Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1583470
MD5:	1d286b861d4b283bb79330b61d18fc26
SHA1:	ab6515e058793efbc59de100fed80d7a2714d205
SHA256:	4cbc414d046f0cb106ec1cbc8753c47f5146a9942115324b80be4503ac98ff40
Tags:	exeuser-jstrosch
Infos:

Detection

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Changes security center settings (notifications, updates, antivirus, firewall)

Drops executables to the windows directory (C:\Windows) and starts them

Machine Learning detection for dropped file

Machine Learning detection for sample

Moves itself to temp directory

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains capabilities to detect virtual machines

Contains functionality to dynamically determine API calls

Contains long sleeps (>= 3 min)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected non-DNS traffic on DNS port

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Found decision node followed by non-executed suspicious APIs

May sleep (evasive loops) to hinder dynamic analysis

Modifies existing windows services

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

svchost.exe (PID: 6156 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

SgrmBroker.exe (PID: 3216 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)

svchost.exe (PID: 4468 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 5644 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

file.exe (PID: 2028 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 1D286B861D4B283BB79330B61D18FC26)

Systemhqe.exe (PID: 4764 cmdline: C:\Windows\Systemhqe.exe MD5: 1D286B861D4B283BB79330B61D18FC26)

svchost.exe (PID: 7044 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

MpCmdRun.exe (PID: 1940 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)

conhost.exe (PID: 2184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Sigma Signatures

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, ProcessId: 6156, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Windows\Systemhqe.exe

Avira: detection malicious, Label: HEUR/AGEN.1342186

Multi AV Scanner detection for dropped file

Source: C:\Windows\Systemhqe.exe

ReversingLabs: Detection: 89%

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 89%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.4% probability

Machine Learning detection for dropped file

Source: C:\Windows\Systemhqe.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: global traffic

TCP traffic: 192.168.2.11:49708 -> 205.185.126.56:5388

Source: global traffic

TCP traffic: 192.168.2.11:60241 -> 162.159.36.2:53

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\file.exe

Code function: 4_2_00403FFB strcpy,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,strstr,strcpy,strstr,strcpy,strstr,strcpy,strstr,strcpy,strstr,strcpy,strstr,strcpy,strstr,strcpy,strstr,strcpy,strstr,strcpy,strcpy,GetSystemInfo,Sleep,sprintf,strlen,send,closesocket,select,__WSAFDIsSet,recv,memcpy,memcpy,memcpy,CreateThread,memcpy,CreateThread,closesocket,

4_2_00403FFB

Source: global traffic	DNS traffic detected: DNS query: zzz.hnyzh.co
Source: global traffic	DNS traffic detected: DNS query: o.ry52cc.cn
Source: global traffic	DNS traffic detected: DNS query: 206.23.85.13.in-addr.arpa

Source: file.exe, Systemhqe.exe.4.dr	String found in binary or memory: http://www.baidu.com/search/spider.html)
Source: svchost.exe, 00000000.00000002.1371779391.000002AFC1813000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: file.exe, Systemhqe.exe.4.dr	String found in binary or memory: http://www.google.com/bot.html)
Source: svchost.exe, 00000000.00000003.1371445023.000002AFC1857000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371916101.000002AFC1858000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000000.00000003.1371445023.000002AFC1857000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371916101.000002AFC1858000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 00000000.00000003.1371217754.000002AFC186E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371331774.000002AFC185F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371397098.000002AFC185A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371304421.000002AFC1862000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371962166.000002AFC1863000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1372001100.000002AFC1870000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000000.00000003.1371217754.000002AFC186E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1372001100.000002AFC1870000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000000.00000003.1371445023.000002AFC1857000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371916101.000002AFC1858000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000000.00000002.1371983018.000002AFC1868000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371273738.000002AFC1867000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000000.00000002.1372017860.000002AFC1877000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371170648.000002AFC1875000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 00000000.00000003.1371445023.000002AFC1857000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371916101.000002AFC1858000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000000.00000002.1371828418.000002AFC182B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371397098.000002AFC185A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371304421.000002AFC1862000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371962166.000002AFC1863000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000000.00000003.1371445023.000002AFC1857000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371916101.000002AFC1858000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000000.00000002.1371983018.000002AFC1868000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371273738.000002AFC1867000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371828418.000002AFC182B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000000.00000003.1371445023.000002AFC1857000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371916101.000002AFC1858000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000000.00000003.1371445023.000002AFC1857000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371916101.000002AFC1858000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000000.00000003.1371445023.000002AFC1857000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371916101.000002AFC1858000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000000.00000002.1371828418.000002AFC182B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371304421.000002AFC1862000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371962166.000002AFC1863000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000000.00000002.1371873137.000002AFC1842000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371427961.000002AFC1841000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000000.00000003.1371445023.000002AFC1857000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371916101.000002AFC1858000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000000.00000003.1371304421.000002AFC1862000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371962166.000002AFC1863000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000000.00000002.1371894849.000002AFC1855000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371197643.000002AFC1851000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv
Source: svchost.exe, 00000000.00000003.1371153238.000002AFC1833000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000000.00000003.1371427961.000002AFC1841000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000000.00000002.1371962166.000002AFC1863000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000000.00000002.1371873137.000002AFC1842000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371427961.000002AFC1841000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
Source: svchost.exe, 00000000.00000002.1372001100.000002AFC1870000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000000.00000003.1371445023.000002AFC1857000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371916101.000002AFC1858000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000000.00000003.1371153238.000002AFC1833000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 00000000.00000002.1371983018.000002AFC1868000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371273738.000002AFC1867000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371828418.000002AFC182B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000000.00000003.1371427961.000002AFC1841000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000000.00000003.1371427961.000002AFC1841000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000000.00000003.1371427961.000002AFC1841000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000000.00000003.1371366046.000002AFC185D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000000.00000002.1371828418.000002AFC182B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000000.00000003.1371445023.000002AFC1857000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371916101.000002AFC1858000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000000.00000003.1371445023.000002AFC1857000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371916101.000002AFC1858000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=

Source: C:\Users\user\Desktop\file.exe	File created: C:\Windows\Systemhqe.exe			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File created: C:\Windows\Systemhqe.exe\:Zone.Identifier:$DATA			Jump to behavior

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal96.evad.winEXE@10/3@22/1

Source: C:\Users\user\Desktop\file.exe

Code function: GetModuleFileNameA,LoadLibraryA,GetProcAddress,strlen,strncmp,wsprintfA,strcat,strcat,CopyFileA,memset,strcpy,OpenSCManagerA,CreateServiceA,LockServiceDatabase,ChangeServiceConfig2A,ChangeServiceConfig2A,UnlockServiceDatabase,GetLastError,OpenServiceA,StartServiceA,StartServiceA,strcpy,strcat,RegOpenKeyA,lstrlenA,RegSetValueExA,

4_2_004048A6

Source: C:\Users\user\Desktop\file.exe

Code function: 4_2_0040484B StartServiceCtrlDispatcherA,

4_2_0040484B

Source: C:\Users\user\Desktop\file.exe

Code function: 4_2_0040484B StartServiceCtrlDispatcherA,

4_2_0040484B

Source: C:\Windows\System32\conhost.exe

Mutant created: \BaseNamedObjects\Local\SM0:2184:120:WilError_03

Source: C:\Program Files\Windows Defender\MpCmdRun.exe

File created: C:\Windows\SERVIC~1\LOCALS~1\AppData\Local\Temp\MpCmdRun.log

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 89%

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: unknown	Process created: C:\Windows\Systemhqe.exe C:\Windows\Systemhqe.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable	Jump to behavior

Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: moshost.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mapsbtsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mosstorage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mapconfiguration.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: aphostservice.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: networkhelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userdataplatformhelperutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: syncutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mccspal.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dmcfgutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dmcmnutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dmxmlhelputils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: inproclogger.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.networking.connectivity.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: synccontroller.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pimstore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: aphostclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: accountaccessor.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: systemeventsbrokerclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userdatalanguageutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mccsengineshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cemapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userdatatypehelperutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: phoneutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: storsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fltlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bcd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: storageusage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Systemhqe.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Systemhqe.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Systemhqe.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\Systemhqe.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\Systemhqe.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\Systemhqe.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\Systemhqe.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Systemhqe.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Systemhqe.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\Systemhqe.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Systemhqe.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wscapi.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sppc.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 4_2_004048A6 GetModuleFileNameA,LoadLibraryA,GetProcAddress,strlen,strncmp,wsprintfA,strcat,strcat,CopyFileA,memset,strcpy,OpenSCManagerA,CreateServiceA,LockServiceDatabase,ChangeServiceConfig2A,ChangeServiceConfig2A,UnlockServiceDatabase,GetLastError,OpenServiceA,StartServiceA,StartServiceA,strcpy,strcat,RegOpenKeyA,lstrlenA,RegSetValueExA,

4_2_004048A6

Source: C:\Users\user\Desktop\file.exe

Code function: 4_2_00405D20 push eax; ret

4_2_00405D4E

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: unknown

Executable created and started: C:\Windows\Systemhqe.exe

Source: C:\Users\user\Desktop\file.exe

File created: C:\Windows\Systemhqe.exe

Jump to dropped file

Source: C:\Users\user\Desktop\file.exe

File created: C:\Windows\Systemhqe.exe

Jump to dropped file

Source: C:\Users\user\Desktop\file.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\phqghumeay

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 4_2_0040484B StartServiceCtrlDispatcherA,

4_2_0040484B

Hooking and other Techniques for Hiding and Protection

Moves itself to temp directory

Source: c:\users\user\desktop\file.exe

File moved: C:\Users\user\AppData\Local\Temp\4bc0324

Jump to behavior

Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\svchost.exe

File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Windows\Systemhqe.exe

Thread delayed: delay time: 480000

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_4-1262

Source: C:\Windows\Systemhqe.exe TID: 6588	Thread sleep time: -480000s >= -30000s	Jump to behavior
Source: C:\Windows\Systemhqe.exe TID: 7124	Thread sleep time: -90000s >= -30000s	Jump to behavior
Source: C:\Windows\Systemhqe.exe TID: 6588	Thread sleep count: 36 > 30	Jump to behavior

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\Windows\System32 FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 4_2_004050D7 GetSystemInfo,??2@YAPAXI@Z,memset,memcpy,

4_2_004050D7

Source: C:\Windows\Systemhqe.exe

Thread delayed: delay time: 480000

Jump to behavior

Source: svchost.exe, 00000003.00000002.2532257010.0000019749664000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: svchost.exe, 00000003.00000002.2532081718.000001974962B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: (@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: svchost.exe, 00000003.00000002.2532257010.0000019749683000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000003.00000002.2531873133.0000019749602000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: svchost.exe, 00000003.00000002.2532323364.0000019749690000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Systemhqe.exe, 00000005.00000002.2532048616.00000000004EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll~

Source: C:\Users\user\Desktop\file.exe

4_2_004048A6

Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation	Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Changes security center settings (notifications, updates, antivirus, firewall)

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av\{D68DDC3A-831F-4fae-9E44-DA132C1ACF46} STATE

Jump to behavior

Source: svchost.exe, 00000006.00000002.2532187188.000001E96CF02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: gramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000006.00000002.2532187188.000001E96CF02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	14 Windows Service	14 Windows Service	22 Masquerading	OS Credential Dumping	141 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Service Execution	1 DLL Side-Loading	1 Process Injection	1 Disable or Modify Tools	LSASS Memory	41 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Native API	Logon Script (Windows)	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	Security Account Manager	23 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Process Injection	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
file.exe	89%	ReversingLabs	Win32.Backdoor.Farfli
file.exe	100%	Avira	HEUR/AGEN.1342186
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Windows\Systemhqe.exe	100%	Avira	HEUR/AGEN.1342186
C:\Windows\Systemhqe.exe	100%	Joe Sandbox ML
C:\Windows\Systemhqe.exe	89%	ReversingLabs	Win32.Backdoor.Farfli

Source	Detection	Scanner	Label	Link
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
zzz.hnyzh.co	205.185.126.56	true	false	unknown
o.ry52cc.cn	unknown	unknown	true	unknown
206.23.85.13.in-addr.arpa	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.baidu.com/search/spider.html)	file.exe, Systemhqe.exe.4.dr	false		high
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx	svchost.exe, 00000000.00000003.1371445023.000002AFC1857000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371916101.000002AFC1858000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=	svchost.exe, 00000000.00000003.1371366046.000002AFC185D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Routes/	svchost.exe, 00000000.00000002.1371983018.000002AFC1868000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371273738.000002AFC1867000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Driving	svchost.exe, 00000000.00000003.1371445023.000002AFC1857000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371916101.000002AFC1858000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx	svchost.exe, 00000000.00000003.1371427961.000002AFC1841000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.google.com/bot.html)	file.exe, Systemhqe.exe.4.dr	false		high
https://dev.ditu.live.com/REST/v1/Transit/Stops/	svchost.exe, 00000000.00000002.1372017860.000002AFC1877000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371170648.000002AFC1875000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/	svchost.exe, 00000000.00000002.1371983018.000002AFC1868000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371273738.000002AFC1867000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371828418.000002AFC182B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/	svchost.exe, 00000000.00000002.1371828418.000002AFC182B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371304421.000002AFC1862000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371962166.000002AFC1863000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=	svchost.exe, 00000000.00000003.1371427961.000002AFC1841000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Walking	svchost.exe, 00000000.00000003.1371445023.000002AFC1857000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371916101.000002AFC1858000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=	svchost.exe, 00000000.00000002.1371873137.000002AFC1842000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371427961.000002AFC1841000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?	svchost.exe, 00000000.00000003.1371304421.000002AFC1862000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371962166.000002AFC1863000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=	svchost.exe, 00000000.00000003.1371427961.000002AFC1841000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/	svchost.exe, 00000000.00000003.1371153238.000002AFC1833000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Locations	svchost.exe, 00000000.00000003.1371445023.000002AFC1857000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371916101.000002AFC1858000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/	svchost.exe, 00000000.00000003.1371445023.000002AFC1857000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371916101.000002AFC1858000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/mapcontrol/logging.ashx	svchost.exe, 00000000.00000003.1371445023.000002AFC1857000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371916101.000002AFC1858000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/mapcontrol/logging.ashx	svchost.exe, 00000000.00000003.1371445023.000002AFC1857000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371916101.000002AFC1858000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/	svchost.exe, 00000000.00000003.1371217754.000002AFC186E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371331774.000002AFC185F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371397098.000002AFC185A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371304421.000002AFC1862000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371962166.000002AFC1863000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1372001100.000002AFC1870000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=	svchost.exe, 00000000.00000002.1371828418.000002AFC182B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=	svchost.exe, 00000000.00000003.1371427961.000002AFC1841000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Transit/Schedules/	svchost.exe, 00000000.00000002.1371873137.000002AFC1842000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371427961.000002AFC1841000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv	svchost.exe, 00000000.00000002.1371894849.000002AFC1855000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371197643.000002AFC1851000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dynamic.t	svchost.exe, 00000000.00000002.1372001100.000002AFC1870000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Transit	svchost.exe, 00000000.00000003.1371445023.000002AFC1857000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371916101.000002AFC1858000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen	svchost.exe, 00000000.00000003.1371445023.000002AFC1857000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371916101.000002AFC1858000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=	svchost.exe, 00000000.00000003.1371445023.000002AFC1857000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371916101.000002AFC1858000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=	svchost.exe, 00000000.00000002.1371962166.000002AFC1863000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.bingmapsportal.com	svchost.exe, 00000000.00000002.1371779391.000002AFC1813000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Locations	svchost.exe, 00000000.00000003.1371445023.000002AFC1857000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371916101.000002AFC1858000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 00000000.00000002.1371828418.000002AFC182B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371397098.000002AFC185A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371304421.000002AFC1862000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371962166.000002AFC1863000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 00000000.00000002.1371983018.000002AFC1868000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371273738.000002AFC1867000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1371828418.000002AFC182B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/	svchost.exe, 00000000.00000003.1371217754.000002AFC186E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1372001100.000002AFC1870000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=	svchost.exe, 00000000.00000003.1371153238.000002AFC1833000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
205.185.126.56	zzz.hnyzh.co	United States		53667	PONYNETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583470
Start date and time:	2025-01-02 20:19:54 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal96.evad.winEXE@10/3@22/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 6 Number of non-executed functions: 37
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 52.149.20.212, 13.85.23.206, 20.109.210.53
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
14:20:47	API Interceptor	1x Sleep call for process: Systemhqe.exe modified
14:21:47	API Interceptor	1x Sleep call for process: MpCmdRun.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
205.185.126.56	lx64.elf	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
zzz.hnyzh.co	lx64.elf	Get hash	malicious	Unknown	Browse	205.185.126.56

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
PONYNETUS	file.exe	Get hash	malicious	GhostRat, Nitol	Browse	198.98.57.188
	lx64.elf	Get hash	malicious	Unknown	Browse	205.185.126.56
	https://u48917305.ct.sendgrid.net/ls/click?upn=u001.ztQPJiWtq2gO8V-2Ftd7SxY9UCAq3VScTPSloeIw5UEMPd6e3nbPRvJ98moPTqmrdQ1eNbvwZHJ-2BEb4HrooVFNCTltmXW6SgRONKSmPzdFoWfDQT97cczFZ0vj7M2xBd2izDTi-2BL-2BoVqB8yVzV2GW7vOPvy3s9yVghrOS5vs-2BSnWyzJMkXQxVEReq4oLCDet7QAOvo_JkpSD-2Bg6VoLAQppUKMb-2BxDh4v4nbOeQFT31aoN-2FLkhvFCzY6wdlGM7RTNIi47OKR1tTaghG8tTKssArDNPSXAfX9wO6nsZ2FHn-2FunyaOti-2FaII-2FnbKYDXJOImW-2Bs9f4tYnWj8rqO7L0kp4KNRHBDo0iHoL8DEOGc8GMtzqzsIqERel6-2FxJyY4DBnsnUTOc2I4HCPKA6lxcCEXMtxEA1-2FnQ-3D-3D	Get hash	malicious	HTMLPhisher	Browse	198.251.89.144
	arm6.elf	Get hash	malicious	Mirai, Moobot	Browse	209.141.47.117
	JkICQ13OOY.dll	Get hash	malicious	Unknown	Browse	107.189.14.43
	JkICQ13OOY.dll	Get hash	malicious	Unknown	Browse	104.244.76.24
	Clienter.dll.dll	Get hash	malicious	Unknown	Browse	107.189.1.9
	SC_TR11670000_pdf.exe	Get hash	malicious	FormBook	Browse	198.251.84.200
	vpn.exe	Get hash	malicious	Metasploit	Browse	209.141.35.225
	jew.sh4.elf	Get hash	malicious	Unknown	Browse	144.172.104.27

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	2464
Entropy (8bit):	3.2501973772062245
Encrypted:	false
SSDEEP:	24:QOaqdmuF3rN+kWReHgHttUKlDENh+pyMySn6tUKlDENh+pyMySwwIPVxcwIPVxwB:FaqdF7N+AAHdKoqKFxcxkFd
MD5:	C9ED6941532424998DB17DB224843589
SHA1:	2A4E9D2E9871F91C2E62667520530D0C841FAE3A
SHA-256:	6C6A69C21612C2118A10EDA058F4E96A4FC6F53F3CB72B3E9E4ED6E316402E47
SHA-512:	9EF4EB3E4E85E314826470E0E4D487AC1AAD34FC463EF8E9B5F1E33DF04F6B3D632536E08F02D9EC44E41F460E537B5E6F81BCA1C5869FB7A42717A984953319
Malicious:	false
Reputation:	low
Preview:	..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. T.h.u. .. J.a.n. .. 0.2. .. 2.0.2.5. .1.4.:.2.1.:.4.7.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e........................................ .W.S.C. .S.t.a.t.e. .I.n.f.o. ................................................................. .A.n.t.i.V.i.r.u.s.P.r.o.d.u.c.t. ..............................d.i.s.p.l.a.y.N.a.m.e. .=. .[.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.].....p.a.t.h.T.o.S.i.g.n.e.d.P.r.o.d.u.c.t.E.x.e. .=. .[.w.i.n.d.o.w.s.d.

C:\Windows\Systemhqe.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	5.194063470375111
Encrypted:	false
SSDEEP:	768:SkqlrK5isV2AKTVV15bRjeK3gRJg6Dm/u5HfquaVwsaVwCx:xKIYApC6C/4/zaVwsaVwCx
MD5:	1D286B861D4B283BB79330B61D18FC26
SHA1:	AB6515E058793EFBC59DE100FED80D7A2714D205
SHA-256:	4CBC414D046F0CB106EC1CBC8753C47F5146A9942115324B80BE4503AC98FF40
SHA-512:	0ADA866040CE21E78732FA9A1AA9ED1E81F43E713FDE38EAE5C7034F9CDA412A35BB7D8CAE66829F42F3A4C0082722787E8F55F7155E9142D6AE3935ACFAD30B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 89%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e..!l..!l..!l..Zp.. l..p..#l..Ns..l..Ns..#l...c..l..!l..~l...s.."l..Rich!l..........PE..L...4[^Y.................P...0.......].......`....@..........................................................................a.......................................................................................`...............................text...$O.......P.................. ..`.rdata.......`.......`..............@..@.data........p... ...p..............@...................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Systemhqe.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.194063470375111
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	36'864 bytes
MD5:	1d286b861d4b283bb79330b61d18fc26
SHA1:	ab6515e058793efbc59de100fed80d7a2714d205
SHA256:	4cbc414d046f0cb106ec1cbc8753c47f5146a9942115324b80be4503ac98ff40
SHA512:	0ada866040ce21e78732fa9a1aa9ed1e81f43e713fde38eae5c7034f9cda412a35bb7d8cae66829f42f3a4c0082722787e8f55f7155e9142d6ae3935acfad30b
SSDEEP:	768:SkqlrK5isV2AKTVV15bRjeK3gRJg6Dm/u5HfquaVwsaVwCx:xKIYApC6C/4/zaVwsaVwCx
TLSH:	8CF24A52BA0794A6E59300F4246AFBFFD9A3ACB9068EE45BFFC05D042674144F23620F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e...!l..!l..!l..Zp.. l...p..#l..Ns..l..Ns..#l...c..l..!l..~l...s.."l..Rich!l..........PE..L...4[^Y.................P...0.....

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x405d98
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x595E5B34 [Thu Jul 6 15:45:56 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b417d74ecba642ca8eceadf01d18afc0

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 004061E8h
push 00405D50h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 68h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
xor ebx, ebx
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [004060B8h]
pop ecx
or dword ptr [00408574h], FFFFFFFFh
or dword ptr [00408578h], FFFFFFFFh
call dword ptr [004060C0h]
mov ecx, dword ptr [00408570h]
mov dword ptr [eax], ecx
call dword ptr [004060C4h]
mov ecx, dword ptr [0040856Ch]
mov dword ptr [eax], ecx
mov eax, dword ptr [004060C8h]
mov eax, dword ptr [eax]
mov dword ptr [0040857Ch], eax
call 00007FD5A0E74575h
cmp dword ptr [004084E0h], ebx
jne 00007FD5A0E7446Eh
push 00405F14h
call dword ptr [004060CCh]
pop ecx
call 00007FD5A0E74547h
push 0040700Ch
push 00407008h
call 00007FD5A0E74532h
mov eax, dword ptr [00408568h]
mov dword ptr [ebp-6Ch], eax
lea eax, dword ptr [ebp-6Ch]
push eax
push dword ptr [00408564h]
lea eax, dword ptr [ebp-64h]
push eax
lea eax, dword ptr [ebp-70h]
push eax
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [004060D4h]
push 00407004h
push 00407000h
call 00007FD5A0E744FFh

Rich Headers

Programming Language:

[C++] VS98 (6.0) build 8168

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x61f4	0x8c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x6000	0x18c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4f24	0x5000	473050cc994b7ebb5204af8da53aa950	False	0.384912109375	data	5.976631766130226	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x6000	0x8f0	0x1000	e9d815d08c8b4dc9cbc16893a6526eac	False	0.2783203125	data	3.2178513504818738	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x7000	0x1580	0x2000	de1f64b96b21db6012583432bdb21ac4	False	0.1031494140625	Matlab v4 mat-file (little endian) Eliminate small Japanese, numeric, rows 0, columns 0	3.7656788523032363	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL	Import
KERNEL32.dll	MoveFileA, GetTempPathA, GetModuleFileNameA, lstrlenA, MoveFileExA, GlobalMemoryStatus, GetModuleHandleA, GetStartupInfoA, WaitForSingleObject, GetSystemInfo, CreateThread, CreateProcessA, GetFileAttributesA, GetLastError, LoadLibraryA, GetProcAddress, FreeLibrary, CreateFileA, WriteFile, CloseHandle, ExitThread, Sleep, GetCurrentProcessId, CopyFileA, GetTickCount
USER32.dll	MessageBoxA, wsprintfA
ADVAPI32.dll	CreateServiceA, ChangeServiceConfig2A, UnlockServiceDatabase, OpenServiceA, StartServiceA, RegSetValueExA, CloseServiceHandle, StartServiceCtrlDispatcherA, RegisterServiceCtrlHandlerA, SetServiceStatus, RegOpenKeyExA, RegOpenKeyA, RegQueryValueExA, RegCloseKey, OpenSCManagerA, LockServiceDatabase
WS2_32.dll	select, __WSAFDIsSet, recv, WSAIoctl, send, WSAStartup, WSASocketA, WSAGetLastError, setsockopt, htonl, sendto, WSACleanup, gethostbyname, socket, htons, connect, closesocket, inet_addr
MSVCRT.dll	strlen, strcat, _controlfp, __set_app_type, strcpy, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, _iob, malloc, free, rand, sprintf, memset, printf, fprintf, memcpy, _except_handler3, _local_unwind2, strstr, ??3@YAXPAX@Z, strrchr, ??2@YAPAXI@Z, strncmp
iphlpapi.dll	GetIfTable

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 2, 2025 20:20:49.223403931 CET	49708	5388	192.168.2.11	205.185.126.56
Jan 2, 2025 20:20:49.228279114 CET	5388	49708	205.185.126.56	192.168.2.11
Jan 2, 2025 20:20:49.228374004 CET	49708	5388	192.168.2.11	205.185.126.56
Jan 2, 2025 20:20:52.240909100 CET	49708	5388	192.168.2.11	205.185.126.56
Jan 2, 2025 20:20:52.245640993 CET	5388	49708	205.185.126.56	192.168.2.11
Jan 2, 2025 20:21:06.420074940 CET	5388	49708	205.185.126.56	192.168.2.11
Jan 2, 2025 20:21:06.475241899 CET	49708	5388	192.168.2.11	205.185.126.56
Jan 2, 2025 20:21:20.357697964 CET	60241	53	192.168.2.11	162.159.36.2
Jan 2, 2025 20:21:20.362468958 CET	53	60241	162.159.36.2	192.168.2.11
Jan 2, 2025 20:21:20.365755081 CET	60241	53	192.168.2.11	162.159.36.2
Jan 2, 2025 20:21:20.370877028 CET	53	60241	162.159.36.2	192.168.2.11
Jan 2, 2025 20:21:20.812886953 CET	60241	53	192.168.2.11	162.159.36.2
Jan 2, 2025 20:21:20.817842007 CET	53	60241	162.159.36.2	192.168.2.11
Jan 2, 2025 20:21:20.817895889 CET	60241	53	192.168.2.11	162.159.36.2
Jan 2, 2025 20:21:36.421344042 CET	5388	49708	205.185.126.56	192.168.2.11
Jan 2, 2025 20:21:36.475385904 CET	49708	5388	192.168.2.11	205.185.126.56
Jan 2, 2025 20:22:06.421161890 CET	5388	49708	205.185.126.56	192.168.2.11
Jan 2, 2025 20:22:06.475543022 CET	49708	5388	192.168.2.11	205.185.126.56
Jan 2, 2025 20:22:36.419998884 CET	5388	49708	205.185.126.56	192.168.2.11
Jan 2, 2025 20:22:36.475615025 CET	49708	5388	192.168.2.11	205.185.126.56

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 2, 2025 20:20:48.601028919 CET	53654	53	192.168.2.11	1.1.1.1
Jan 2, 2025 20:20:48.696314096 CET	50263	53	192.168.2.11	1.1.1.1
Jan 2, 2025 20:20:48.705873966 CET	53	50263	1.1.1.1	192.168.2.11
Jan 2, 2025 20:20:49.218978882 CET	53	53654	1.1.1.1	192.168.2.11
Jan 2, 2025 20:20:55.352005959 CET	51703	53	192.168.2.11	1.1.1.1
Jan 2, 2025 20:20:55.377892017 CET	53	51703	1.1.1.1	192.168.2.11
Jan 2, 2025 20:21:02.102098942 CET	59481	53	192.168.2.11	1.1.1.1
Jan 2, 2025 20:21:02.115571022 CET	53	59481	1.1.1.1	192.168.2.11
Jan 2, 2025 20:21:08.773998976 CET	64943	53	192.168.2.11	1.1.1.1
Jan 2, 2025 20:21:08.784151077 CET	53	64943	1.1.1.1	192.168.2.11
Jan 2, 2025 20:21:15.430284023 CET	64889	53	192.168.2.11	1.1.1.1
Jan 2, 2025 20:21:15.455658913 CET	53	64889	1.1.1.1	192.168.2.11
Jan 2, 2025 20:21:20.357094049 CET	53	59194	162.159.36.2	192.168.2.11
Jan 2, 2025 20:21:20.821970940 CET	57110	53	192.168.2.11	1.1.1.1
Jan 2, 2025 20:21:20.829793930 CET	53	57110	1.1.1.1	192.168.2.11
Jan 2, 2025 20:21:22.570935011 CET	65247	53	192.168.2.11	1.1.1.1
Jan 2, 2025 20:21:22.580282927 CET	53	65247	1.1.1.1	192.168.2.11
Jan 2, 2025 20:21:25.899729967 CET	60884	53	192.168.2.11	1.1.1.1
Jan 2, 2025 20:21:25.909254074 CET	53	60884	1.1.1.1	192.168.2.11
Jan 2, 2025 20:21:32.680147886 CET	60139	53	192.168.2.11	1.1.1.1
Jan 2, 2025 20:21:32.689306974 CET	53	60139	1.1.1.1	192.168.2.11
Jan 2, 2025 20:21:39.336519003 CET	64159	53	192.168.2.11	1.1.1.1
Jan 2, 2025 20:21:39.638465881 CET	53	64159	1.1.1.1	192.168.2.11
Jan 2, 2025 20:21:46.291868925 CET	58737	53	192.168.2.11	1.1.1.1
Jan 2, 2025 20:21:46.302236080 CET	53	58737	1.1.1.1	192.168.2.11
Jan 2, 2025 20:21:52.946280956 CET	51782	53	192.168.2.11	1.1.1.1
Jan 2, 2025 20:21:52.955610037 CET	53	51782	1.1.1.1	192.168.2.11
Jan 2, 2025 20:21:59.602466106 CET	59345	53	192.168.2.11	1.1.1.1
Jan 2, 2025 20:21:59.627707005 CET	53	59345	1.1.1.1	192.168.2.11
Jan 2, 2025 20:22:06.290801048 CET	57133	53	192.168.2.11	1.1.1.1
Jan 2, 2025 20:22:06.298062086 CET	53	57133	1.1.1.1	192.168.2.11
Jan 2, 2025 20:22:12.946028948 CET	54486	53	192.168.2.11	1.1.1.1
Jan 2, 2025 20:22:12.953679085 CET	53	54486	1.1.1.1	192.168.2.11
Jan 2, 2025 20:22:19.617954969 CET	56184	53	192.168.2.11	1.1.1.1
Jan 2, 2025 20:22:19.626976967 CET	53	56184	1.1.1.1	192.168.2.11
Jan 2, 2025 20:22:26.274177074 CET	58284	53	192.168.2.11	1.1.1.1
Jan 2, 2025 20:22:26.281150103 CET	53	58284	1.1.1.1	192.168.2.11
Jan 2, 2025 20:22:32.930862904 CET	64694	53	192.168.2.11	1.1.1.1
Jan 2, 2025 20:22:32.940725088 CET	53	64694	1.1.1.1	192.168.2.11
Jan 2, 2025 20:22:39.650152922 CET	60608	53	192.168.2.11	1.1.1.1
Jan 2, 2025 20:22:39.948765993 CET	53	60608	1.1.1.1	192.168.2.11
Jan 2, 2025 20:22:46.602583885 CET	55016	53	192.168.2.11	1.1.1.1
Jan 2, 2025 20:22:46.612684965 CET	53	55016	1.1.1.1	192.168.2.11
Jan 2, 2025 20:22:53.261293888 CET	55142	53	192.168.2.11	1.1.1.1
Jan 2, 2025 20:22:53.532092094 CET	53	55142	1.1.1.1	192.168.2.11

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 2, 2025 20:20:48.601028919 CET	192.168.2.11	1.1.1.1	0x81d7	Standard query (0)	zzz.hnyzh.co	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:20:48.696314096 CET	192.168.2.11	1.1.1.1	0xc8dd	Standard query (0)	o.ry52cc.cn	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:20:55.352005959 CET	192.168.2.11	1.1.1.1	0x4a2d	Standard query (0)	o.ry52cc.cn	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:21:02.102098942 CET	192.168.2.11	1.1.1.1	0xa36b	Standard query (0)	o.ry52cc.cn	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:21:08.773998976 CET	192.168.2.11	1.1.1.1	0xfd0d	Standard query (0)	o.ry52cc.cn	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:21:15.430284023 CET	192.168.2.11	1.1.1.1	0xe5ac	Standard query (0)	o.ry52cc.cn	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:21:20.821970940 CET	192.168.2.11	1.1.1.1	0x277a	Standard query (0)	206.23.85.13.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Jan 2, 2025 20:21:22.570935011 CET	192.168.2.11	1.1.1.1	0x7d87	Standard query (0)	o.ry52cc.cn	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:21:25.899729967 CET	192.168.2.11	1.1.1.1	0xa8b2	Standard query (0)	o.ry52cc.cn	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:21:32.680147886 CET	192.168.2.11	1.1.1.1	0x465e	Standard query (0)	o.ry52cc.cn	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:21:39.336519003 CET	192.168.2.11	1.1.1.1	0xb4e8	Standard query (0)	o.ry52cc.cn	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:21:46.291868925 CET	192.168.2.11	1.1.1.1	0x8626	Standard query (0)	o.ry52cc.cn	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:21:52.946280956 CET	192.168.2.11	1.1.1.1	0x21	Standard query (0)	o.ry52cc.cn	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:21:59.602466106 CET	192.168.2.11	1.1.1.1	0x47c0	Standard query (0)	o.ry52cc.cn	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:22:06.290801048 CET	192.168.2.11	1.1.1.1	0x2f11	Standard query (0)	o.ry52cc.cn	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:22:12.946028948 CET	192.168.2.11	1.1.1.1	0x6bb0	Standard query (0)	o.ry52cc.cn	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:22:19.617954969 CET	192.168.2.11	1.1.1.1	0x57d	Standard query (0)	o.ry52cc.cn	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:22:26.274177074 CET	192.168.2.11	1.1.1.1	0x6500	Standard query (0)	o.ry52cc.cn	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:22:32.930862904 CET	192.168.2.11	1.1.1.1	0xd39c	Standard query (0)	o.ry52cc.cn	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:22:39.650152922 CET	192.168.2.11	1.1.1.1	0xcb38	Standard query (0)	o.ry52cc.cn	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:22:46.602583885 CET	192.168.2.11	1.1.1.1	0x5af	Standard query (0)	o.ry52cc.cn	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:22:53.261293888 CET	192.168.2.11	1.1.1.1	0x7963	Standard query (0)	o.ry52cc.cn	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 2, 2025 20:20:48.705873966 CET	1.1.1.1	192.168.2.11	0xc8dd	Name error (3)	o.ry52cc.cn	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:20:49.218978882 CET	1.1.1.1	192.168.2.11	0x81d7	No error (0)	zzz.hnyzh.co		205.185.126.56	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:20:55.377892017 CET	1.1.1.1	192.168.2.11	0x4a2d	Name error (3)	o.ry52cc.cn	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:21:02.115571022 CET	1.1.1.1	192.168.2.11	0xa36b	Name error (3)	o.ry52cc.cn	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:21:08.784151077 CET	1.1.1.1	192.168.2.11	0xfd0d	Name error (3)	o.ry52cc.cn	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:21:15.455658913 CET	1.1.1.1	192.168.2.11	0xe5ac	Name error (3)	o.ry52cc.cn	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:21:20.829793930 CET	1.1.1.1	192.168.2.11	0x277a	Name error (3)	206.23.85.13.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Jan 2, 2025 20:21:22.580282927 CET	1.1.1.1	192.168.2.11	0x7d87	Name error (3)	o.ry52cc.cn	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:21:25.909254074 CET	1.1.1.1	192.168.2.11	0xa8b2	Name error (3)	o.ry52cc.cn	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:21:32.689306974 CET	1.1.1.1	192.168.2.11	0x465e	Name error (3)	o.ry52cc.cn	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:21:39.638465881 CET	1.1.1.1	192.168.2.11	0xb4e8	Name error (3)	o.ry52cc.cn	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:21:46.302236080 CET	1.1.1.1	192.168.2.11	0x8626	Name error (3)	o.ry52cc.cn	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:21:52.955610037 CET	1.1.1.1	192.168.2.11	0x21	Name error (3)	o.ry52cc.cn	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:21:59.627707005 CET	1.1.1.1	192.168.2.11	0x47c0	Name error (3)	o.ry52cc.cn	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:22:06.298062086 CET	1.1.1.1	192.168.2.11	0x2f11	Name error (3)	o.ry52cc.cn	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:22:12.953679085 CET	1.1.1.1	192.168.2.11	0x6bb0	Name error (3)	o.ry52cc.cn	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:22:19.626976967 CET	1.1.1.1	192.168.2.11	0x57d	Name error (3)	o.ry52cc.cn	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:22:26.281150103 CET	1.1.1.1	192.168.2.11	0x6500	Name error (3)	o.ry52cc.cn	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:22:32.940725088 CET	1.1.1.1	192.168.2.11	0xd39c	Name error (3)	o.ry52cc.cn	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:22:39.948765993 CET	1.1.1.1	192.168.2.11	0xcb38	Name error (3)	o.ry52cc.cn	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:22:46.612684965 CET	1.1.1.1	192.168.2.11	0x5af	Name error (3)	o.ry52cc.cn	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:22:53.532092094 CET	1.1.1.1	192.168.2.11	0x7963	Name error (3)	o.ry52cc.cn	none	none	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	14:20:46
Start date:	02/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase:	0x7ff68dea0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	14:20:46
Start date:	02/01/2025
Path:	C:\Windows\System32\SgrmBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\SgrmBroker.exe
Imagebase:	0x7ff730b30000
File size:	329'504 bytes
MD5 hash:	3BA1A18A0DC30A0545E7765CB97D8E63
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	14:20:46
Start date:	02/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Imagebase:	0x7ff68dea0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	14:20:46
Start date:	02/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Imagebase:	0x7ff68dea0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	14:20:47
Start date:	02/01/2025
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x400000
File size:	36'864 bytes
MD5 hash:	1D286B861D4B283BB79330B61D18FC26
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	14:20:47
Start date:	02/01/2025
Path:	C:\Windows\Systemhqe.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Systemhqe.exe
Imagebase:	0x400000
File size:	36'864 bytes
MD5 hash:	1D286B861D4B283BB79330B61D18FC26
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 89%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	14:20:47
Start date:	02/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Imagebase:	0x7ff68dea0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	14:21:47
Start date:	02/01/2025
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Imagebase:	0x7ff632d80000
File size:	468'120 bytes
MD5 hash:	B3676839B2EE96983F9ED735CD044159
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	14:21:47
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	16.3%
Total number of Nodes:	380
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 004048A6 Relevance: 56.3, APIs: 26, Strings: 6, Instructions: 297
stringserviceregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,00000000,00000000,00405D50,004061B0,000000FF,?,00404896,phqghumeay,lnlfdxfircvscxggbwkf,nqduxwfnfozvsrtkjprepggxrpnrvy,00405ECC), ref: 004048DA
LoadLibraryA.KERNEL32(KERNEL32.dll,GetWindowsDirectoryA), ref: 0040497F
GetProcAddress.KERNEL32(00000000), ref: 00404986
strlen.MSVCRT ref: 004049AB
strncmp.MSVCRT ref: 004049C2
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00404AAB

Part of subcall function 0040111D: GetTickCount.KERNEL32 ref: 00401123
Part of subcall function 0040111D: rand.MSVCRT ref: 0040112C

wsprintfA.USER32 ref: 00404A08
strcat.MSVCRT(?,004084B4), ref: 00404A1D
strcat.MSVCRT(?,?), ref: 00404A33
CopyFileA.KERNEL32(?,?,00000000), ref: 00404A4B
memset.MSVCRT ref: 00404A5F
strcpy.MSVCRT(?,?), ref: 00404A75
CreateServiceA.ADVAPI32(00000000,?,?,000F01FF,00000110,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000), ref: 00404AF3
LockServiceDatabase.ADVAPI32(00000000), ref: 00404B06
ChangeServiceConfig2A.ADVAPI32(00000000,00000001,Ys@), ref: 00404B2C
ChangeServiceConfig2A.ADVAPI32(00000000,00000002,00015180), ref: 00404BD6
UnlockServiceDatabase.ADVAPI32(?), ref: 00404BE3
GetLastError.KERNEL32 ref: 00404BF2
OpenServiceA.ADVAPI32(00000000,?,000F01FF), ref: 00404C0F
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00404C34
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00404C45
strcpy.MSVCRT(?,SYSTEM\CurrentControlSet\Services\), ref: 00404D57
strcat.MSVCRT(?,?), ref: 00404D6A
RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 00404D85
lstrlenA.KERNEL32(?), ref: 00404DE3
RegSetValueExA.KERNELBASE(?,Description,00000000,00000001,?,00000000), ref: 00404E00

Strings

KERNEL32.dll, xrefs: 0040497A
GetWindowsDirectoryA, xrefs: 00404973, 00404979
System%c%c%c.exe, xrefs: 004049FC
SYSTEM\CurrentControlSet\Services\, xrefs: 00404D49, 00404D4F
Description, xrefs: 00404DF2, 00404DF8
Ys@, xrefs: 00404B1C, 00404B22

Memory Dump Source

Source File: 00000004.00000002.1278618248.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1278598918.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278640641.0000000000406000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278657166.0000000000407000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278674251.0000000000408000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_file.jbxd

Similarity

API ID: Service$Openstrcat$ChangeConfig2DatabaseFileStartstrcpy$AddressCopyCountCreateErrorLastLibraryLoadLockManagerModuleNameProcTickUnlockValuelstrlenmemsetrandstrlenstrncmpwsprintf
String ID: Description$GetWindowsDirectoryA$KERNEL32.dll$SYSTEM\CurrentControlSet\Services\$System%c%c%c.exe$Ys@
API String ID: 1037263667-1422571387
Opcode ID: eb6b3fee18de0f0e618686b07eef1114f718871ed6bee7923be9032beb08f327
Instruction ID: ddc84bb5c17fb71005d3a5cbce47219748127c7e894e54b94b796417c92abd28
Opcode Fuzzy Hash: eb6b3fee18de0f0e618686b07eef1114f718871ed6bee7923be9032beb08f327
Instruction Fuzzy Hash: 4DE14370D482A8DFEB22CB54DC48BDDBAB86B15704F0441D9E24D7A281C7BA1B94CF65

Function 0040484B Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00404E68: strcpy.MSVCRT(00000000,SYSTEM\CurrentControlSet\Services\), ref: 00404F22
Part of subcall function 00404E68: strcat.MSVCRT(00000000,phqghumeay), ref: 00404F36
Part of subcall function 00404E68: RegOpenKeyExA.KERNELBASE(80000002,00000000,00000000,000F003F,?), ref: 00404F55
Part of subcall function 00404E68: RegCloseKey.ADVAPI32(?), ref: 00404F63

StartServiceCtrlDispatcherA.ADVAPI32(phqghumeay), ref: 0040487A

Strings

phqghumeay, xrefs: 0040485A, 00404879, 0040488C
nqduxwfnfozvsrtkjprepggxrpnrvy, xrefs: 00404882
lnlfdxfircvscxggbwkf, xrefs: 00404887

Memory Dump Source

Source File: 00000004.00000002.1278618248.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1278598918.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278640641.0000000000406000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278657166.0000000000407000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278674251.0000000000408000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_file.jbxd

Similarity

API ID: CloseCtrlDispatcherOpenServiceStartstrcatstrcpy
String ID: lnlfdxfircvscxggbwkf$nqduxwfnfozvsrtkjprepggxrpnrvy$phqghumeay
API String ID: 2081903712-1593379540
Opcode ID: 2397be007853676a9c839841e75d704087819706b2e0ecf1d7acc8175c7d6505
Instruction ID: f7d1596815c9f2c29b49f9ed5aa28e433b9c94b8e93ee437271dc918a615f366
Opcode Fuzzy Hash: 2397be007853676a9c839841e75d704087819706b2e0ecf1d7acc8175c7d6505
Instruction Fuzzy Hash: C3E0E5B2C04209A6E700FBA18D0676E77646B80308F04887E9E00B61C1D7BCA114E7AB

Function 00405D98 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00405DC5
__p__fmode.MSVCRT ref: 00405DDA
__p__commode.MSVCRT ref: 00405DE8
__setusermatherr.MSVCRT ref: 00405E14
_initterm.MSVCRT ref: 00405E2A
__getmainargs.MSVCRT ref: 00405E4D
_initterm.MSVCRT ref: 00405E5D
GetStartupInfoA.KERNEL32(?), ref: 00405E9C
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00405EC0
exit.KERNELBASE ref: 00405ED0
_XcptFilter.MSVCRT ref: 00405EE2

Memory Dump Source

Source File: 00000004.00000002.1278618248.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1278598918.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278640641.0000000000406000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278657166.0000000000407000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278674251.0000000000408000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_file.jbxd

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: b3dcb3d3aed725f02c53b639a1312d7d12e19c6bf4e79c04ef18bd16b7187e4d
Instruction ID: e9b0533161edfca8b3dd4721171a4ba11c5300663186981a96dc1615ed8767ad
Opcode Fuzzy Hash: b3dcb3d3aed725f02c53b639a1312d7d12e19c6bf4e79c04ef18bd16b7187e4d
Instruction Fuzzy Hash: E9416F71844748AFDB20DFA4DE45AAA7BB8EB09710F20413FE586B72D1C7785941CF98

Function 00404546 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 51
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0040455D
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00404573
GetTempPathA.KERNEL32(00000104,?), ref: 00404585
GetTickCount.KERNEL32 ref: 0040458B
wsprintfA.USER32 ref: 004045A8
MoveFileA.KERNEL32(?,?), ref: 004045BF
MoveFileExA.KERNEL32(?,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 004045D4
MoveFileExA.KERNEL32(?,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 004045EC

Strings

%s\%x, xrefs: 0040459C

Memory Dump Source

Source File: 00000004.00000002.1278618248.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1278598918.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278640641.0000000000406000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278657166.0000000000407000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278674251.0000000000408000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_file.jbxd

Similarity

API ID: File$Move$CountModuleNamePathTempTickmemsetwsprintf
String ID: %s\%x
API String ID: 3964544435-1694672422
Opcode ID: 673b0e1fedb8b576c61018b2bad397bf048ae2f60d28b5862c6f6fbd29d78fa5
Instruction ID: 5aa0d96a0a9caca7480b2414c1bdb656ca4030205114700bc37be99f7d342fca
Opcode Fuzzy Hash: 673b0e1fedb8b576c61018b2bad397bf048ae2f60d28b5862c6f6fbd29d78fa5
Instruction Fuzzy Hash: D911D6F5550208ABE720EB60DE8AFDA77BCDB04700F0045A5B70AF50D2EAB897948F65

Function 00404E68 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strcpy.MSVCRT(00000000,SYSTEM\CurrentControlSet\Services\), ref: 00404F22
strcat.MSVCRT(00000000,phqghumeay), ref: 00404F36
RegOpenKeyExA.KERNELBASE(80000002,00000000,00000000,000F003F,?), ref: 00404F55
RegCloseKey.ADVAPI32(?), ref: 00404F63

Strings

phqghumeay, xrefs: 00404F2A
SYSTEM\CurrentControlSet\Services\, xrefs: 00404F17, 00404F1A

Memory Dump Source

Source File: 00000004.00000002.1278618248.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1278598918.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278640641.0000000000406000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278657166.0000000000407000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278674251.0000000000408000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_file.jbxd

Similarity

API ID: CloseOpenstrcatstrcpy
String ID: SYSTEM\CurrentControlSet\Services\$phqghumeay
API String ID: 1717706559-1320492464
Opcode ID: 76d0650641b108a4a7024a2f66b41af03be49d1c5224f0d947ccd3954d1eecef
Instruction ID: a811d08a4cecba0c06c52649d059b88623e00b80f6672d41c2df3e9dcb829d50
Opcode Fuzzy Hash: 76d0650641b108a4a7024a2f66b41af03be49d1c5224f0d947ccd3954d1eecef
Instruction Fuzzy Hash: A931FF10D0C6C9D9EB02C2A8C8097EEBFB54B26349F0840D9D6847A282D7FE575887B6

Function 00404E14 Relevance: 4.5, APIs: 3, Instructions: 16
serviceregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseServiceHandle.ADVAPI32(00000000,00404E12), ref: 00404E24
CloseServiceHandle.ADVAPI32(00000000,00404E12), ref: 00404E3A
RegCloseKey.KERNELBASE(00000000,00404E12), ref: 00404E50

Memory Dump Source

Source File: 00000004.00000002.1278618248.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1278598918.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278640641.0000000000406000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278657166.0000000000407000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278674251.0000000000408000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_file.jbxd

Similarity

API ID: Close$HandleService
String ID:
API String ID: 907781861-0
Opcode ID: df88ba2420c4e5576af235a9d1b9512e1e2c95130368c118f5465ae420b4160a
Instruction ID: 6b40e544d4cc24b11f69b6f6fb2a8579f0677bf83d93bcc87397db4c4dca0c73
Opcode Fuzzy Hash: df88ba2420c4e5576af235a9d1b9512e1e2c95130368c118f5465ae420b4160a
Instruction Fuzzy Hash: 6FE092B0901224CBCB36DB64DA4C79E7379AB80702F1080F8A20E7A190C7386FC4CF88

Non-executed Functions

Function 00403FFB Relevance: 101.8, APIs: 39, Strings: 19, Instructions: 339
stringregistrysleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004032D6: htons.WS2_32(0000150C), ref: 004032E9
Part of subcall function 004032D6: socket.WS2_32(00000002,00000001,00000000), ref: 00403309
Part of subcall function 004032D6: connect.WS2_32(?,00000002,00000010), ref: 0040331C
Part of subcall function 004032D6: closesocket.WS2_32(?), ref: 0040332B

strcpy.MSVCRT(?,SOFTWARE\Microsoft\Windows NT\CurrentVersion), ref: 00404028
RegOpenKeyExA.ADVAPI32(80000002,?,00000000,000F003F,?), ref: 0040404A
RegQueryValueExA.ADVAPI32(?,ProductName,00000000,?,?,000000C8), ref: 00404081
RegCloseKey.ADVAPI32(?), ref: 0040408E
strstr.MSVCRT ref: 004040A0
strcpy.MSVCRT(?,Windows Server 2000), ref: 004040B8
GetSystemInfo.KERNEL32(?), ref: 0040426A
Sleep.KERNEL32(00000BB8), ref: 00404281
sprintf.MSVCRT ref: 004042AD
strlen.MSVCRT ref: 004042BE
send.WS2_32(00000000,?,-00000001,00000000), ref: 004042D8
closesocket.WS2_32(00000000), ref: 004042E9

Strings

2012, xrefs: 004041BA
XXOOXXOO:%s|%d|%d|%s, xrefs: 004042A1
Windows 2012, xrefs: 004041D2
2003, xrefs: 004040F6
ProductName, xrefs: 00404075
Windows Server 2003, xrefs: 0040410E
@, xrefs: 0040436C
Windows Server 2008, xrefs: 00404170
Windows Vista, xrefs: 0040413F
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0040401C
Windows Server 2000, xrefs: 004040AC
Windows 10, xrefs: 0040422E
Windows 8, xrefs: 00404200
Windows NT, xrefs: 00404244
2008, xrefs: 00404158
Windows 7, xrefs: 004041A1
2000, xrefs: 00404094
Vista, xrefs: 00404127
Windows XP, xrefs: 004040DD

Memory Dump Source

Source File: 00000004.00000002.1278618248.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1278598918.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278640641.0000000000406000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278657166.0000000000407000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278674251.0000000000408000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_file.jbxd

Similarity

API ID: closesocketstrcpy$CloseInfoOpenQuerySleepSystemValueconnecthtonssendsocketsprintfstrlenstrstr
String ID: 2000$2003$2008$2012$@$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Vista$Windows 10$Windows 2012$Windows 7$Windows 8$Windows NT$Windows Server 2000$Windows Server 2003$Windows Server 2008$Windows Vista$Windows XP$XXOOXXOO:%s|%d|%d|%s
API String ID: 2276446589-4144121823
Opcode ID: 1a00aab1a2a436a703ab47969b9531ba76967906b80bea421ad8515685bde7b6
Instruction ID: 802e32aad8890fc60cc3bc0f9a75c956b0c585cd7c6da6b902cdcbc85f51d513
Opcode Fuzzy Hash: 1a00aab1a2a436a703ab47969b9531ba76967906b80bea421ad8515685bde7b6
Instruction Fuzzy Hash: 94D1B3B1900318A7DB20EB50DD49FAA7278AB94705F1085BFF709721C1EE799B84CF99

Function 004050D7 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?), ref: 004050E4
??2@YAPAXI@Z.MSVCRT(?), ref: 0040510F
memset.MSVCRT ref: 00405136
memcpy.MSVCRT(?,?,00000008), ref: 0040514B

Memory Dump Source

Source File: 00000004.00000002.1278618248.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1278598918.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278640641.0000000000406000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278657166.0000000000407000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278674251.0000000000408000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_file.jbxd

Similarity

API ID: ??2@InfoSystemmemcpymemset
String ID:
API String ID: 1901411096-0
Opcode ID: 3b5abddb217f4ae06170e9385111b0eab8c62a40be7fed8196b49d535b0ec2cc
Instruction ID: e5b3322a5e119529ebe03db6c37c60a26b796171c60119775832e56069a878da
Opcode Fuzzy Hash: 3b5abddb217f4ae06170e9385111b0eab8c62a40be7fed8196b49d535b0ec2cc
Instruction Fuzzy Hash: 5F110A75E002089BCB08DFA8D885ADEB7B5EB98300F10C16AE8157B386D635E955CFA4

Function 004039FC Relevance: 105.4, APIs: 41, Strings: 19, Instructions: 351
stringregistrysleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040395F: htons.WS2_32(00000015), ref: 004039A9
Part of subcall function 0040395F: socket.WS2_32(00000002,00000001,00000000), ref: 004039C8
Part of subcall function 0040395F: connect.WS2_32(?,00000002,00000010), ref: 004039DB
Part of subcall function 0040395F: closesocket.WS2_32(?), ref: 004039EA

strcpy.MSVCRT(?,SOFTWARE\Microsoft\Windows NT\CurrentVersion), ref: 00403A29
RegOpenKeyExA.ADVAPI32(80000002,?,00000000,000F003F,?), ref: 00403A4B
RegQueryValueExA.ADVAPI32(?,ProductName,00000000,?,?,000000C8), ref: 00403A82
RegCloseKey.ADVAPI32(?), ref: 00403A8F
strstr.MSVCRT ref: 00403AA1
strcpy.MSVCRT(?,Windows Server 2000), ref: 00403AB9
GetSystemInfo.KERNEL32(?), ref: 00403C6B
Sleep.KERNEL32(00000BB8), ref: 00403C82
sprintf.MSVCRT ref: 00403CAE
strlen.MSVCRT ref: 00403CBF
send.WS2_32(00000000,?,-00000001,00000000), ref: 00403CD9
closesocket.WS2_32(00000000), ref: 00403CEA

Strings

@, xrefs: 00403D6D
2008, xrefs: 00403B59
Windows Server 2008, xrefs: 00403B71
2003, xrefs: 00403AF7
XXOOXXOO:%s|%d|%d|%s, xrefs: 00403CA2
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 00403A1D
Windows 8, xrefs: 00403C01
Windows 10, xrefs: 00403C2F
Windows XP, xrefs: 00403ADE
Windows NT, xrefs: 00403C45
Windows 7, xrefs: 00403BA2
Windows Server 2003, xrefs: 00403B0F
Vista, xrefs: 00403B28
ProductName, xrefs: 00403A76
Windows Vista, xrefs: 00403B40
2000, xrefs: 00403A95
Windows Server 2000, xrefs: 00403AAD
2012, xrefs: 00403BBB
Windows 2012, xrefs: 00403BD3

Memory Dump Source

Source File: 00000004.00000002.1278618248.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1278598918.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278640641.0000000000406000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278657166.0000000000407000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278674251.0000000000408000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_file.jbxd

Similarity

API ID: closesocketstrcpy$CloseInfoOpenQuerySleepSystemValueconnecthtonssendsocketsprintfstrlenstrstr
String ID: 2000$2003$2008$2012$@$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Vista$Windows 10$Windows 2012$Windows 7$Windows 8$Windows NT$Windows Server 2000$Windows Server 2003$Windows Server 2008$Windows Vista$Windows XP$XXOOXXOO:%s|%d|%d|%s
API String ID: 2276446589-4144121823
Opcode ID: 00a7f91b9c0966fb5a9910401efcf838a6505e27283ee2cbc6bc2790fef36d28
Instruction ID: f235cde1a917e1bc2804ff82b889cdad9888d1a5da00452829f42721623e6625
Opcode Fuzzy Hash: 00a7f91b9c0966fb5a9910401efcf838a6505e27283ee2cbc6bc2790fef36d28
Instruction Fuzzy Hash: 01D1BF71900218ABDB20EF60DD45FAA7738AB44701F1085BEF609B61C1EF799B84CF99

Function 00401FCF Relevance: 70.3, APIs: 33, Strings: 7, Instructions: 311
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.MSVCRT(?,?,00000118), ref: 00402012
WSAStartup.WS2_32(00000102,?), ref: 0040207C
fprintf.MSVCRT ref: 004020A2
WSASocketA.WS2_32(00000002,00000003,000000FF,00000000,00000000,00000001), ref: 004020B9
WSAGetLastError.WS2_32(?,?,?,?,?,?,000000FF), ref: 004020C8
fprintf.MSVCRT ref: 004020D9
setsockopt.WS2_32(000000FF,00000000,00000002,00000001,00000004), ref: 004020F9
printf.MSVCRT ref: 00402113
setsockopt.WS2_32(000000FF,0000FFFF,00001005,?,00000004), ref: 00402139
memset.MSVCRT ref: 0040218C

Part of subcall function 0040114D: inet_addr.WS2_32(?), ref: 00401157
Part of subcall function 0040114D: gethostbyname.WS2_32(?), ref: 0040116A

htons.WS2_32(00000028), ref: 004021B8
inet_addr.WS2_32(?), ref: 004021E3
rand.MSVCRT ref: 004021F5
htons.WS2_32 ref: 00402203
htons.WS2_32(?), ref: 00402218
htonl.WS2_32(?), ref: 00402231
htons.WS2_32(00004000), ref: 0040225A
htons.WS2_32(00000014), ref: 0040229B
_local_unwind2.MSVCRT ref: 004022F9
rand.MSVCRT ref: 00402332
rand.MSVCRT ref: 00402343
rand.MSVCRT ref: 00402354
rand.MSVCRT ref: 00402365
sprintf.MSVCRT ref: 00402382
inet_addr.WS2_32(?), ref: 00402397
htonl.WS2_32(?), ref: 004023AD
memcpy.MSVCRT(?,?,0000000C), ref: 004023DB
memcpy.MSVCRT(?,?,00000014), ref: 004023F3
memcpy.MSVCRT(?,00000045,00000014), ref: 00402420
memcpy.MSVCRT(?,?,00000014), ref: 00402438
memset.MSVCRT ref: 0040244B

Strings

WSAStartup failed: %d, xrefs: 00402098
E, xrefs: 004021B2
P, xrefs: 00402247
(, xrefs: 00402453
%d.%d.%d.%d, xrefs: 00402376
Set IP_HDRINCL Error!, xrefs: 0040210E
WSASocket() failed: %d, xrefs: 004020CF

Memory Dump Source

Source File: 00000004.00000002.1278618248.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1278598918.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278640641.0000000000406000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278657166.0000000000407000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278674251.0000000000408000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_file.jbxd

Similarity

API ID: htonsmemcpyrand$inet_addr$fprintfhtonlmemsetsetsockopt$ErrorLastSocketStartup_local_unwind2gethostbynameprintfsprintf
String ID: %d.%d.%d.%d$($E$P$Set IP_HDRINCL Error!$WSASocket() failed: %d$WSAStartup failed: %d
API String ID: 1846842347-878675699
Opcode ID: da3699f669ba1dd641337ea84b96e98e7900e972e274363b06437990af5d0c14
Instruction ID: 20e9b25a680cac92a1dac3749700d9e4e1997eb56ab2c98728ddf45d447b9358
Opcode Fuzzy Hash: da3699f669ba1dd641337ea84b96e98e7900e972e274363b06437990af5d0c14
Instruction Fuzzy Hash: F9D16AB1D503199BEB20DB60CC49FDEB778AF48704F0041AAE169B62C1E6F917C48F69

Function 00401190 Relevance: 70.3, APIs: 33, Strings: 7, Instructions: 311
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.MSVCRT(?,?,00000118), ref: 004011D3
WSAStartup.WS2_32(00000102,?), ref: 0040123D
fprintf.MSVCRT ref: 00401263
WSASocketA.WS2_32(00000002,00000003,000000FF,00000000,00000000,00000001), ref: 0040127A
WSAGetLastError.WS2_32(?,?,?,?,?,?,000000FF), ref: 00401289
fprintf.MSVCRT ref: 0040129A
setsockopt.WS2_32(000000FF,00000000,00000002,00000001,00000004), ref: 004012BA
printf.MSVCRT ref: 004012D4
setsockopt.WS2_32(000000FF,0000FFFF,00001005,?,00000004), ref: 004012FA
memset.MSVCRT ref: 0040134D

Part of subcall function 0040114D: inet_addr.WS2_32(?), ref: 00401157
Part of subcall function 0040114D: gethostbyname.WS2_32(?), ref: 0040116A

htons.WS2_32(00000028), ref: 00401379
inet_addr.WS2_32(?), ref: 004013A4
rand.MSVCRT ref: 004013B6
htons.WS2_32 ref: 004013C4
htons.WS2_32(?), ref: 004013D9
htonl.WS2_32(?), ref: 004013F2
htons.WS2_32(00004000), ref: 0040141B
htons.WS2_32(00000014), ref: 0040145C
_local_unwind2.MSVCRT ref: 004014BA
rand.MSVCRT ref: 004014F3
rand.MSVCRT ref: 00401504
rand.MSVCRT ref: 00401515
rand.MSVCRT ref: 00401526
sprintf.MSVCRT ref: 00401543
inet_addr.WS2_32(?), ref: 00401558
htonl.WS2_32(?), ref: 0040156E
memcpy.MSVCRT(?,?,0000000C), ref: 0040159C
memcpy.MSVCRT(?,?,00000014), ref: 004015B4
memcpy.MSVCRT(?,00000045,00000014), ref: 004015E1
memcpy.MSVCRT(?,?,00000014), ref: 004015F9
memset.MSVCRT ref: 0040160C

Strings

WSASocket() failed: %d, xrefs: 00401290
Set IP_HDRINCL Error!, xrefs: 004012CF
P, xrefs: 00401408
%d.%d.%d.%d, xrefs: 00401537
WSAStartup failed: %d, xrefs: 00401259
(, xrefs: 00401614
E, xrefs: 00401373

Memory Dump Source

Source File: 00000004.00000002.1278618248.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1278598918.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278640641.0000000000406000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278657166.0000000000407000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278674251.0000000000408000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_file.jbxd

Similarity

API ID: htonsmemcpyrand$inet_addr$fprintfhtonlmemsetsetsockopt$ErrorLastSocketStartup_local_unwind2gethostbynameprintfsprintf
String ID: %d.%d.%d.%d$($E$P$Set IP_HDRINCL Error!$WSASocket() failed: %d$WSAStartup failed: %d
API String ID: 1846842347-878675699
Opcode ID: e5ff427615f747fd6b5e7bcd6e710d3d37d062b9ea958ecb812e4d7084f4bad3
Instruction ID: 5e59592a32ad7a4f9840655d7ec24cf65f5d3b10420301201df7bd79668f1317
Opcode Fuzzy Hash: e5ff427615f747fd6b5e7bcd6e710d3d37d062b9ea958ecb812e4d7084f4bad3
Instruction Fuzzy Hash: BFD17BB1D503199BDB20DB60CC49FDEB778AF48704F0045EAE169B62D1E6B907C48F6A

Function 00402EC7 Relevance: 33.4, APIs: 13, Strings: 6, Instructions: 134
libraryloaderfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(wininet.dll), ref: 00402F05
GetProcAddress.KERNEL32(?,InternetOpenA), ref: 00402F17
FreeLibrary.KERNEL32(00000000), ref: 00402F49
GetProcAddress.KERNEL32(?,InternetOpenUrlA), ref: 00402F5F
FreeLibrary.KERNEL32(00000000), ref: 00402F94
CreateFileA.KERNEL32(00000001,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00402FB4
memset.MSVCRT ref: 00402FDB
GetProcAddress.KERNEL32(?,InternetReadFile), ref: 00402FEC
WriteFile.KERNEL32(000000FF,?,00000000,00000000,00000000), ref: 00403058
CloseHandle.KERNEL32(000000FF), ref: 00403072
Sleep.KERNEL32(00000001), ref: 0040307A
GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 00403089
FreeLibrary.KERNEL32(00000000), ref: 004030AD

Strings

InternetOpenUrlA, xrefs: 00402F56
InternetOpenA, xrefs: 00402F0E
MSIE 6.0, xrefs: 00402F28
InternetReadFile, xrefs: 00402FE3
wininet.dll, xrefs: 00402F00
InternetCloseHandle, xrefs: 00403080

Memory Dump Source

Source File: 00000004.00000002.1278618248.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1278598918.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278640641.0000000000406000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278657166.0000000000407000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278674251.0000000000408000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_file.jbxd

Similarity

API ID: AddressLibraryProc$Free$File$CloseCreateHandleLoadSleepWritememset
String ID: InternetCloseHandle$InternetOpenA$InternetOpenUrlA$InternetReadFile$MSIE 6.0$wininet.dll
API String ID: 683241894-4269851202
Opcode ID: 95cb8328261dceeb03cc35ea7d77830b9ff5521f34750c3da9d8994d616deb61
Instruction ID: 22ba6335609661dcd7fd72d8973190791ee57a9960577a8202563918c44b35b4
Opcode Fuzzy Hash: 95cb8328261dceeb03cc35ea7d77830b9ff5521f34750c3da9d8994d616deb61
Instruction Fuzzy Hash: 7551F1B5A40218AFDB20DFA0CD49BEE7B74AF08705F5041A9F606B62C0C7795A85CF5D

Function 004036CD Relevance: 24.2, APIs: 16, Instructions: 188
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.1278618248.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1278598918.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278640641.0000000000406000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278657166.0000000000407000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278674251.0000000000408000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b4cb4dbb08bd3c5ac4bc471a37251c35482052054573a4338dc82b526bcd5fe
Instruction ID: 12057715b15e4bff95f6bbdf1a98955074afccefc94fdebf973198f540c6e4b2
Opcode Fuzzy Hash: 5b4cb4dbb08bd3c5ac4bc471a37251c35482052054573a4338dc82b526bcd5fe
Instruction Fuzzy Hash: A371FFB0644204FBDB04CF94CE89FAD7BB5BB44705F2080AAF5467B2D0C7B96B41AB59

Function 0040343B Relevance: 24.2, APIs: 16, Instructions: 188
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.1278618248.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1278598918.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278640641.0000000000406000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278657166.0000000000407000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278674251.0000000000408000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 172c1c28881b180fd94eea58cf0f15981e052242e26dd09486257aa3f6aa364c
Instruction ID: 517ef12de7895c2b57f2298a320f9cec570e0d57db15f344f1775425e9bba1ef
Opcode Fuzzy Hash: 172c1c28881b180fd94eea58cf0f15981e052242e26dd09486257aa3f6aa364c
Instruction Fuzzy Hash: C2713A70644208FBDB04CF90DD49BAD7BB9BB44706F30806AF6467B2D0C7B96B41AB59

Function 00401A44 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 170
stringthreadnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.MSVCRT(?,?,00000118), ref: 00401A63
ExitThread.KERNEL32 ref: 00401A83
wsprintfA.USER32 ref: 00401B0C
strlen.MSVCRT ref: 00401B43
send.WS2_32(?,?,-00000001,00000000), ref: 00401B5D
closesocket.WS2_32(?), ref: 00401B6A

Strings

%c%c%c%c%c%c%c%c.%s, xrefs: 00401BE7
%c%c%c%c%c%c%c%c%s, xrefs: 00401B00

Memory Dump Source

Source File: 00000004.00000002.1278618248.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1278598918.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278640641.0000000000406000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278657166.0000000000407000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278674251.0000000000408000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_file.jbxd

Similarity

API ID: ExitThreadclosesocketmemcpysendstrlenwsprintf
String ID: %c%c%c%c%c%c%c%c%s$%c%c%c%c%c%c%c%c.%s
API String ID: 3102603583-3176756361
Opcode ID: 71c34f0ced3861ba9fe66cc5bf42b470322efc773240954c9547cde8edfd6dc6
Instruction ID: 1238b62af3d0bdbc50e0538c59d979ba8e13356075ec0e44a509e34ce2249e5e
Opcode Fuzzy Hash: 71c34f0ced3861ba9fe66cc5bf42b470322efc773240954c9547cde8edfd6dc6
Instruction Fuzzy Hash: 165164F3E4010877EF44ABA0EC47FAE7168AB54304F0440B6FB09B92D2F575AB554A6B

Function 00402883 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 170
stringthreadnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.MSVCRT(?,?,00000118), ref: 004028A2
ExitThread.KERNEL32 ref: 004028C2
wsprintfA.USER32 ref: 0040294B
strlen.MSVCRT ref: 00402982
send.WS2_32(?,?,-00000001,00000000), ref: 0040299C
closesocket.WS2_32(?), ref: 004029A9

Strings

%c%c%c%c%c%c%c%c%s, xrefs: 0040293F
%c%c%c%c%c%c%c%c.%s, xrefs: 00402A26

Memory Dump Source

Source File: 00000004.00000002.1278618248.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1278598918.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278640641.0000000000406000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278657166.0000000000407000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278674251.0000000000408000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_file.jbxd

Similarity

API ID: ExitThreadclosesocketmemcpysendstrlenwsprintf
String ID: %c%c%c%c%c%c%c%c%s$%c%c%c%c%c%c%c%c.%s
API String ID: 3102603583-3176756361
Opcode ID: ca8fa067eefdb34945f2d4bd4bea33a4e068cb74d718b52d8bdf502316294f29
Instruction ID: 929e72273ec245c799fcb709ae5862dbe23c1d79b34a1fee0b5b2dab238f489c
Opcode Fuzzy Hash: ca8fa067eefdb34945f2d4bd4bea33a4e068cb74d718b52d8bdf502316294f29
Instruction Fuzzy Hash: C75177F3E4010877EF4467A0DC47FAE7268AB54304F0440B5FB09B92D2F575AB554A6B

Function 00402BCC Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 83sleepstringthreadCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,00000118), ref: 00402BEC
wsprintfA.USER32 ref: 00402C30

Part of subcall function 004010DA: inet_addr.WS2_32(?), ref: 004010E4
Part of subcall function 004010DA: gethostbyname.WS2_32(?), ref: 004010F7

Part of subcall function 00401074: socket.WS2_32(00000002,00000001,00000000), ref: 00401080

wsprintfA.USER32 ref: 00402C5C
ExitThread.KERNEL32 ref: 00402C79
strlen.MSVCRT ref: 00402CAD
send.WS2_32(?,00000000,-00000001,00000000), ref: 00402CC7
closesocket.WS2_32(?), ref: 00402CD4
Sleep.KERNEL32(00000032), ref: 00402CDC

Strings

P, xrefs: 00402C0D
GET %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:Mo, xrefs: 00402C50
POST %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:M, xrefs: 00402C24

Memory Dump Source

Source File: 00000004.00000002.1278618248.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1278598918.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278640641.0000000000406000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278657166.0000000000407000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278674251.0000000000408000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_file.jbxd

Similarity

API ID: wsprintf$ExitSleepThreadclosesocketgethostbynameinet_addrmemcpysendsocketstrlen
String ID: GET %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:Mo$P$POST %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:M
API String ID: 154462434-1912558112
Opcode ID: df110f8bc908860bb4162b2fdcc99f3b9363853b4f998da4e01779a3e2c3f2d0
Instruction ID: 8896fb7e1c9864b4baf9e6d5e8a865d74aea116e9e1a1b5532e7031fe9cde2ae
Opcode Fuzzy Hash: df110f8bc908860bb4162b2fdcc99f3b9363853b4f998da4e01779a3e2c3f2d0
Instruction Fuzzy Hash: 3231A4F2900118ABDB14DB64CD49FDF7778AB48301F0045FAE70AB6281E6745B958F59

Function 00401C6C Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 83sleepstringthreadCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,00000118), ref: 00401C8C
wsprintfA.USER32 ref: 00401CD0

Part of subcall function 004010DA: inet_addr.WS2_32(?), ref: 004010E4
Part of subcall function 004010DA: gethostbyname.WS2_32(?), ref: 004010F7

Part of subcall function 00401074: socket.WS2_32(00000002,00000001,00000000), ref: 00401080

wsprintfA.USER32 ref: 00401CFC
ExitThread.KERNEL32 ref: 00401D19
strlen.MSVCRT ref: 00401D4D
send.WS2_32(?,00000000,-00000001,00000000), ref: 00401D67
closesocket.WS2_32(?), ref: 00401D74
Sleep.KERNEL32(00000032), ref: 00401D7C

Strings

GET %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:Mo, xrefs: 00401CF0
GET %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:Mo, xrefs: 00401CC4
P, xrefs: 00401CAD

Memory Dump Source

Source File: 00000004.00000002.1278618248.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1278598918.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278640641.0000000000406000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278657166.0000000000407000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278674251.0000000000408000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_file.jbxd

Similarity

API ID: wsprintf$ExitSleepThreadclosesocketgethostbynameinet_addrmemcpysendsocketstrlen
String ID: GET %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:Mo$GET %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:Mo$P
API String ID: 154462434-2388081876
Opcode ID: 53183e0abc2f4f9f1189f1a366ac6c965d2657aaee48a759cbac26da2936ec1e
Instruction ID: 45b6686e291ba135dd7788b18d7bce6fc68adcbb1477829a5583968df3fa6b54
Opcode Fuzzy Hash: 53183e0abc2f4f9f1189f1a366ac6c965d2657aaee48a759cbac26da2936ec1e
Instruction Fuzzy Hash: 9C31D4F2D00118ABDB10DB64DC45FEB7778AF48301F0045BAE70AB2191E6746B858F69

Function 00402CED Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 83sleepstringthreadCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,00000118), ref: 00402D0D
wsprintfA.USER32 ref: 00402D51

Part of subcall function 004010DA: inet_addr.WS2_32(?), ref: 004010E4
Part of subcall function 004010DA: gethostbyname.WS2_32(?), ref: 004010F7

Part of subcall function 00401074: socket.WS2_32(00000002,00000001,00000000), ref: 00401080

wsprintfA.USER32 ref: 00402D7D
ExitThread.KERNEL32 ref: 00402D9A
strlen.MSVCRT ref: 00402DCE
send.WS2_32(?,00000000,-00000001,00000000), ref: 00402DE8
closesocket.WS2_32(?), ref: 00402DF5
Sleep.KERNEL32(00000032), ref: 00402DFD

Strings

P, xrefs: 00402D2E
GET %s HTTP/1.1Host: %s, xrefs: 00402D45
GET %s HTTP/1.1Host: %s:%d, xrefs: 00402D71

Memory Dump Source

Source File: 00000004.00000002.1278618248.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1278598918.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278640641.0000000000406000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278657166.0000000000407000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278674251.0000000000408000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_file.jbxd

Similarity

API ID: wsprintf$ExitSleepThreadclosesocketgethostbynameinet_addrmemcpysendsocketstrlen
String ID: GET %s HTTP/1.1Host: %s$GET %s HTTP/1.1Host: %s:%d$P
API String ID: 154462434-1069297859
Opcode ID: 8f2ac87358f9a8d5d2bd41150b58849e2fd3683b15391c02120d2f6df87ff6ce
Instruction ID: fff3a6067a2630bb3bc1e9f737657de35c2815911e891584a9d2263832ca7c7d
Opcode Fuzzy Hash: 8f2ac87358f9a8d5d2bd41150b58849e2fd3683b15391c02120d2f6df87ff6ce
Instruction Fuzzy Hash: 4231C4F2900218ABDB10DB54CD45FDB777CAF48301F0041BAE70AB6181E6745B858FA9

Function 00401D8D Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 83sleepstringthreadCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,00000118), ref: 00401DAD
wsprintfA.USER32 ref: 00401DF1

Part of subcall function 004010DA: inet_addr.WS2_32(?), ref: 004010E4
Part of subcall function 004010DA: gethostbyname.WS2_32(?), ref: 004010F7

Part of subcall function 00401074: socket.WS2_32(00000002,00000001,00000000), ref: 00401080

wsprintfA.USER32 ref: 00401E1D
ExitThread.KERNEL32 ref: 00401E3A
strlen.MSVCRT ref: 00401E6E
send.WS2_32(?,00000000,-00000001,00000000), ref: 00401E88
closesocket.WS2_32(?), ref: 00401E95
Sleep.KERNEL32(00000032), ref: 00401E9D

Strings

POST %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:M, xrefs: 00401DE5
P, xrefs: 00401DCE
GET %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:Mo, xrefs: 00401E11

Memory Dump Source

Source File: 00000004.00000002.1278618248.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1278598918.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278640641.0000000000406000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278657166.0000000000407000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278674251.0000000000408000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_file.jbxd

Similarity

API ID: wsprintf$ExitSleepThreadclosesocketgethostbynameinet_addrmemcpysendsocketstrlen
String ID: GET %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:Mo$P$POST %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:M
API String ID: 154462434-1912558112
Opcode ID: 2af80075af831c4008d09f3f96540f850d6949dcbfe8ab437d85dd57497d2db9
Instruction ID: a6b99945afbe447f8bdaecfe330ce57f9cdbf6324ea44ce5b564f32879747ad1
Opcode Fuzzy Hash: 2af80075af831c4008d09f3f96540f850d6949dcbfe8ab437d85dd57497d2db9
Instruction Fuzzy Hash: 7731D4F2D00118ABDB10DB64CC45FEFB378AF48301F0041BAE70AB6191E6746B958FA9

Function 00402AAB Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 83sleepstringthreadCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,00000118), ref: 00402ACB
wsprintfA.USER32 ref: 00402B0F

Part of subcall function 004010DA: inet_addr.WS2_32(?), ref: 004010E4
Part of subcall function 004010DA: gethostbyname.WS2_32(?), ref: 004010F7

Part of subcall function 00401074: socket.WS2_32(00000002,00000001,00000000), ref: 00401080

wsprintfA.USER32 ref: 00402B3B
ExitThread.KERNEL32 ref: 00402B58
strlen.MSVCRT ref: 00402B8C
send.WS2_32(?,00000000,-00000001,00000000), ref: 00402BA6
closesocket.WS2_32(?), ref: 00402BB3
Sleep.KERNEL32(00000032), ref: 00402BBB

Strings

P, xrefs: 00402AEC
GET %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:Mo, xrefs: 00402B2F
GET %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:Mo, xrefs: 00402B03

Memory Dump Source

Source File: 00000004.00000002.1278618248.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1278598918.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278640641.0000000000406000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278657166.0000000000407000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278674251.0000000000408000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_file.jbxd

Similarity

API ID: wsprintf$ExitSleepThreadclosesocketgethostbynameinet_addrmemcpysendsocketstrlen
String ID: GET %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:Mo$GET %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:Mo$P
API String ID: 154462434-2388081876
Opcode ID: 9298624c8e1cd6283d0ab6827bce019e84d39c546a8de6f8c5644b108d3af92e
Instruction ID: b23db13192b3788b63b1b506df417dcc76435c4f3cc11f61f17a21f45d5f02b5
Opcode Fuzzy Hash: 9298624c8e1cd6283d0ab6827bce019e84d39c546a8de6f8c5644b108d3af92e
Instruction Fuzzy Hash: 6D31B3F2900118ABDB14DB64CD45FDBB778AB44301F0041FAE70AB6181E6746B958F69

Function 00401EAE Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 83sleepstringthreadCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,00000118), ref: 00401ECE
wsprintfA.USER32 ref: 00401F12

Part of subcall function 004010DA: inet_addr.WS2_32(?), ref: 004010E4
Part of subcall function 004010DA: gethostbyname.WS2_32(?), ref: 004010F7

Part of subcall function 00401074: socket.WS2_32(00000002,00000001,00000000), ref: 00401080

wsprintfA.USER32 ref: 00401F3E
ExitThread.KERNEL32 ref: 00401F5B
strlen.MSVCRT ref: 00401F8F
send.WS2_32(?,00000000,-00000001,00000000), ref: 00401FA9
closesocket.WS2_32(?), ref: 00401FB6
Sleep.KERNEL32(00000032), ref: 00401FBE

Strings

P, xrefs: 00401EEF
GET %s HTTP/1.1Host: %s:%d, xrefs: 00401F32
GET %s HTTP/1.1Host: %s, xrefs: 00401F06

Memory Dump Source

Source File: 00000004.00000002.1278618248.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1278598918.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278640641.0000000000406000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278657166.0000000000407000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278674251.0000000000408000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_file.jbxd

Similarity

API ID: wsprintf$ExitSleepThreadclosesocketgethostbynameinet_addrmemcpysendsocketstrlen
String ID: GET %s HTTP/1.1Host: %s$GET %s HTTP/1.1Host: %s:%d$P
API String ID: 154462434-1069297859
Opcode ID: ee66044a3dc641d93d1b3e0c30ead929e13fdc4d5c83b316f3624db1efc017d3
Instruction ID: eca8cc41eef249492272eb02307d9ef7a06d7c075444b2e363efce4dd12abecc
Opcode Fuzzy Hash: ee66044a3dc641d93d1b3e0c30ead929e13fdc4d5c83b316f3624db1efc017d3
Instruction Fuzzy Hash: 8C31A4F2900118ABDB10DBA4CC45FDB7778AF48301F0045FAE70AB6191E7755B958F59

Function 0040515E Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 261libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll,NtQuerySystemInformation), ref: 00405185
GetProcAddress.KERNEL32(00000000), ref: 0040518C

Strings

NtQuerySystemInformation, xrefs: 0040517B
ntdll, xrefs: 00405180

Memory Dump Source

Source File: 00000004.00000002.1278618248.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1278598918.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278640641.0000000000406000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278657166.0000000000407000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278674251.0000000000408000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_file.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: NtQuerySystemInformation$ntdll
API String ID: 1646373207-3593917365
Opcode ID: c4be4d57a3522ae43abd89f4c0ee8544aa4e2301068ec1a9cad122ca17f8694d
Instruction ID: 3264232e6a7bfee26da61973510c67d1dacd9247a3d6e3d6b7b8354ee11b32c5
Opcode Fuzzy Hash: c4be4d57a3522ae43abd89f4c0ee8544aa4e2301068ec1a9cad122ca17f8694d
Instruction Fuzzy Hash: 14C12C74A00609DFDB28CF54DA95B9EB7B5FB58310F21816DD806AB392CB34E952CF84

Function 004030E2 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 96stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 004030FB
??2@YAPAXI@Z.MSVCRT(-00000001), ref: 0040311A
memcpy.MSVCRT(00000000,?,-00000001), ref: 0040313A
strrchr.MSVCRT ref: 00403148
??3@YAXPAX@Z.MSVCRT(?), ref: 0040318F

Strings

D, xrefs: 004031AE

Memory Dump Source

Source File: 00000004.00000002.1278618248.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1278598918.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278640641.0000000000406000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278657166.0000000000407000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278674251.0000000000408000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_file.jbxd

Similarity

API ID: ??2@??3@memcpystrlenstrrchr
String ID: D
API String ID: 2685092370-2746444292
Opcode ID: 95e34ce429fc10a3249ac51d20dd093f4ba7e8e7093b3f8e0ca4c3437270c73f
Instruction ID: 9a0e29f2f4d9fd1375a805a68f984a3708dc3e3ffaf2d3f3e0abf3b5249a97fc
Opcode Fuzzy Hash: 95e34ce429fc10a3249ac51d20dd093f4ba7e8e7093b3f8e0ca4c3437270c73f
Instruction Fuzzy Hash: A8315EF1D002099BDB00DFE4CC4ABAFBBB9AF48304F10453AE505BB281E6799A45CB95

Function 0040195F Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 67sleepstringthreadCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,00000118), ref: 0040197F
wsprintfA.USER32 ref: 004019B3
ExitThread.KERNEL32 ref: 004019D0
strlen.MSVCRT ref: 00401A04
send.WS2_32(?,00000000,-00000001,00000000), ref: 00401A1E
closesocket.WS2_32(?), ref: 00401A2B
Sleep.KERNEL32(00000032), ref: 00401A33

Strings

GET %s HTTP/1.1, xrefs: 004019A7

Memory Dump Source

Source File: 00000004.00000002.1278618248.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1278598918.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278640641.0000000000406000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278657166.0000000000407000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278674251.0000000000408000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_file.jbxd

Similarity

API ID: ExitSleepThreadclosesocketmemcpysendstrlenwsprintf
String ID: GET %s HTTP/1.1
API String ID: 2428105366-1228824774
Opcode ID: af700700319e85517c0fe3d12fd47b262259b98475dde106fc30792fa5e9a691
Instruction ID: 87035f9a59ba0ee08f4bfd36adc0c1830135b250edc15aaf9ee70e326725c221
Opcode Fuzzy Hash: af700700319e85517c0fe3d12fd47b262259b98475dde106fc30792fa5e9a691
Instruction Fuzzy Hash: 7821A4F2900208ABD710DB64DD45FEB7778AB84301F0045BAE705B6291EA359B558F99

Function 0040279E Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 67sleepstringthreadCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,00000118), ref: 004027BE
wsprintfA.USER32 ref: 004027F2
ExitThread.KERNEL32 ref: 0040280F
strlen.MSVCRT ref: 00402843
send.WS2_32(?,00000000,-00000001,00000000), ref: 0040285D
closesocket.WS2_32(?), ref: 0040286A
Sleep.KERNEL32(00000032), ref: 00402872

Strings

GET %s HTTP/1.1, xrefs: 004027E6

Memory Dump Source

Source File: 00000004.00000002.1278618248.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1278598918.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278640641.0000000000406000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278657166.0000000000407000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278674251.0000000000408000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_file.jbxd

Similarity

API ID: ExitSleepThreadclosesocketmemcpysendstrlenwsprintf
String ID: GET %s HTTP/1.1
API String ID: 2428105366-1228824774
Opcode ID: abf6eaf39c44e4efa543fdfe644cfdebd91817a6c5e60f155f5642da00b30941
Instruction ID: 7d9b9eb363a0a16c27ceb9e8e5b29316b7b1e4974faf4cbd78f1f8191bc3b6ca
Opcode Fuzzy Hash: abf6eaf39c44e4efa543fdfe644cfdebd91817a6c5e60f155f5642da00b30941
Instruction Fuzzy Hash: A321C6B2900208ABD710DB64DD45FEF777CAF88301F0085B9E709B62C1EA759B558F59

Function 004045F8 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 46sleepregistrythreadCOMMON

Download Yara Rule

APIs

RegisterServiceCtrlHandlerA.ADVAPI32(phqghumeay,004046DA), ref: 0040460B
SetServiceStatus.ADVAPI32(00000000,004084F0), ref: 0040465D
Sleep.KERNEL32(000001F4), ref: 00404672
SetServiceStatus.ADVAPI32(00000000,004084F0), ref: 0040468E
WSAStartup.WS2_32(00000202,?), ref: 004046A0
CreateThread.KERNEL32(00000000,00000000,Function_00003F79,00000000,00000000,00000000), ref: 004046B5
Sleep.KERNEL32(000001F4), ref: 004046CE

Strings

phqghumeay, xrefs: 00404606

Memory Dump Source

Source File: 00000004.00000002.1278618248.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1278598918.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278640641.0000000000406000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278657166.0000000000407000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278674251.0000000000408000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_file.jbxd

Similarity

API ID: Service$SleepStatus$CreateCtrlHandlerRegisterStartupThread
String ID: phqghumeay
API String ID: 2259269688-3681123028
Opcode ID: 031517925a19d44b7b87a93e304b076f8e829e226e20a6f13bb548c47de79449
Instruction ID: e787513983a48fdee6ca49b53397f8218b7f537956fa0234dcbf9c9ae5bf48b0
Opcode Fuzzy Hash: 031517925a19d44b7b87a93e304b076f8e829e226e20a6f13bb548c47de79449
Instruction Fuzzy Hash: 70110970684303ABE3109F60EF0EF553AA4A744709F10443DBA467A2E3EBB964549FAD

Function 004017CA Relevance: 13.6, APIs: 9, Instructions: 99networkCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,00000118), ref: 004017E9
WSAStartup.WS2_32(00000202,?), ref: 004017FD
WSASocketA.WS2_32(00000002,00000003,00000001,00000000,00000000,00000001), ref: 00401819
setsockopt.WS2_32(000000FF,0000FFFF,00001005,000007D0,00000004), ref: 0040184F

Memory Dump Source

Source File: 00000004.00000002.1278618248.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1278598918.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278640641.0000000000406000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278657166.0000000000407000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278674251.0000000000408000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_file.jbxd

Similarity

API ID: SocketStartupmemcpysetsockopt
String ID:
API String ID: 1414131647-0
Opcode ID: 5987cc774e7c0e4cf83971a2b8de4bd1eb5fb853af5b1f8313979153893f5a13
Instruction ID: ae193bf8e6dfcf6be80bea22a789e91b64a13073cf49401c26853e4a959efe62
Opcode Fuzzy Hash: 5987cc774e7c0e4cf83971a2b8de4bd1eb5fb853af5b1f8313979153893f5a13
Instruction Fuzzy Hash: DF4153B1900218DAFB60DB64DD49FAA7774AF04704F1046FAE60EB62D1DBB41A88CF56

Function 00402609 Relevance: 13.6, APIs: 9, Instructions: 99networkCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,00000118), ref: 00402628
WSAStartup.WS2_32(00000202,?), ref: 0040263C
WSASocketA.WS2_32(00000002,00000003,00000001,00000000,00000000,00000001), ref: 00402658
setsockopt.WS2_32(000000FF,0000FFFF,00001005,000007D0,00000004), ref: 0040268E

Memory Dump Source

Source File: 00000004.00000002.1278618248.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1278598918.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278640641.0000000000406000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278657166.0000000000407000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278674251.0000000000408000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_file.jbxd

Similarity

API ID: SocketStartupmemcpysetsockopt
String ID:
API String ID: 1414131647-0
Opcode ID: a103d9dbe7e42f3d492da224d946d619c555e856eb256a1171765b8bea5a4613
Instruction ID: ebcde8c040ba5c605652543b5f3693abec3ce4aa0523f0b3af999954ffa1b85e
Opcode Fuzzy Hash: a103d9dbe7e42f3d492da224d946d619c555e856eb256a1171765b8bea5a4613
Instruction Fuzzy Hash: 844144749403189AFB64DB64DD4DF9A7374BF04704F1046FAE60DB62C1DBB41A888F56

Function 004046DA Relevance: 13.6, APIs: 9, Instructions: 62sleepCOMMON

Download Yara Rule

APIs

SetServiceStatus.ADVAPI32(00000000,004084F0), ref: 00404720
Sleep.KERNEL32(000001F4), ref: 0040472B
SetServiceStatus.ADVAPI32(00000000,004084F0), ref: 0040476A
Sleep.KERNEL32(000001F4), ref: 00404775
SetServiceStatus.ADVAPI32(00000000,004084F0), ref: 004047B4
Sleep.KERNEL32(000001F4), ref: 004047BF
SetServiceStatus.ADVAPI32(00000000,004084F0), ref: 004047FA
Sleep.KERNEL32(000001F4), ref: 00404805
SetServiceStatus.ADVAPI32(00000000,004084F0), ref: 0040482B

Memory Dump Source

Source File: 00000004.00000002.1278618248.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1278598918.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278640641.0000000000406000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278657166.0000000000407000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278674251.0000000000408000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_file.jbxd

Similarity

API ID: ServiceStatus$Sleep
String ID:
API String ID: 4108286180-0
Opcode ID: 7b9259c6701b6267053f848a5fdc2b24f879cc77d11c1c6f7a47b8c7cae808c0
Instruction ID: 7d708cc0f453a7ab1292acc82068290849e9b87896a347453b50e982a4755dd7
Opcode Fuzzy Hash: 7b9259c6701b6267053f848a5fdc2b24f879cc77d11c1c6f7a47b8c7cae808c0
Instruction Fuzzy Hash: 4331D0B1541202EFD344DF54EF08B463BA9A744308F10803DE782772A3EFBA6584AB5C

Function 00405A17 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 155COMMON

Download Yara Rule

APIs

GetIfTable.IPHLPAPI(00000000,00000000,00000001), ref: 00405A40
??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000001), ref: 00405A5F
GetIfTable.IPHLPAPI(00000000,00000000,00000001), ref: 00405A80

Strings

z, xrefs: 00405A55

Memory Dump Source

Source File: 00000004.00000002.1278618248.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1278598918.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278640641.0000000000406000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278657166.0000000000407000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278674251.0000000000408000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_file.jbxd

Similarity

API ID: Table$??2@
String ID: z
API String ID: 3055424098-1657960367
Opcode ID: 9c6b0a12ce9f2ccbaa7304c5aeae0112cad770da942ba275c552d3110d3eed4b
Instruction ID: 7f82c094eb5475c471e1d07be25d9791ccb12e02723633ca1eb636df58f5aea8
Opcode Fuzzy Hash: 9c6b0a12ce9f2ccbaa7304c5aeae0112cad770da942ba275c552d3110d3eed4b
Instruction Fuzzy Hash: AD81D674D00619EFDB14CF54DA84B9EBBB5FB49304F1081AAE409B7390DB786A85CF48

Function 004031FA Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 66processstringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00403212
??2@YAPAXI@Z.MSVCRT(-00000001), ref: 00403231
memcpy.MSVCRT(00000000,?,-00000001), ref: 00403251
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 004032A9
??3@YAXPAX@Z.MSVCRT(?), ref: 004032B9
CloseHandle.KERNEL32(?), ref: 004032C5

Strings

D, xrefs: 00403259

Memory Dump Source

Source File: 00000004.00000002.1278618248.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1278598918.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278640641.0000000000406000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278657166.0000000000407000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278674251.0000000000408000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_file.jbxd

Similarity

API ID: ??2@??3@CloseCreateHandleProcessmemcpystrlen
String ID: D
API String ID: 3685439360-2746444292
Opcode ID: 5ac9660e63a628742ffa694b8b034b147a8f7de7091280ea27d5633dc0bdd6b8
Instruction ID: a482e95f188377e2f93ebefe3bf7e31a7a7b2bc2a7937dcf561fab8338ac9f07
Opcode Fuzzy Hash: 5ac9660e63a628742ffa694b8b034b147a8f7de7091280ea27d5633dc0bdd6b8
Instruction Fuzzy Hash: 8821E8B1D102089BDB00DFE4D859BEFBBB5FF48304F104129E509BB280E77A9945CB99

Function 004024F7 Relevance: 12.1, APIs: 8, Instructions: 76networkCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,00000118), ref: 00402516
WSAStartup.WS2_32(00000202,?), ref: 0040252A
memset.MSVCRT ref: 0040253E
memset.MSVCRT ref: 0040254E
htons.WS2_32(?), ref: 00402561

Part of subcall function 0040114D: inet_addr.WS2_32(?), ref: 00401157
Part of subcall function 0040114D: gethostbyname.WS2_32(?), ref: 0040116A

socket.WS2_32(00000002,00000002,00000011), ref: 00402583
connect.WS2_32(?,00000002,00000010), ref: 0040259C
send.WS2_32(?,?,00000400,00000000), ref: 004025F4

Memory Dump Source

Source File: 00000004.00000002.1278618248.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1278598918.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278640641.0000000000406000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278657166.0000000000407000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278674251.0000000000408000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_file.jbxd

Similarity

API ID: memset$Startupconnectgethostbynamehtonsinet_addrmemcpysendsocket
String ID:
API String ID: 399500395-0
Opcode ID: a8d06ed6b536dead68c746dfe58156b4a7fb1720027fb0663e76995ad6ac756f
Instruction ID: fddbe04875415fd2b070f17c0c1f2081c11e6b8b2d0dd4d748e579f4833bb378
Opcode Fuzzy Hash: a8d06ed6b536dead68c746dfe58156b4a7fb1720027fb0663e76995ad6ac756f
Instruction Fuzzy Hash: 4721B6B5901308EBEB10DB60DE0AFFE7374BF44704F0044A9EA067A2D1D7B59A549F59

Function 004016B8 Relevance: 12.1, APIs: 8, Instructions: 76networkCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,00000118), ref: 004016D7
WSAStartup.WS2_32(00000202,?), ref: 004016EB
memset.MSVCRT ref: 004016FF
memset.MSVCRT ref: 0040170F
htons.WS2_32(?), ref: 00401722

Part of subcall function 0040114D: inet_addr.WS2_32(?), ref: 00401157
Part of subcall function 0040114D: gethostbyname.WS2_32(?), ref: 0040116A

socket.WS2_32(00000002,00000002,00000011), ref: 00401744
connect.WS2_32(?,00000002,00000010), ref: 0040175D
send.WS2_32(?,?,00000400,00000000), ref: 004017B5

Memory Dump Source

Source File: 00000004.00000002.1278618248.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1278598918.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278640641.0000000000406000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278657166.0000000000407000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278674251.0000000000408000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_file.jbxd

Similarity

API ID: memset$Startupconnectgethostbynamehtonsinet_addrmemcpysendsocket
String ID:
API String ID: 399500395-0
Opcode ID: f48b6a6da6a7b8866ff8ae4bb3b1162af9d65dc11cbd137a28805d80e909559a
Instruction ID: 72ac3324d718496a0a9a2e1f2e79cb37c147b3028460a5f94b26d3df48a2aa65
Opcode Fuzzy Hash: f48b6a6da6a7b8866ff8ae4bb3b1162af9d65dc11cbd137a28805d80e909559a
Instruction Fuzzy Hash: 7321C3B5900308ABEB10DB60CD0AFFE7374AB44704F0045AAEA067A2D1D7B95A548F99

Function 00403F79 Relevance: 10.5, APIs: 7, Instructions: 36sleepsynchronizationthreadCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 00403F8E
Sleep.KERNEL32(00075300), ref: 00403F99
CreateThread.KERNEL32(00000000,00000000,Function_000039FC,00000000,00000000,00000000), ref: 00403FB7
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00403FCB
CloseHandle.KERNEL32(00000000), ref: 00403FD7
closesocket.WS2_32(00000000), ref: 00403FE4
Sleep.KERNEL32(0000012C), ref: 00403FEF

Memory Dump Source

Source File: 00000004.00000002.1278618248.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1278598918.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278640641.0000000000406000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278657166.0000000000407000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278674251.0000000000408000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_file.jbxd

Similarity

API ID: Sleep$CloseCreateHandleObjectSingleStartupThreadWaitclosesocket
String ID:
API String ID: 1209398346-0
Opcode ID: 6b5100a307f7bb03ae9e81a3a6f0713488704acac8a47056eb52832176ffa2e4
Instruction ID: f254a680b066a287b89c4b23f0b848ca249bbbb146f3853f2104391c06f03928
Opcode Fuzzy Hash: 6b5100a307f7bb03ae9e81a3a6f0713488704acac8a47056eb52832176ffa2e4
Instruction Fuzzy Hash: 03F06835680300BFE710AF70AE0EF653739A745706F104139BB17B52E0CAB559108F6D

Function 0040395F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50networkCOMMON

Download Yara Rule

APIs

htons.WS2_32(00000015), ref: 004039A9

Part of subcall function 00402E0E: inet_addr.WS2_32(?), ref: 00402E18
Part of subcall function 00402E0E: gethostbyname.WS2_32(?), ref: 00402E2B

socket.WS2_32(00000002,00000001,00000000), ref: 004039C8
connect.WS2_32(?,00000002,00000010), ref: 004039DB
closesocket.WS2_32(?), ref: 004039EA

Strings

nc.cc25yr.o, xrefs: 00403995, 00403998

Memory Dump Source

Source File: 00000004.00000002.1278618248.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1278598918.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278640641.0000000000406000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278657166.0000000000407000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278674251.0000000000408000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_file.jbxd

Similarity

API ID: closesocketconnectgethostbynamehtonsinet_addrsocket
String ID: nc.cc25yr.o
API String ID: 1954806591-1254599725
Opcode ID: 3abe8d685ed55232de8edaf63dd1218babf7ef1746143090d1975e6c7765a82d
Instruction ID: c4cd32d014cfd96db3cf8a496bf25a229dbc4bce63e2c648c3f90e98d41e8445
Opcode Fuzzy Hash: 3abe8d685ed55232de8edaf63dd1218babf7ef1746143090d1975e6c7765a82d
Instruction Fuzzy Hash: 9D119D70C08289DAEB01CBF8D909BAEBBB56F12304F040259E5407A2C2D7FA4754C7E6

Function 004032D6 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 34networkCOMMON

Download Yara Rule

APIs

htons.WS2_32(0000150C), ref: 004032E9

Part of subcall function 00402E0E: inet_addr.WS2_32(?), ref: 00402E18
Part of subcall function 00402E0E: gethostbyname.WS2_32(?), ref: 00402E2B

socket.WS2_32(00000002,00000001,00000000), ref: 00403309
connect.WS2_32(?,00000002,00000010), ref: 0040331C
closesocket.WS2_32(?), ref: 0040332B

Strings

zzz.hnyzh.co, xrefs: 004032F3

Memory Dump Source

Source File: 00000004.00000002.1278618248.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1278598918.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278640641.0000000000406000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278657166.0000000000407000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278674251.0000000000408000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_file.jbxd

Similarity

API ID: closesocketconnectgethostbynamehtonsinet_addrsocket
String ID: zzz.hnyzh.co
API String ID: 1954806591-438907287
Opcode ID: 209a9b9dd495b061f164d766f77d2db8d558899c1df9b973b97231f909545fb6
Instruction ID: ea55fe1ec0ec8f3ebfa55634e1fe86464d9ba577327a18efdfeda344e4bb8486
Opcode Fuzzy Hash: 209a9b9dd495b061f164d766f77d2db8d558899c1df9b973b97231f909545fb6
Instruction Fuzzy Hash: 69F0A474D00204EBDB00DBF09E4AA6E7778AF04710F500665F911BA2D1D7745E00976A

Function 0040333D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 28registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,?), ref: 0040335F
RegQueryValueExA.ADVAPI32(?,~MHz,00000000,00000004,?,00000004), ref: 0040337C
RegCloseKey.ADVAPI32(?), ref: 00403386

Strings

~MHz, xrefs: 00403373
HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 00403355

Memory Dump Source

Source File: 00000004.00000002.1278618248.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1278598918.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278640641.0000000000406000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278657166.0000000000407000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278674251.0000000000408000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: HARDWARE\DESCRIPTION\System\CentralProcessor\0$~MHz
API String ID: 3677997916-2226868861
Opcode ID: f740e64da41fe9b9092cdfbc9bba7ee9c68d22e9dddcec7c798d278ed5edc45c
Instruction ID: d0f86a942cb0c189bb861b5d57f8b7fd4d381205da96400f73d5a48398b44a69
Opcode Fuzzy Hash: f740e64da41fe9b9092cdfbc9bba7ee9c68d22e9dddcec7c798d278ed5edc45c
Instruction Fuzzy Hash: 4AF058B5940208FBDB00DBD4CD49FBEB77CEB08301F1046ADEA1277280D6746614CB54

Function 004054E8 Relevance: 7.8, APIs: 5, Instructions: 305COMMON

Download Yara Rule

APIs

GetIfTable.IPHLPAPI(00000000,?,00000000), ref: 00405512
malloc.MSVCRT ref: 00405523
GetIfTable.IPHLPAPI(00000000,?,00000000), ref: 00405541
??2@YAPAXI@Z.MSVCRT(?), ref: 004055CE
memset.MSVCRT ref: 004055F7

Memory Dump Source

Source File: 00000004.00000002.1278618248.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1278598918.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278640641.0000000000406000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278657166.0000000000407000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278674251.0000000000408000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_file.jbxd

Similarity

API ID: Table$??2@mallocmemset
String ID:
API String ID: 2602573864-0
Opcode ID: 3963b5f7b5c2ea763ccca7d7c8bdd1d25aad7ce011bfbb0ed20ce6a73da47b75
Instruction ID: c8f740c0ebae116feca87dfdb30511d738ab3e81f26805e00a7e9c4019b0d005
Opcode Fuzzy Hash: 3963b5f7b5c2ea763ccca7d7c8bdd1d25aad7ce011bfbb0ed20ce6a73da47b75
Instruction Fuzzy Hash: C2E1A975A005099FCB08DF44D2949AEFBB6FB98304F29C1A9D8156B396C730ED42CFA5

Function 004058D1 Relevance: 6.1, APIs: 4, Instructions: 100COMMON

Download Yara Rule

APIs

GetIfTable.IPHLPAPI(00000000,?,00000000), ref: 004058FB
malloc.MSVCRT ref: 0040590C
GetIfTable.IPHLPAPI(00000000,?,00000000), ref: 0040592A
memcpy.MSVCRT(00000008,00000260,00000100,00000000,?,00000000), ref: 00405A01

Memory Dump Source

Source File: 00000004.00000002.1278618248.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1278598918.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278640641.0000000000406000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278657166.0000000000407000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278674251.0000000000408000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_file.jbxd

Similarity

API ID: Table$mallocmemcpy
String ID:
API String ID: 1265661173-0
Opcode ID: 0f4610ecdd7b7a42556f1386c1315cbeab420d1f8fd25009bacce7701b1ed7b3
Instruction ID: 23ad0d819bd260b5a54d7ed1dbd1ffc2d4f763d93d077053e6da68674a1848d9
Opcode Fuzzy Hash: 0f4610ecdd7b7a42556f1386c1315cbeab420d1f8fd25009bacce7701b1ed7b3
Instruction Fuzzy Hash: 0D411C74A00508EFCB08DF54C494AAEF7B5FF89314F14C2AAD855AB395C635AE81CF84

Function 00404FF0 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(00000000), ref: 00405018
free.MSVCRT ref: 0040503A
??3@YAXPAX@Z.MSVCRT(00000000), ref: 00405062
??3@YAXPAX@Z.MSVCRT(?), ref: 0040508A

Memory Dump Source

Source File: 00000004.00000002.1278618248.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1278598918.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278640641.0000000000406000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278657166.0000000000407000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278674251.0000000000408000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_file.jbxd

Similarity

API ID: ??3@$free
String ID:
API String ID: 2241099983-0
Opcode ID: 51d11b32999006aebaac96294b12bae7eedff7485b3dba08f4a7a54d4bb72f08
Instruction ID: 60c112be218109a9fd47a0d968c03d109b5f93aeb1bbfda9a16fab82623cbeb9
Opcode Fuzzy Hash: 51d11b32999006aebaac96294b12bae7eedff7485b3dba08f4a7a54d4bb72f08
Instruction Fuzzy Hash: 7921C4B8A00219DBDB04DF94C894BAFB7B1FB44304F1485A9E8156B381D77AE946CF94

Function 00401074 Relevance: 6.0, APIs: 4, Instructions: 36networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000000), ref: 00401080
htons.WS2_32(?), ref: 004010A5
connect.WS2_32(000000FF,00000002,00000010), ref: 004010B9
closesocket.WS2_32(000000FF), ref: 004010C8

Memory Dump Source

Source File: 00000004.00000002.1278618248.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1278598918.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278640641.0000000000406000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278657166.0000000000407000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278674251.0000000000408000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_file.jbxd

Similarity

API ID: closesocketconnecthtonssocket
String ID:
API String ID: 3817148366-0
Opcode ID: 9c053e00c0cdda2e46995ee3025bfcc69ab33e8ba0ad32669d41eb8457726b43
Instruction ID: 5c07ddbe1fb0fa1d9396f2f96b37480c17b7462d35912e14a8db5dbd34f170a6
Opcode Fuzzy Hash: 9c053e00c0cdda2e46995ee3025bfcc69ab33e8ba0ad32669d41eb8457726b43
Instruction Fuzzy Hash: 39018170900209DBCB10DFB4DA09ABEB374BF04320F504725F562BA2E1D3B59A408BA6

Function 004050A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GlobalMemoryStatus.KERNEL32(00000020), ref: 004050B4
memcpy.MSVCRT(?,?,0000001C), ref: 004050C4

Strings

, xrefs: 004050A9

Memory Dump Source

Source File: 00000004.00000002.1278618248.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1278598918.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278640641.0000000000406000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278657166.0000000000407000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.1278674251.0000000000408000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_file.jbxd

Similarity

API ID: GlobalMemoryStatusmemcpy
String ID:
API String ID: 2050503402-3916222277
Opcode ID: 6e75a4f245179bf84d98224b577ed0044bcf3c3ee22476d6b8fd93221b42b97f
Instruction ID: 9716cbb7558b91ebbdc56a41d9e6485860ada124d9ae5638e0acd554cd5a5761
Opcode Fuzzy Hash: 6e75a4f245179bf84d98224b577ed0044bcf3c3ee22476d6b8fd93221b42b97f
Instruction Fuzzy Hash: B4E08CB2C0420CA7DB00EBD4E849EDEB7B8AB48300F008129FA0466281E77995548BA9

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log

C:\Windows\Systemhqe.exe

C:\Windows\Systemhqe.exe:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Memory Usage

Windows Analysis Report
file.exe

Function 004048A6 Relevance: 56.3, APIs: 26, Strings: 6, Instructions: 297
stringserviceregistryCOMMON

Function 0040484B Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 24
COMMON

Function 00405D98 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Function 00404546 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 51
fileCOMMON

Function 00404E68 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77
registrystringCOMMON

Function 00404E14 Relevance: 4.5, APIs: 3, Instructions: 16
serviceregistryCOMMON

Function 00403FFB Relevance: 101.8, APIs: 39, Strings: 19, Instructions: 339
stringregistrysleepCOMMON

Function 004039FC Relevance: 105.4, APIs: 41, Strings: 19, Instructions: 351
stringregistrysleepCOMMON

Function 00401FCF Relevance: 70.3, APIs: 33, Strings: 7, Instructions: 311
networkCOMMON

Function 00401190 Relevance: 70.3, APIs: 33, Strings: 7, Instructions: 311
networkCOMMON

Function 00402EC7 Relevance: 33.4, APIs: 13, Strings: 6, Instructions: 134
libraryloaderfileCOMMON

Function 004036CD Relevance: 24.2, APIs: 16, Instructions: 188
COMMON

Function 0040343B Relevance: 24.2, APIs: 16, Instructions: 188
COMMON

Function 00401A44 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 170
stringthreadnetworkCOMMON

Function 00402883 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 170
stringthreadnetworkCOMMON