e79231ca81af3bcf4c2f945940e23859a81f6f770dcfb37c15e457e90c
• Instruction Fuzzy Hash: 19D05E78640308BBD724DF84DC42DB97768EB09750F108258BE088B280E6B1AA049790
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00841A10: GetTempPathA.KERNEL32(00000104,?), ref: 00841A2C
  • Part of subcall function 00841A10: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00841A62
  • Part of subcall function 00841A10: lstrcpyA.KERNEL32(00844028,kilo-torrent.org), ref: 00841AAC
  • Part of subcall function 00841A10: lstrcpyA.KERNEL32(00844068,kilo-torrent.org), ref: 00841ABC
  • Part of subcall function 00841A10: WSAStartup.WS2_32(00000202,?), ref: 00841ACE
  • Part of subcall function 00841A10: wsprintfA.USER32 ref: 00841AEB
  • Part of subcall function 00841A10: CreateMutexA.KERNELBASE(00000000,00000000,?), ref: 00841AFC
  • Part of subcall function 00841A10: GetLastError.KERNEL32 ref: 00841B0B
  • Part of subcall function 00841A10: CloseHandle.KERNEL32(00000000), ref: 00841B1C
  • Part of subcall function 00841A10: CreateThread.KERNELBASE(00000000,00000000,00841540,00000000,00000000,00000000), ref: 00841B3E
  • Part of subcall function 00841A10: FindCloseChangeNotification.KERNELBASE(00000000), ref: 00841B51
• Sleep.KERNELBASE(000000FF), ref: 0084102A
Memory Dump Source
• Source File: 00000000.00000002.3395913884.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000000.00000002.3395898852.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3395977393.0000000000843000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3395990553.0000000000845000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_840000_WtRLqa6ZXn.jbxd
Similarity
• API ID: CloseCreatelstrcpy$ChangeErrorFindHandleInformationLastMutexNotificationPathSleepStartupTempThreadVolumewsprintf
• String ID:
• API String ID: 75904360-0
• Opcode ID: 47af95634f84fda8d80ff58baa2685700da7cbcd929a4744837156cc4791097c
• Instruction ID: fcb0a8746d7c9a486ee7199cc9c00b714ea6d6fcd4ef7f6083123f1dcbe5ac69
• Opcode Fuzzy Hash: 47af95634f84fda8d80ff58baa2685700da7cbcd929a4744837156cc4791097c
• Instruction Fuzzy Hash: C7B0123600566C17C550B39D6C09B05731CA701370F500712743A912D3C98674E49066
Uniqueness

Uniqueness Score: -1.00%

APIs
• StrStrIA.SHLWAPI(?,00843160), ref: 008424C1
• memcpy.NTDLL(?,?,00000000), ref: 008424EC
• StrStrIA.SHLWAPI(00000000,://), ref: 00842506
• StrStrIA.SHLWAPI(00000000,00843168), ref: 00842533
• StrStrIA.SHLWAPI(?,0084316C), ref: 00842547
• StrStrIA.SHLWAPI(00000000,Proxy-Connection: ,?,0084316C), ref: 00842597
• lstrcatA.KERNEL32(00000000,00000000,?,0084316C), ref: 008425B4
• lstrcatA.KERNEL32(00000000,-00000006,?,0084316C), ref: 008425C5
• lstrcatA.KERNEL32(00000000,00000000,?,0084316C), ref: 008425D5
• StrStrIA.SHLWAPI(?,00843184,?,0084316C), ref: 008425EC
• StrToIntA.SHLWAPI(-00000001,?,00843184,?,0084316C), ref: 00842608
Strings
Memory Dump Source
• Source File: 00000000.00000002.3395913884.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
• Associated: 00000000.00000002.3395898852.0000000000840000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3395977393.0000000000843000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3395990553.0000000000845000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_840000_WtRLqa6ZXn.jbxd
Similarity
• API ID: lstrcat$memcpy
• String ID: ://$Proxy-Connection:
• API String ID: 4077682737-1088596629
• Opcode ID: eed702a348e4ab6a3142885ffd18595a3a0a36a284297587bb820b7a1dab59e8
• Instruction ID: 8feef99dfaf3e6e7abd232cb5f75ad1c2738fba931f8d915de7aed1f86d9ec6b
• Opcode Fuzzy Hash: eed702a348e4ab6a3142885ffd18595a3a0a36a284297587bb820b7a1dab59e8
• Instruction Fuzzy Hash: DE51B678904249EFCB05CFA8D998BAEBBB5FF59304F248658E915A7350C774AA40CF60
Uniqueness

Uniqueness Score: -1.00%

                                                  APIs
                                                  • _chkstk.NTDLL(?,00842384,00000000,?,?), ref: 00842628
                                                    • Part of subcall function 00841490: StrStrIA.SHLWAPI(00000000,), ref: 008414A6
                                                  • send.WS2_32(00000000,HTTP/1.0 400 Bad RequestContent-Length: 15400 Bad Request,0000003F,00000000), ref: 00842681
                                                    • Part of subcall function 008424A0: StrStrIA.SHLWAPI(?,00843160), ref: 008424C1
                                                    • Part of subcall function 008424A0: memcpy.NTDLL(?,?,00000000), ref: 008424EC
                                                    • Part of subcall function 008424A0: StrStrIA.SHLWAPI(00000000,://), ref: 00842506
                                                    • Part of subcall function 008424A0: StrStrIA.SHLWAPI(00000000,00843168), ref: 00842533
                                                    • Part of subcall function 008424A0: StrStrIA.SHLWAPI(?,0084316C), ref: 00842547
                                                    • Part of subcall function 008424A0: StrStrIA.SHLWAPI(00000000,Proxy-Connection: ,?,0084316C), ref: 00842597
                                                    • Part of subcall function 008424A0: lstrcatA.KERNEL32(00000000,00000000,?,0084316C), ref: 008425B4
                                                    • Part of subcall function 008424A0: lstrcatA.KERNEL32(00000000,-00000006,?,0084316C), ref: 008425C5
                                                    • Part of subcall function 008424A0: StrStrIA.SHLWAPI(?,00843184,?,0084316C), ref: 008425EC
                                                  • send.WS2_32(000000FF,HTTP/1.0 502 Bad GatewayContent-Length: 15502 Bad Gateway,0000003F,00000000), ref: 008426C8
                                                  • lstrlenA.KERNEL32(?,00000000), ref: 008426E2
                                                  • send.WS2_32(000000FF,?,00000000), ref: 008426F4
                                                  Strings
                                                  • HTTP/1.0 400 Bad RequestContent-Length: 15400 Bad Request, xrefs: 00842678
                                                  • HTTP/1.0 502 Bad GatewayContent-Length: 15502 Bad Gateway, xrefs: 008426BF
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3395913884.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                  • Associated: 00000000.00000002.3395898852.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.3395977393.0000000000843000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.3395990553.0000000000845000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_840000_WtRLqa6ZXn.jbxd
                                                  Similarity
                                                  • API ID: send$lstrcat$_chkstklstrlenmemcpy
                                                   • String ID: HTTP/1.0 400 Bad Request\r\nContent-Length: 15\r\n\r\n400 Bad Request$HTTP/1.0 502 Bad Gateway\r\nContent-Length: 15\r\n\r\n502 Bad Gateway
                                                  • API String ID: 3621726142-1422229110
                                                  • Opcode ID: 5ac2120ba16e427d779bf5dd935a7d6af38889ebd871c4c502a3e17b05cea883
                                                  • Instruction ID: 6fd0afe4310ee16cd78f14821c0703fa397d82ef09a59258e5e7241d6419bf60
                                                  • Opcode Fuzzy Hash: 5ac2120ba16e427d779bf5dd935a7d6af38889ebd871c4c502a3e17b05cea883
                                                  • Instruction Fuzzy Hash: A1215E7590020DBBCB14DF98DC45AEEB7B8FB18310F104658FA25E7280E774AB44DB61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • wsprintfA.USER32 ref: 00842B1A
                                                  • send.WS2_32(?,00000005,00000002,00000000), ref: 00842B40
                                                  • recv.WS2_32(?,?,00000001,00000000), ref: 00842B52
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3395913884.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                   • Associated: 00000000.00000002.3395898852.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3395977393.0000000000843000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3395990553.0000000000845000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_840000_WtRLqa6ZXn.jbxd
                                                  Similarity
                                                  • API ID: recvsendwsprintf
                                                  • String ID:
                                                  • API String ID: 2338285716-0
                                                  • Opcode ID: d0d2c224890d79869bedb962da7ab64088cfe91cf49701922dabc7f133bbd3b9
                                                  • Instruction ID: 86ef93207c8d9ca5a6042a60297f9b226da49956dc2691bdaf7f794554604fa9
                                                  • Opcode Fuzzy Hash: d0d2c224890d79869bedb962da7ab64088cfe91cf49701922dabc7f133bbd3b9
                                                  • Instruction Fuzzy Hash: 16516CB5D0824DFACB04CBA4C895BEEBBB5FF49305F548999F501E6280E3759744CBA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • wsprintfA.USER32 ref: 00842731
                                                  • StrStrIA.SHLWAPI(?,Proxy-Authorization: Basic ), ref: 00842760
                                                  • StrStrIA.SHLWAPI(?,0084322C), ref: 00842786
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.3395913884.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true
                                                   • Associated: 00000000.00000002.3395898852.0000000000840000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3395977393.0000000000843000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.3395990553.0000000000845000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_840000_WtRLqa6ZXn.jbxd
                                                  Similarity
                                                  • API ID: wsprintf
                                                  • String ID: %u:%u$Proxy-Authorization: Basic
                                                  • API String ID: 2111968516-3249395766
                                                  • Opcode ID: d3794bfc641a5297b8a28c3b31fbc8ba9a248fbcf5b6c8e07a7ad6b5f9fd63c7
                                                  • Instruction ID: 90a71963795557f7969e4a321f116cdad02ccc20619f190cd9f7a840a351a070
                                                  • Opcode Fuzzy Hash: d3794bfc641a5297b8a28c3b31fbc8ba9a248fbcf5b6c8e07a7ad6b5f9fd63c7
                                                  • Instruction Fuzzy Hash: 3F31D579D0420CEBCB04DFA4D885AAEBBB5FB44304F508658F515A7240E774AB84CB91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%
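The two fixed error responses sent at 008426C8 (with length 0x3F), the Proxy-Connection search in the subcall at 008424A0, and the Proxy-Authorization: Basic search next to the "%u:%u" format string at 00842731 together describe a small HTTP proxy. The Python below is an added example and is not part of the Joe Sandbox report or the sample's code: it rebuilds the two responses with the CRLF line terminators HTTP requires and checks that each comes to the 63 bytes passed to send(), then runs a simple detector over a constructed client request. The request bytes, the reading of "%u:%u" as a numeric user:password pair, and the hit labels are assumptions made for illustration.

```python
"""Added example: verify the proxy error responses from the report and
detect proxy-related artefacts in a TCP stream. Not the sample's own code."""
import base64
import re

# Strings listed in the report, with the CRLF line terminators restored.
PROXY_RESPONSES = {
    "400": b"HTTP/1.0 400 Bad Request\r\nContent-Length: 15\r\n\r\n400 Bad Request",
    "502": b"HTTP/1.0 502 Bad Gateway\r\nContent-Length: 15\r\n\r\n502 Bad Gateway",
}
# Third argument of send() at ref 008426C8 in the report.
SEND_LEN_FROM_REPORT = 0x3F


def response_lengths() -> dict:
    """Length of each rebuilt response; both must equal SEND_LEN_FROM_REPORT."""
    return {code: len(resp) for code, resp in PROXY_RESPONSES.items()}


def content_length_consistent(resp: bytes) -> bool:
    """True when the Content-Length header matches the body that follows it."""
    head, sep, body = resp.partition(b"\r\n\r\n")
    if not sep:
        return False
    m = re.search(rb"Content-Length: (\d+)", head)
    return m is not None and int(m.group(1)) == len(body)


def parse_proxy_auth(request: bytes):
    """Return (user, password) from a Proxy-Authorization: Basic header, else None."""
    m = re.search(rb"Proxy-Authorization: Basic ([A-Za-z0-9+/=]+)", request)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    user, sep, password = raw.partition(b":")
    if not sep:
        return None
    return user.decode("latin-1"), password.decode("latin-1")


def looks_like_numeric_creds(creds) -> bool:
    """Assumption: the '%u:%u' format string builds the expected credential,
    so a user and password that are both unsigned integers is the shape to flag."""
    return creds is not None and all(part.isdigit() for part in creds)


def scan_stream(direction: str, data: bytes) -> list:
    """Hit labels (assumed names) for proxy artefacts in one direction of a stream."""
    hits = []
    if direction == "s2c":  # server-to-client: the canned error responses
        for code, resp in PROXY_RESPONSES.items():
            if resp in data:
                hits.append(f"proxy-error-{code}")
    else:  # client-to-server: proxy request headers
        if re.search(rb"^(CONNECT|GET|POST) ", data, re.M) and b"Proxy-Connection:" in data:
            hits.append("proxy-connection-header")
        creds = parse_proxy_auth(data)
        if creds is not None:
            hits.append("proxy-basic-auth")
            if looks_like_numeric_creds(creds):
                hits.append("numeric-creds")
    return hits


# Constructed sample request; not traffic captured from the sandbox run.
SAMPLE_REQUEST = (
    b"CONNECT example.com:443 HTTP/1.1\r\n"
    b"Host: example.com:443\r\n"
    b"Proxy-Connection: keep-alive\r\n"
    b"Proxy-Authorization: Basic " + base64.b64encode(b"1234:5678") + b"\r\n\r\n"
)

if __name__ == "__main__":
    for code, resp in PROXY_RESPONSES.items():
        ok = len(resp) == SEND_LEN_FROM_REPORT and content_length_consistent(resp)
        print(f"{code}: {len(resp)} bytes, consistent={ok}")
    print("client hits:", scan_stream("c2s", SAMPLE_REQUEST))
    print("server hits:", scan_stream("s2c", PROXY_RESPONSES["502"]))
```

The length check is the useful part for an analyst: a 63-byte send of a string whose visible characters only count 57 means six bytes of line terminators, i.e. three CRLF pairs, which is exactly what the rebuilt responses contain. The same responses are the fixed byte sequences to hunt for on the wire if the proxy is exposed.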