Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1583470
MD5: 1d286b861d4b283bb79330b61d18fc26
SHA1: ab6515e058793efbc59de100fed80d7a2714d205
SHA256: 4cbc414d046f0cb106ec1cbc8753c47f5146a9942115324b80be4503ac98ff40
Tags: exe, user-jstrosch

Detection

Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Moves itself to temp directory
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found decision node followed by non-executed suspicious APIs
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 2924 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 1D286B861D4B283BB79330B61D18FC26)
  • Systemxgy.exe (PID: 3180 cmdline: C:\Windows\Systemxgy.exe MD5: 1D286B861D4B283BB79330B61D18FC26)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: file.exe | Avira: detected
Source: C:\Windows\Systemxgy.exe | Avira: detection malicious, Label: HEUR/AGEN.1342186
Source: C:\Windows\Systemxgy.exe | ReversingLabs: Detection: 89%
Source: file.exe | ReversingLabs: Detection: 89%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.6% probability
Source: C:\Windows\Systemxgy.exe | Joe Sandbox ML: detected
Source: file.exe | Joe Sandbox ML: detected
Source: file.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: global traffic | TCP traffic: 192.168.2.5:49704 -> 205.185.126.56:5388
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00403FFB strcpy,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,strstr,strcpy,strstr,strcpy,strstr,strcpy,strstr,strcpy,strstr,strcpy,strstr,strcpy,strstr,strcpy,strstr,strcpy,strstr,strcpy,strcpy,GetSystemInfo,Sleep,sprintf,strlen,send,closesocket,select,__WSAFDIsSet,recv,memcpy,memcpy,memcpy,CreateThread,memcpy,CreateThread,closesocket,0_2_00403FFB
Source: global traffic | DNS traffic detected: DNS query: zzz.hnyzh.co
Source: file.exe, Systemxgy.exe.0.dr | String found in binary or memory: http://www.baidu.com/search/spider.html)
Source: file.exe, Systemxgy.exe.0.dr | String found in binary or memory: http://www.google.com/bot.html)
Source: C:\Users\user\Desktop\file.exe | File created: C:\Windows\Systemxgy.exe
Source: C:\Users\user\Desktop\file.exe | File created: C:\Windows\Systemxgy.exe\:Zone.Identifier:$DATA
Source: classification engine | Classification label: mal92.evad.winEXE@2/2@1/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004048A6 GetModuleFileNameA,LoadLibraryA,GetProcAddress,strlen,strncmp,wsprintfA,strcat,strcat,CopyFileA,memset,strcpy,OpenSCManagerA,CreateServiceA,LockServiceDatabase,ChangeServiceConfig2A,ChangeServiceConfig2A,UnlockServiceDatabase,GetLastError,OpenServiceA,StartServiceA,StartServiceA,strcpy,strcat,RegOpenKeyA,lstrlenA,RegSetValueExA,0_2_004048A6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040484B StartServiceCtrlDispatcherA,0_2_0040484B
Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: unknown | Process created: C:\Windows\Systemxgy.exe C:\Windows\Systemxgy.exe
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntmarta.dll
Source: C:\Windows\Systemxgy.exe | Section loaded: apphelp.dll
Source: C:\Windows\Systemxgy.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\Systemxgy.exe | Section loaded: napinsp.dll
Source: C:\Windows\Systemxgy.exe | Section loaded: pnrpnsp.dll
Source: C:\Windows\Systemxgy.exe | Section loaded: wshbth.dll
Source: C:\Windows\Systemxgy.exe | Section loaded: nlaapi.dll
Source: C:\Windows\Systemxgy.exe | Section loaded: mswsock.dll
Source: C:\Windows\Systemxgy.exe | Section loaded: dnsapi.dll
Source: C:\Windows\Systemxgy.exe | Section loaded: winrnr.dll
Source: C:\Windows\Systemxgy.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\Systemxgy.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00405D20 push eax; ret 0_2_00405D4E

Persistence and Installation Behavior

Source: unknown | Executable created and started: C:\Windows\Systemxgy.exe
Source: C:\Users\user\Desktop\file.exe | File created: C:\Windows\Systemxgy.exe
Source: C:\Users\user\Desktop\file.exe | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\phqghumeay
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040484B StartServiceCtrlDispatcherA,0_2_0040484B

Hooking and other Techniques for Hiding and Protection

Source: c:\users\user\desktop\file.exe | File moved: C:\Users\user\AppData\Local\Temp\3cadfac
Source: C:\Windows\Systemxgy.exe | Thread delayed: delay time: 480000
Source: C:\Users\user\Desktop\file.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_0-1262
Source: C:\Windows\Systemxgy.exe TID: 5912 | Thread sleep time: -480000s >= -30000s
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004050D7 GetSystemInfo,??2@YAPAXI@Z,memset,memcpy,0_2_004050D7
Source: Systemxgy.exe, 00000001.00000002.3892890459.000000000078F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004048A6 GetModuleFileNameA,LoadLibraryA,GetProcAddress,strlen,strncmp,wsprintfA,strcat,strcat,CopyFileA,memset,strcpy,OpenSCManagerA,CreateServiceA,LockServiceDatabase,ChangeServiceConfig2A,ChangeServiceConfig2A,UnlockServiceDatabase,GetLastError,OpenServiceA,StartServiceA,StartServiceA,strcpy,strcat,RegOpenKeyA,lstrlenA,RegSetValueExA,0_2_004048A6
MITRE ATT&CK Matrix (one line per tactic column; a number in parentheses is the count shown in that matrix cell)

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts
Execution: Service Execution (2), Native API (1), At, Cron, Launchd
Persistence: Windows Service (14), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script
Privilege Escalation: Windows Service (14), Process Injection (1), DLL Side-Loading (1), Login Hook, Network Logon Script
Defense Evasion: Masquerading (22), Virtualization/Sandbox Evasion (21), Process Injection (1), Obfuscated Files or Information (1), DLL Side-Loading (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets
Discovery: Security Software Discovery (11), Virtualization/Sandbox Evasion (21), System Information Discovery (2), System Network Configuration Discovery, Internet Connection Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH
Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging
Command and Control: Non-Standard Port (1), Ingress Tool Transfer (1), Non-Application Layer Protocol (1), Application Layer Protocol (1), Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact

Source | Detection | Scanner | Label
file.exe | 89% | ReversingLabs | Win32.Backdoor.Farfli
file.exe | 100% | Avira | HEUR/AGEN.1342186
file.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Windows\Systemxgy.exe | 100% | Avira | HEUR/AGEN.1342186
C:\Windows\Systemxgy.exe | 100% | Joe Sandbox ML |
C:\Windows\Systemxgy.exe | 89% | ReversingLabs | Win32.Backdoor.Farfli
No Antivirus matches
No Antivirus matches
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
zzz.hnyzh.co | 205.185.126.56 | true | false | | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.baidu.com/search/spider.html) | file.exe, Systemxgy.exe.0.dr | false | | high
http://www.google.com/bot.html) | file.exe, Systemxgy.exe.0.dr | false | | high

IP | Domain | Country | Flag | ASN | ASN Name | Malicious
205.185.126.56 | zzz.hnyzh.co | United States | | 53667 | PONYNETUS | false

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1583470
Start date and time: 2025-01-02 20:25:21 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 12s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal92.evad.winEXE@2/2@1/1
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 6
  • Number of non-executed functions: 37
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Sleeps longer than 100000000ms are automatically reduced to 1000ms
  • Sleep loops longer than 100000000ms are bypassed. Single calls with a delay of 100000000ms and higher are ignored
  • Excluded processes from analysis (whitelisted): WMIADAP.exe, SIHClient.exe
  • Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.246.45
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • VT rate limit hit for: file.exe

No simulations

Match | Associated Sample Name / URL | Detection | Threat Name | Context
205.185.126.56 | lx64.elf | malicious | Unknown |

Match | Associated Sample Name / URL | Detection | Threat Name | Context
zzz.hnyzh.co | lx64.elf | malicious | Unknown | 205.185.126.56

Match | Associated Sample Name / URL | Detection | Threat Name | Context
PONYNETUS | file.exe | malicious | GhostRat, Nitol | 198.98.57.188
PONYNETUS | lx64.elf | malicious | Unknown | 205.185.126.56
PONYNETUS | https://u48917305.ct.sendgrid.net/ls/click?upn=u001.ztQPJiWtq2gO8V-2Ftd7SxY9UCAq3VScTPSloeIw5UEMPd6e3nbPRvJ98moPTqmrdQ1eNbvwZHJ-2BEb4HrooVFNCTltmXW6SgRONKSmPzdFoWfDQT97cczFZ0vj7M2xBd2izDTi-2BL-2BoVqB8yVzV2GW7vOPvy3s9yVghrOS5vs-2BSnWyzJMkXQxVEReq4oLCDet7QAOvo_JkpSD-2Bg6VoLAQppUKMb-2BxDh4v4nbOeQFT31aoN-2FLkhvFCzY6wdlGM7RTNIi47OKR1tTaghG8tTKssArDNPSXAfX9wO6nsZ2FHn-2FunyaOti-2FaII-2FnbKYDXJOImW-2Bs9f4tYnWj8rqO7L0kp4KNRHBDo0iHoL8DEOGc8GMtzqzsIqERel6-2FxJyY4DBnsnUTOc2I4HCPKA6lxcCEXMtxEA1-2FnQ-3D-3D | malicious | HTMLPhisher | 198.251.89.144
PONYNETUS | arm6.elf | malicious | Mirai, Moobot | 209.141.47.117
PONYNETUS | JkICQ13OOY.dll | malicious | Unknown | 107.189.14.43
PONYNETUS | JkICQ13OOY.dll | malicious | Unknown | 104.244.76.24
PONYNETUS | Clienter.dll.dll | malicious | Unknown | 107.189.1.9
PONYNETUS | SC_TR11670000_pdf.exe | malicious | FormBook | 198.251.84.200
PONYNETUS | vpn.exe | malicious | Metasploit | 209.141.35.225

No context
No context

Process: C:\Users\user\Desktop\file.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 36864
Entropy (8bit): 5.194063470375111
Encrypted: false
SSDEEP: 768:SkqlrK5isV2AKTVV15bRjeK3gRJg6Dm/u5HfquaVwsaVwCx:xKIYApC6C/4/zaVwsaVwCx
MD5: 1D286B861D4B283BB79330B61D18FC26
SHA1: AB6515E058793EFBC59DE100FED80D7A2714D205
SHA-256: 4CBC414D046F0CB106EC1CBC8753C47F5146A9942115324B80BE4503AC98FF40
SHA-512: 0ADA866040CE21E78732FA9A1AA9ED1E81F43E713FDE38EAE5C7034F9CDA412A35BB7D8CAE66829F42F3A4C0082722787E8F55F7155E9142D6AE3935ACFAD30B
Malicious: true
Antivirus:
  • Antivirus: Avira, Detection: 100%
  • Antivirus: Joe Sandbox ML, Detection: 100%
  • Antivirus: ReversingLabs, Detection: 89%
Reputation: low

Process: C:\Users\user\Desktop\file.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Reputation: high, very likely benign file
Preview: [ZoneTransfer]....ZoneId=0

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 5.194063470375111
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 36'864 bytes
MD5: 1d286b861d4b283bb79330b61d18fc26
SHA1: ab6515e058793efbc59de100fed80d7a2714d205
SHA256: 4cbc414d046f0cb106ec1cbc8753c47f5146a9942115324b80be4503ac98ff40
SHA512: 0ada866040ce21e78732fa9a1aa9ed1e81f43e713fde38eae5c7034f9cda412a35bb7d8cae66829f42f3a4c0082722787e8f55f7155e9142d6ae3935acfad30b
SSDEEP: 768:SkqlrK5isV2AKTVV15bRjeK3gRJg6Dm/u5HfquaVwsaVwCx:xKIYApC6C/4/zaVwsaVwCx
TLSH: 8CF24A52BA0794A6E59300F4246AFBFFD9A3ACB9068EE45BFFC05D042674144F23620F
Icon Hash: 00928e8e8686b000
Entrypoint: 0x405d98
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp: 0x595E5B34 [Thu Jul 6 15:45:56 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: b417d74ecba642ca8eceadf01d18afc0

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 004061E8h
push 00405D50h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 68h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
xor ebx, ebx
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [004060B8h]
pop ecx
or dword ptr [00408574h], FFFFFFFFh
or dword ptr [00408578h], FFFFFFFFh
call dword ptr [004060C0h]
mov ecx, dword ptr [00408570h]
mov dword ptr [eax], ecx
call dword ptr [004060C4h]
mov ecx, dword ptr [0040856Ch]
mov dword ptr [eax], ecx
mov eax, dword ptr [004060C8h]
mov eax, dword ptr [eax]
mov dword ptr [0040857Ch], eax
call 00007FE6A8B011B5h
cmp dword ptr [004084E0h], ebx
jne 00007FE6A8B010AEh
push 00405F14h
call dword ptr [004060CCh]
pop ecx
call 00007FE6A8B01187h
push 0040700Ch
push 00407008h
call 00007FE6A8B01172h
mov eax, dword ptr [00408568h]
mov dword ptr [ebp-6Ch], eax
lea eax, dword ptr [ebp-6Ch]
push eax
push dword ptr [00408564h]
lea eax, dword ptr [ebp-64h]
push eax
lea eax, dword ptr [ebp-70h]
push eax
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [004060D4h]
push 00407004h
push 00407000h
call 00007FE6A8B0113Fh

Programming Language:
  • [C++] VS98 (6.0) build 8168

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x61f4 | 0x8c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x6000 | 0x18c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x4f24 | 0x5000 | 473050cc994b7ebb5204af8da53aa950 | False | 0.384912109375 | data | 5.976631766130226 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x6000 | 0x8f0 | 0x1000 | e9d815d08c8b4dc9cbc16893a6526eac | False | 0.2783203125 | data | 3.2178513504818738 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x7000 | 0x1580 | 0x2000 | de1f64b96b21db6012583432bdb21ac4 | False | 0.1031494140625 | Matlab v4 mat-file (little endian) Eliminate small Japanese, numeric, rows 0, columns 0 | 3.7656788523032363 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

DLL | Import
KERNEL32.dll | MoveFileA, GetTempPathA, GetModuleFileNameA, lstrlenA, MoveFileExA, GlobalMemoryStatus, GetModuleHandleA, GetStartupInfoA, WaitForSingleObject, GetSystemInfo, CreateThread, CreateProcessA, GetFileAttributesA, GetLastError, LoadLibraryA, GetProcAddress, FreeLibrary, CreateFileA, WriteFile, CloseHandle, ExitThread, Sleep, GetCurrentProcessId, CopyFileA, GetTickCount
USER32.dll | MessageBoxA, wsprintfA
ADVAPI32.dll | CreateServiceA, ChangeServiceConfig2A, UnlockServiceDatabase, OpenServiceA, StartServiceA, RegSetValueExA, CloseServiceHandle, StartServiceCtrlDispatcherA, RegisterServiceCtrlHandlerA, SetServiceStatus, RegOpenKeyExA, RegOpenKeyA, RegQueryValueExA, RegCloseKey, OpenSCManagerA, LockServiceDatabase
WS2_32.dll | select, __WSAFDIsSet, recv, WSAIoctl, send, WSAStartup, WSASocketA, WSAGetLastError, setsockopt, htonl, sendto, WSACleanup, gethostbyname, socket, htons, connect, closesocket, inet_addr
MSVCRT.dll | strlen, strcat, _controlfp, __set_app_type, strcpy, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, _iob, malloc, free, rand, sprintf, memset, printf, fprintf, memcpy, _except_handler3, _local_unwind2, strstr, ??3@YAXPAX@Z, strrchr, ??2@YAPAXI@Z, strncmp
iphlpapi.dll | GetIfTable

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 2, 2025 20:26:12.578705072 CET | 49704 | 5388 | 192.168.2.5 | 205.185.126.56
Jan 2, 2025 20:26:12.583621025 CET | 5388 | 49704 | 205.185.126.56 | 192.168.2.5
Jan 2, 2025 20:26:12.583760977 CET | 49704 | 5388 | 192.168.2.5 | 205.185.126.56
Jan 2, 2025 20:26:15.587136984 CET | 49704 | 5388 | 192.168.2.5 | 205.185.126.56
Jan 2, 2025 20:26:15.591980934 CET | 5388 | 49704 | 205.185.126.56 | 192.168.2.5
Jan 2, 2025 20:27:15.602766991 CET | 49704 | 5388 | 192.168.2.5 | 205.185.126.56
Jan 2, 2025 20:27:15.607748032 CET | 5388 | 49704 | 205.185.126.56 | 192.168.2.5
Jan 2, 2025 20:28:15.618454933 CET | 49704 | 5388 | 192.168.2.5 | 205.185.126.56
Jan 2, 2025 20:28:15.623440027 CET | 5388 | 49704 | 205.185.126.56 | 192.168.2.5
Jan 2, 2025 20:29:15.634138107 CET | 49704 | 5388 | 192.168.2.5 | 205.185.126.56
Jan 2, 2025 20:29:15.638907909 CET | 5388 | 49704 | 205.185.126.56 | 192.168.2.5

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 2, 2025 20:26:12.086659908 CET | 54005 | 53 | 192.168.2.5 | 1.1.1.1
Jan 2, 2025 20:26:12.573725939 CET | 53 | 54005 | 1.1.1.1 | 192.168.2.5

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 2, 2025 20:26:12.086659908 CET | 192.168.2.5 | 1.1.1.1 | 0x5650 | Standard query (0) | zzz.hnyzh.co | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 2, 2025 20:26:12.573725939 CET | 1.1.1.1 | 192.168.2.5 | 0x5650 | No error (0) | zzz.hnyzh.co | | 205.185.126.56 | A (IP address) | IN (0x0001) | false

Target ID: 0
Start time: 14:26:10
Start date: 02/01/2025
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\file.exe"
Imagebase: 0x400000
File size: 36'864 bytes
MD5 hash: 1D286B861D4B283BB79330B61D18FC26
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 1
Start time: 14:26:10
Start date: 02/01/2025
Path: C:\Windows\Systemxgy.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Systemxgy.exe
Imagebase: 0x400000
File size: 36'864 bytes
MD5 hash: 1D286B861D4B283BB79330B61D18FC26
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
  • Detection: 100%, Avira
  • Detection: 100%, Joe Sandbox ML
  • Detection: 89%, ReversingLabs
Reputation: low
Has exited: false

Execution Graph

Execution Coverage: 9.6%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 16.3%
Total number of Nodes: 380
Total number of Limit Nodes: 1
closesocket 1274->1273 1275->1243 1277 4033a9 setsockopt 1276->1277 1279 40339f 1276->1279 1278 4033cf WSAIoctl 1277->1278 1277->1279 1278->1279 1279->1260 1281 40344f 1280->1281 1290 40344a 1280->1290 1282 403513 1281->1282 1283 403627 1281->1283 1284 403558 1281->1284 1285 403489 1281->1285 1286 403669 1281->1286 1287 40359d 1281->1287 1288 4034ce 1281->1288 1289 4035e2 1281->1289 1281->1290 1282->1290 1292 403533 CreateThread CloseHandle 1282->1292 1283->1290 1293 403647 CreateThread CloseHandle 1283->1293 1284->1290 1294 403578 CreateThread CloseHandle 1284->1294 1285->1290 1295 4034a9 CreateThread CloseHandle 1285->1295 1286->1290 1296 403689 CreateThread CloseHandle 1286->1296 1287->1290 1297 4035bd CreateThread CloseHandle 1287->1297 1288->1290 1298 4034ee CreateThread CloseHandle 1288->1298 1289->1290 1291 403602 CreateThread CloseHandle 1289->1291 1290->1260 1291->1289 1292->1282 1293->1283 1294->1284 1295->1285 1296->1286 1297->1287 1298->1288 1300 402e27 gethostbyname 1299->1300 1301 402e3a socket connect 1299->1301 1300->1301 1301->1273 1301->1274 1302 4016b8 memcpy WSAStartup memset memset htons 1303 40114d 2 API calls 1302->1303 1304 401738 socket connect 1303->1304 1306 401763 1304->1306 1305 40179c 1306->1305 1307 4017a0 send 1306->1307 1307->1306 1308 403f79 WSAStartup Sleep 1309 403f9f 1308->1309 1310 403ff7 1309->1310 1311 403fa8 CreateThread WaitForSingleObject CloseHandle closesocket Sleep 1309->1311 1311->1309 1312 4031fa strlen 1313 403223 1312->1313 1314 40322a ??2@YAPAXI memcpy CreateProcessA ??3@YAXPAX CloseHandle 1312->1314 1314->1313 1315 4039fc 1357 40395f 1315->1357 1318 403a18 1319 403a1d strcpy RegOpenKeyExA 1320 403a95 strstr 1319->1320 1321 403a55 RegQueryValueExA RegCloseKey 1319->1321 1322 403ac6 strstr 1320->1322 1323 403aad strcpy 1320->1323 1321->1320 1325 403af7 strstr 1322->1325 1326 403ade strcpy 1322->1326 1324 403c59 1323->1324 1364 40333d RegOpenKeyA RegQueryValueExA RegCloseKey 1324->1364 1328 403b28 strstr 1325->1328 
1329 403b0f strcpy 1325->1329 1326->1324 1331 403b40 strcpy 1328->1331 1332 403b59 strstr 1328->1332 1329->1324 1330 403c5e GetSystemInfo Sleep sprintf strlen send 1333 403ce4 closesocket 1330->1333 1334 403cf5 1330->1334 1331->1324 1335 403b71 strcpy 1332->1335 1336 403b8a strstr 1332->1336 1333->1318 1337 403393 2 API calls 1334->1337 1335->1324 1338 403ba2 strcpy 1336->1338 1339 403bbb strstr 1336->1339 1347 403d03 1337->1347 1338->1324 1340 403bd3 strcpy 1339->1340 1341 403be9 strstr 1339->1341 1340->1324 1342 403c01 strcpy 1341->1342 1343 403c17 strstr 1341->1343 1342->1324 1345 403c45 strcpy 1343->1345 1346 403c2f strcpy 1343->1346 1344 403f58 closesocket 1344->1318 1345->1324 1346->1324 1347->1344 1348 403d9d select 1347->1348 1349 403ddb __WSAFDIsSet 1347->1349 1351 403dc9 1347->1351 1352 403e2d memcpy 1347->1352 1353 403f08 memcpy MessageBoxA CreateThread 1347->1353 1354 403ebb memcpy MessageBoxA CreateThread 1347->1354 1355 403e7d memcpy 1347->1355 1348->1347 1348->1351 1349->1347 1350 403df5 recv 1349->1350 1350->1347 1350->1351 1351->1344 1352->1347 1353->1347 1354->1347 1365 4036cd 1355->1365 1384 402e51 1357->1384 1360 402e0e 2 API calls 1361 4039bc socket connect 1360->1361 1362 4039f5 1361->1362 1363 4039e6 closesocket 1361->1363 1362->1318 1362->1319 1363->1362 1364->1330 1366 4036e1 1365->1366 1367 4036dc 1365->1367 1366->1367 1368 403760 1366->1368 1369 403874 1366->1369 1370 4037a5 1366->1370 1371 4038b9 1366->1371 1372 4037ea 1366->1372 1373 40371b 1366->1373 1374 4038fb 1366->1374 1375 40382f 1366->1375 1367->1347 1368->1367 1381 403780 CreateThread CloseHandle 1368->1381 1369->1367 1382 403894 CreateThread CloseHandle 1369->1382 1370->1367 1383 4037c5 CreateThread CloseHandle 1370->1383 1371->1367 1376 4038d9 CreateThread CloseHandle 1371->1376 1372->1367 1377 40380a CreateThread CloseHandle 1372->1377 1373->1367 1378 40373b CreateThread CloseHandle 1373->1378 1374->1367 1379 40391b CreateThread CloseHandle 1374->1379 1375->1367 1380 40384f 
CreateThread CloseHandle 1375->1380 1376->1371 1377->1372 1378->1373 1379->1374 1380->1375 1381->1368 1382->1369 1383->1370 1385 402e63 htons 1384->1385 1385->1360

            Callgraph

            callgraph 0 Function_004022C1 6 Function_004024CB 0->6 34 Function_00401000 0->34 1 Function_00401A44 15 Function_004010DA 1->15 27 Function_00401074 1->27 50 Function_0040111D 1->50 2 Function_00404546 3 Function_00402EC7 4 Function_004017CA 9 Function_0040114D 4->9 5 Function_0040484B 5->2 21 Function_00404E68 5->21 54 Function_004048A6 5->54 7 Function_00402BCC 7->15 7->27 8 Function_004036CD 10 Function_00401FCF 10->6 10->9 10->34 52 Function_00405D20 10->52 11 Function_00402E51 12 Function_004058D1 13 Function_004032D6 42 Function_00402E0E 13->42 14 Function_004050D7 16 Function_004046DA 17 Function_0040515E 18 Function_0040195F 18->15 18->27 19 Function_0040395F 19->11 19->42 20 Function_004030E2 20->3 59 Function_004030BA 20->59 22 Function_004054E8 23 Function_00405EEA 24 Function_00401C6C 24->15 24->27 25 Function_00402CED 25->15 25->27 26 Function_00404FF0 28 Function_004024F7 28->9 29 Function_004045F8 32 Function_00403FFB 29->32 30 Function_00403F79 31 Function_004031FA 32->13 44 Function_00403393 32->44 60 Function_0040343B 32->60 61 Function_0040333D 32->61 33 Function_004039FC 33->8 33->19 33->44 33->61 35 Function_00404F80 36 Function_00405F02 37 Function_00401482 37->34 40 Function_0040168C 37->40 38 Function_00402883 38->15 38->27 38->50 39 Function_00402609 39->9 41 Function_00401D8D 41->15 41->27 43 Function_00401190 43->9 43->34 43->40 43->52 45 Function_00404E14 46 Function_00405F14 47 Function_00405F17 48 Function_00405A17 49 Function_00405D98 49->5 49->36 49->47 51 Function_0040279E 51->15 51->27 53 Function_004050A0 54->45 54->50 55 Function_00402AAB 55->15 55->27 56 Function_00401EAE 56->15 56->27 57 Function_00405CB0 57->26 58 Function_004016B8 58->9

            Control-flow Graph

            APIs
            • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,00000000,00000000,00405D50,004061B0,000000FF,?,00404896,phqghumeay,lnlfdxfircvscxggbwkf,nqduxwfnfozvsrtkjprepggxrpnrvy,00405ECC), ref: 004048DA
            • LoadLibraryA.KERNEL32(KERNEL32.dll,GetWindowsDirectoryA), ref: 0040497F
            • GetProcAddress.KERNEL32(00000000), ref: 00404986
            • strlen.MSVCRT ref: 004049AB
            • strncmp.MSVCRT ref: 004049C2
            • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00404AAB
              • Part of subcall function 0040111D: GetTickCount.KERNEL32 ref: 00401123
              • Part of subcall function 0040111D: rand.MSVCRT ref: 0040112C
            • wsprintfA.USER32 ref: 00404A08
            • strcat.MSVCRT(?,004084B4), ref: 00404A1D
            • strcat.MSVCRT(?,?), ref: 00404A33
            • CopyFileA.KERNEL32(?,?,00000000), ref: 00404A4B
            • memset.MSVCRT ref: 00404A5F
            • strcpy.MSVCRT(?,?), ref: 00404A75
            • CreateServiceA.ADVAPI32(00000000,?,?,000F01FF,00000110,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000), ref: 00404AF3
            • LockServiceDatabase.ADVAPI32(00000000), ref: 00404B06
            • ChangeServiceConfig2A.ADVAPI32(00000000,00000001,Ys@), ref: 00404B2C
            • ChangeServiceConfig2A.ADVAPI32(00000000,00000002,00015180), ref: 00404BD6
            • UnlockServiceDatabase.ADVAPI32(?), ref: 00404BE3
            • GetLastError.KERNEL32 ref: 00404BF2
            • OpenServiceA.ADVAPI32(00000000,?,000F01FF), ref: 00404C0F
            • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00404C34
            • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00404C45
            • strcpy.MSVCRT(?,SYSTEM\CurrentControlSet\Services\), ref: 00404D57
            • strcat.MSVCRT(?,?), ref: 00404D6A
            • RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 00404D85
            • lstrlenA.KERNEL32(?), ref: 00404DE3
            • RegSetValueExA.KERNELBASE(?,Description,00000000,00000001,?,00000000), ref: 00404E00
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2030192685.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2030176936.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030206580.0000000000406000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030220474.0000000000407000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030236075.0000000000408000.00000004.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_file.jbxd
            Similarity
            • API ID: Service$Openstrcat$ChangeConfig2DatabaseFileStartstrcpy$AddressCopyCountCreateErrorLastLibraryLoadLockManagerModuleNameProcTickUnlockValuelstrlenmemsetrandstrlenstrncmpwsprintf
            • String ID: Description$GetWindowsDirectoryA$KERNEL32.dll$SYSTEM\CurrentControlSet\Services\$System%c%c%c.exe$Ys@
            • API String ID: 1037263667-1422571387
            • Opcode ID: eb6b3fee18de0f0e618686b07eef1114f718871ed6bee7923be9032beb08f327
            • Instruction ID: ddc84bb5c17fb71005d3a5cbce47219748127c7e894e54b94b796417c92abd28
            • Opcode Fuzzy Hash: eb6b3fee18de0f0e618686b07eef1114f718871ed6bee7923be9032beb08f327
            • Instruction Fuzzy Hash: 4DE14370D482A8DFEB22CB54DC48BDDBAB86B15704F0441D9E24D7A281C7BA1B94CF65

            Control-flow Graph

            APIs
              • Part of subcall function 00404E68: strcpy.MSVCRT(00000000,SYSTEM\CurrentControlSet\Services\), ref: 00404F22
              • Part of subcall function 00404E68: strcat.MSVCRT(00000000,phqghumeay), ref: 00404F36
              • Part of subcall function 00404E68: RegOpenKeyExA.KERNELBASE(80000002,00000000,00000000,000F003F,?), ref: 00404F55
              • Part of subcall function 00404E68: RegCloseKey.ADVAPI32(?), ref: 00404F63
            • StartServiceCtrlDispatcherA.ADVAPI32(phqghumeay), ref: 0040487A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2030192685.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2030176936.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030206580.0000000000406000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030220474.0000000000407000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030236075.0000000000408000.00000004.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_file.jbxd
            Similarity
            • API ID: CloseCtrlDispatcherOpenServiceStartstrcatstrcpy
            • String ID: lnlfdxfircvscxggbwkf$nqduxwfnfozvsrtkjprepggxrpnrvy$phqghumeay
            • API String ID: 2081903712-1593379540
            • Opcode ID: 2397be007853676a9c839841e75d704087819706b2e0ecf1d7acc8175c7d6505
            • Instruction ID: f7d1596815c9f2c29b49f9ed5aa28e433b9c94b8e93ee437271dc918a615f366
            • Opcode Fuzzy Hash: 2397be007853676a9c839841e75d704087819706b2e0ecf1d7acc8175c7d6505
            • Instruction Fuzzy Hash: C3E0E5B2C04209A6E700FBA18D0676E77646B80308F04887E9E00B61C1D7BCA114E7AB

            Control-flow Graph

            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.2030192685.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2030176936.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030206580.0000000000406000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030220474.0000000000407000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030236075.0000000000408000.00000004.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_file.jbxd
            Similarity
            • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
            • String ID:
            • API String ID: 801014965-0
            • Opcode ID: b3dcb3d3aed725f02c53b639a1312d7d12e19c6bf4e79c04ef18bd16b7187e4d
            • Instruction ID: e9b0533161edfca8b3dd4721171a4ba11c5300663186981a96dc1615ed8767ad
            • Opcode Fuzzy Hash: b3dcb3d3aed725f02c53b639a1312d7d12e19c6bf4e79c04ef18bd16b7187e4d
            • Instruction Fuzzy Hash: E9416F71844748AFDB20DFA4DE45AAA7BB8EB09710F20413FE586B72D1C7785941CF98

            Control-flow Graph

            APIs
            • memset.MSVCRT ref: 0040455D
            • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00404573
            • GetTempPathA.KERNEL32(00000104,?), ref: 00404585
            • GetTickCount.KERNEL32 ref: 0040458B
            • wsprintfA.USER32 ref: 004045A8
            • MoveFileA.KERNEL32(?,?), ref: 004045BF
            • MoveFileExA.KERNEL32(?,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 004045D4
            • MoveFileExA.KERNEL32(?,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 004045EC
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2030192685.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2030176936.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030206580.0000000000406000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030220474.0000000000407000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030236075.0000000000408000.00000004.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_file.jbxd
            Similarity
            • API ID: File$Move$CountModuleNamePathTempTickmemsetwsprintf
            • String ID: %s\%x
            • API String ID: 3964544435-1694672422
            • Opcode ID: 673b0e1fedb8b576c61018b2bad397bf048ae2f60d28b5862c6f6fbd29d78fa5
            • Instruction ID: 5aa0d96a0a9caca7480b2414c1bdb656ca4030205114700bc37be99f7d342fca
            • Opcode Fuzzy Hash: 673b0e1fedb8b576c61018b2bad397bf048ae2f60d28b5862c6f6fbd29d78fa5
            • Instruction Fuzzy Hash: D911D6F5550208ABE720EB60DE8AFDA77BCDB04700F0045A5B70AF50D2EAB897948F65

            Control-flow Graph

            control_flow_graph 48 404e68-404f5d strcpy strcat RegOpenKeyExA 49 404f70 48->49 50 404f5f-404f6e RegCloseKey 48->50 51 404f72-404f76 49->51 50->51
            APIs
            • strcpy.MSVCRT(00000000,SYSTEM\CurrentControlSet\Services\), ref: 00404F22
            • strcat.MSVCRT(00000000,phqghumeay), ref: 00404F36
            • RegOpenKeyExA.KERNELBASE(80000002,00000000,00000000,000F003F,?), ref: 00404F55
            • RegCloseKey.ADVAPI32(?), ref: 00404F63
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2030192685.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2030176936.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030206580.0000000000406000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030220474.0000000000407000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030236075.0000000000408000.00000004.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_file.jbxd
            Similarity
            • API ID: CloseOpenstrcatstrcpy
            • String ID: SYSTEM\CurrentControlSet\Services\$phqghumeay
            • API String ID: 1717706559-1320492464
            • Opcode ID: 76d0650641b108a4a7024a2f66b41af03be49d1c5224f0d947ccd3954d1eecef
            • Instruction ID: a811d08a4cecba0c06c52649d059b88623e00b80f6672d41c2df3e9dcb829d50
            • Opcode Fuzzy Hash: 76d0650641b108a4a7024a2f66b41af03be49d1c5224f0d947ccd3954d1eecef
            • Instruction Fuzzy Hash: A931FF10D0C6C9D9EB02C2A8C8097EEBFB54B26349F0840D9D6847A282D7FE575887B6

            Control-flow Graph

            control_flow_graph 61 404e14-404e1b 62 404e2a-404e31 61->62 63 404e1d-404e24 CloseServiceHandle 61->63 64 404e40-404e47 62->64 65 404e33-404e3a CloseServiceHandle 62->65 63->62 66 404e56 64->66 67 404e49-404e50 RegCloseKey 64->67 65->64 67->66
            APIs
            • CloseServiceHandle.ADVAPI32(00000000,00404E12), ref: 00404E24
            • CloseServiceHandle.ADVAPI32(00000000,00404E12), ref: 00404E3A
            • RegCloseKey.KERNELBASE(00000000,00404E12), ref: 00404E50
            Memory Dump Source
            • Source File: 00000000.00000002.2030192685.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2030176936.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030206580.0000000000406000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030220474.0000000000407000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030236075.0000000000408000.00000004.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_file.jbxd
            Similarity
            • API ID: Close$HandleService
            • String ID:
            • API String ID: 907781861-0
            • Opcode ID: df88ba2420c4e5576af235a9d1b9512e1e2c95130368c118f5465ae420b4160a
            • Instruction ID: 6b40e544d4cc24b11f69b6f6fb2a8579f0677bf83d93bcc87397db4c4dca0c73
            • Opcode Fuzzy Hash: df88ba2420c4e5576af235a9d1b9512e1e2c95130368c118f5465ae420b4160a
            • Instruction Fuzzy Hash: 6FE092B0901224CBCB36DB64DA4C79E7379AB80702F1080F8A20E7A190C7386FC4CF88

            Control-flow Graph

            control_flow_graph 130 403ffb-404015 call 4032d6 133 404017 130->133 134 40401c-404052 strcpy RegOpenKeyExA 130->134 135 404532-404535 133->135 136 404094-4040aa strstr 134->136 137 404054-40408e RegQueryValueExA RegCloseKey 134->137 138 4040c5-4040db strstr 136->138 139 4040ac-4040c0 strcpy 136->139 137->136 141 4040f6-40410c strstr 138->141 142 4040dd-4040f1 strcpy 138->142 140 404258-4042e1 call 40333d GetSystemInfo Sleep sprintf strlen send 139->140 149 4042e3-4042ef closesocket 140->149 150 4042f4-404302 call 403393 140->150 144 404127-40413d strstr 141->144 145 40410e-404122 strcpy 141->145 142->140 147 404158-40416e strstr 144->147 148 40413f-404153 strcpy 144->148 145->140 151 404170-404184 strcpy 147->151 152 404189-40419f strstr 147->152 148->140 149->135 159 404305-40430c 150->159 151->140 154 4041a1-4041b5 strcpy 152->154 155 4041ba-4041d0 strstr 152->155 154->140 157 4041d2-4041e6 strcpy 155->157 158 4041e8-4041fe strstr 155->158 157->140 160 404200-404214 strcpy 158->160 161 404216-40422c strstr 158->161 164 404312 159->164 165 404525-40452c closesocket 159->165 160->140 162 404244-404255 strcpy 161->162 163 40422e-404242 strcpy 161->163 162->140 163->140 166 40431c-404326 164->166 165->135 167 404337-404343 166->167 168 404345-404358 167->168 169 40435e-40436a 167->169 170 40435a 168->170 171 40435c 168->171 172 404396-40439a 169->172 173 40436c-404373 169->173 170->169 171->167 172->166 176 40439c-4043c6 select 172->176 173->172 175 404375-404390 173->175 175->172 177 4043c8 176->177 178 4043cd-4043d4 176->178 177->165 179 404520 178->179 180 4043da-4043ee __WSAFDIsSet 178->180 179->159 180->179 181 4043f4-40441c recv 180->181 182 404427 181->182 183 40441e-404425 181->183 182->165 183->182 184 40442c-404469 memcpy 183->184 184->179 185 40446f-404475 184->185 186 4044b4-4044e9 memcpy CreateThread 185->186 187 4044a8-4044b2 185->187 188 4044eb-40451a memcpy CreateThread 185->188 189 40447c-4044a6 memcpy call 40343b 185->189 186->179 
187->179 188->179 189->179
            APIs
              • Part of subcall function 004032D6: htons.WS2_32(0000150C), ref: 004032E9
              • Part of subcall function 004032D6: socket.WS2_32(00000002,00000001,00000000), ref: 00403309
              • Part of subcall function 004032D6: connect.WS2_32(?,00000002,00000010), ref: 0040331C
              • Part of subcall function 004032D6: closesocket.WS2_32(?), ref: 0040332B
            • strcpy.MSVCRT(?,SOFTWARE\Microsoft\Windows NT\CurrentVersion), ref: 00404028
            • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,000F003F,?), ref: 0040404A
            • RegQueryValueExA.ADVAPI32(?,ProductName,00000000,?,?,000000C8), ref: 00404081
            • RegCloseKey.ADVAPI32(?), ref: 0040408E
            • strstr.MSVCRT ref: 004040A0
            • strcpy.MSVCRT(?,Windows Server 2000), ref: 004040B8
            • GetSystemInfo.KERNEL32(?), ref: 0040426A
            • Sleep.KERNEL32(00000BB8), ref: 00404281
            • sprintf.MSVCRT ref: 004042AD
            • strlen.MSVCRT ref: 004042BE
            • send.WS2_32(00000000,?,-00000001,00000000), ref: 004042D8
            • closesocket.WS2_32(00000000), ref: 004042E9
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2030192685.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2030176936.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030206580.0000000000406000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030220474.0000000000407000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030236075.0000000000408000.00000004.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_file.jbxd
            Similarity
            • API ID: closesocketstrcpy$CloseInfoOpenQuerySleepSystemValueconnecthtonssendsocketsprintfstrlenstrstr
            • String ID: 2000$2003$2008$2012$@$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Vista$Windows 10$Windows 2012$Windows 7$Windows 8$Windows NT$Windows Server 2000$Windows Server 2003$Windows Server 2008$Windows Vista$Windows XP$XXOOXXOO:%s|%d|%d|%s
            • API String ID: 2276446589-4144121823
            • Opcode ID: 1a00aab1a2a436a703ab47969b9531ba76967906b80bea421ad8515685bde7b6
            • Instruction ID: 802e32aad8890fc60cc3bc0f9a75c956b0c585cd7c6da6b902cdcbc85f51d513
            • Opcode Fuzzy Hash: 1a00aab1a2a436a703ab47969b9531ba76967906b80bea421ad8515685bde7b6
            • Instruction Fuzzy Hash: 94D1B3B1900318A7DB20EB50DD49FAA7278AB94705F1085BFF709721C1EE799B84CF99
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.2030192685.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2030176936.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030206580.0000000000406000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030220474.0000000000407000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030236075.0000000000408000.00000004.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_file.jbxd
            Similarity
            • API ID: ??2@InfoSystemmemcpymemset
            • String ID:
            • API String ID: 1901411096-0
            • Opcode ID: 3b5abddb217f4ae06170e9385111b0eab8c62a40be7fed8196b49d535b0ec2cc
            • Instruction ID: e5b3322a5e119529ebe03db6c37c60a26b796171c60119775832e56069a878da
            • Opcode Fuzzy Hash: 3b5abddb217f4ae06170e9385111b0eab8c62a40be7fed8196b49d535b0ec2cc
            • Instruction Fuzzy Hash: 5F110A75E002089BCB08DFA8D885ADEB7B5EB98300F10C16AE8157B386D635E955CFA4

            Control-flow Graph

            control_flow_graph 68 4039fc-403a16 call 40395f 71 403a18 68->71 72 403a1d-403a53 strcpy RegOpenKeyExA 68->72 73 403f65-403f68 71->73 74 403a95-403aab strstr 72->74 75 403a55-403a8f RegQueryValueExA RegCloseKey 72->75 76 403ac6-403adc strstr 74->76 77 403aad-403ac1 strcpy 74->77 75->74 79 403af7-403b0d strstr 76->79 80 403ade-403af2 strcpy 76->80 78 403c59-403ce2 call 40333d GetSystemInfo Sleep sprintf strlen send 77->78 87 403ce4-403cf0 closesocket 78->87 88 403cf5-403d03 call 403393 78->88 82 403b28-403b3e strstr 79->82 83 403b0f-403b23 strcpy 79->83 80->78 85 403b40-403b54 strcpy 82->85 86 403b59-403b6f strstr 82->86 83->78 85->78 89 403b71-403b85 strcpy 86->89 90 403b8a-403ba0 strstr 86->90 87->73 97 403d06-403d0d 88->97 89->78 92 403ba2-403bb6 strcpy 90->92 93 403bbb-403bd1 strstr 90->93 92->78 95 403bd3-403be7 strcpy 93->95 96 403be9-403bff strstr 93->96 95->78 98 403c01-403c15 strcpy 96->98 99 403c17-403c2d strstr 96->99 100 403d13 97->100 101 403f58-403f5f closesocket 97->101 98->78 102 403c45-403c56 strcpy 99->102 103 403c2f-403c43 strcpy 99->103 104 403d1d-403d27 100->104 101->73 102->78 103->78 105 403d38-403d44 104->105 106 403d46-403d59 105->106 107 403d5f-403d6b 105->107 110 403d5b 106->110 111 403d5d 106->111 108 403d97-403d9b 107->108 109 403d6d-403d74 107->109 108->104 114 403d9d-403dc7 select 108->114 109->108 113 403d76-403d91 109->113 110->107 111->105 113->108 115 403dc9 114->115 116 403dce-403dd5 114->116 115->101 117 403f53 116->117 118 403ddb-403def __WSAFDIsSet 116->118 117->97 118->117 119 403df5-403e1d recv 118->119 120 403e28 119->120 121 403e1f-403e26 119->121 120->101 121->120 122 403e2d-403e6a memcpy 121->122 122->117 123 403e70-403e76 122->123 124 403f08-403f4d memcpy MessageBoxA CreateThread 123->124 125 403ebb-403f06 memcpy MessageBoxA CreateThread 123->125 126 403eac-403eb6 123->126 127 403e7d-403ea7 memcpy call 4036cd 123->127 124->117 125->117 126->117 127->117
            APIs
              • Part of subcall function 0040395F: htons.WS2_32(00000015), ref: 004039A9
              • Part of subcall function 0040395F: socket.WS2_32(00000002,00000001,00000000), ref: 004039C8
              • Part of subcall function 0040395F: connect.WS2_32(?,00000002,00000010), ref: 004039DB
              • Part of subcall function 0040395F: closesocket.WS2_32(?), ref: 004039EA
            • strcpy.MSVCRT(?,SOFTWARE\Microsoft\Windows NT\CurrentVersion), ref: 00403A29
            • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,000F003F,?), ref: 00403A4B
            • RegQueryValueExA.ADVAPI32(?,ProductName,00000000,?,?,000000C8), ref: 00403A82
            • RegCloseKey.ADVAPI32(?), ref: 00403A8F
            • strstr.MSVCRT ref: 00403AA1
            • strcpy.MSVCRT(?,Windows Server 2000), ref: 00403AB9
            • GetSystemInfo.KERNEL32(?), ref: 00403C6B
            • Sleep.KERNEL32(00000BB8), ref: 00403C82
            • sprintf.MSVCRT ref: 00403CAE
            • strlen.MSVCRT ref: 00403CBF
            • send.WS2_32(00000000,?,-00000001,00000000), ref: 00403CD9
            • closesocket.WS2_32(00000000), ref: 00403CEA
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2030192685.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2030176936.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030206580.0000000000406000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030220474.0000000000407000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030236075.0000000000408000.00000004.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_file.jbxd
            Similarity
            • API ID: closesocketstrcpy$CloseInfoOpenQuerySleepSystemValueconnecthtonssendsocketsprintfstrlenstrstr
            • String ID: 2000$2003$2008$2012$@$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Vista$Windows 10$Windows 2012$Windows 7$Windows 8$Windows NT$Windows Server 2000$Windows Server 2003$Windows Server 2008$Windows Vista$Windows XP$XXOOXXOO:%s|%d|%d|%s
            • API String ID: 2276446589-4144121823
            • Opcode ID: 00a7f91b9c0966fb5a9910401efcf838a6505e27283ee2cbc6bc2790fef36d28
            • Instruction ID: f235cde1a917e1bc2804ff82b889cdad9888d1a5da00452829f42721623e6625
            • Opcode Fuzzy Hash: 00a7f91b9c0966fb5a9910401efcf838a6505e27283ee2cbc6bc2790fef36d28
            • Instruction Fuzzy Hash: 01D1BF71900218ABDB20EF60DD45FAA7738AB44701F1085BEF609B61C1EF799B84CF99
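            The function above (0x4039fc) reads ProductName from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion, normalises it through a chain of strstr tests into one of the OS labels in the string list, calls GetSystemInfo, sleeps 3 s (Sleep(0xBB8)) and then sends a string built with the format XXOOXXOO:%s|%d|%d|%s over the socket opened by the subcall at 0x40395f, after which it enters a select/recv loop that copies the received buffer and dispatches to CreateThread or to the thread launcher at 0x4036cd. The parser below is an added example for detection use, not code from the sample and not Joe Sandbox output. It assumes the first %s is the OS label; the meaning of the two %d fields and of the trailing %s is not established by the report, so they are carried through as opaque values. The sample payloads are constructed.

```python
"""Parse the check-in message the sample sends after connecting to its C2.

Added example (not the sample's code). Only the first field's meaning is
known from the report; the rest are parsed but not interpreted.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

BEACON_PREFIX = b"XXOOXXOO:"

# OS labels the sample copies into the beacon, taken from the report's
# string list for this function.
KNOWN_OS_LABELS = {
    "Windows Server 2000", "Windows Server 2003", "Windows Server 2008",
    "Windows 2012", "Windows XP", "Windows Vista", "Windows 7", "Windows 8",
    "Windows 10", "Windows NT",
}

# Format string from the report: XXOOXXOO:%s|%d|%d|%s
# The last %s may itself contain '|' so it is matched greedily to the end.
_BEACON_RE = re.compile(rb"^XXOOXXOO:([^|]*)\|(-?\d+)\|(-?\d+)\|(.*)$", re.DOTALL)


@dataclass
class Beacon:
    os_label: str
    field1: int        # first %d (assumption: follows GetSystemInfo; meaning unknown)
    field2: int        # second %d (meaning unknown)
    tail: str          # trailing %s (meaning unknown)
    known_os: bool     # os_label is one of the labels the sample can emit


def parse_beacon(payload: bytes) -> Optional[Beacon]:
    """Return a Beacon if payload is a check-in message, else None."""
    m = _BEACON_RE.match(payload)
    if not m:
        return None
    os_label = m.group(1).decode("latin-1")
    tail = m.group(4).decode("latin-1").rstrip("\x00")
    return Beacon(os_label, int(m.group(2)), int(m.group(3)), tail,
                  os_label in KNOWN_OS_LABELS)


def find_beacons(payloads: Iterable[bytes]) -> List[Tuple[int, Beacon]]:
    """Scan a sequence of TCP payloads (for example the first client-to-server
    segment of each connection) and return (index, Beacon) for every hit."""
    hits = []
    for i, p in enumerate(payloads):
        b = parse_beacon(p)
        if b is not None:
            hits.append((i, b))
    return hits


if __name__ == "__main__":
    # Constructed traffic: one benign HTTP request and two beacons.
    sample = [
        b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
        b"XXOOXXOO:Windows 7|2|1|abc",
        b"XXOOXXOO:Unknown OS|0|0|x|y",
    ]
    for idx, beacon in find_beacons(sample):
        print(idx, beacon)
```

            Because the sample sends the beacon immediately after connect() and a fixed 3 s sleep, matching only the first client segment of each outbound TCP connection keeps the scan cheap; a beacon with known_os False still deserves an alert, since the prefix alone is specific.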

            Control-flow Graph

            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2030192685.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2030176936.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030206580.0000000000406000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030220474.0000000000407000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030236075.0000000000408000.00000004.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_file.jbxd
            Similarity
            • API ID: htonsmemcpyrand$inet_addr$fprintfhtonlmemsetsetsockopt$ErrorLastSocketStartup_local_unwind2gethostbynameprintfsprintf
            • String ID: %d.%d.%d.%d$($E$P$Set IP_HDRINCL Error!$WSASocket() failed: %d$WSAStartup failed: %d
            • API String ID: 1846842347-878675699
            • Opcode ID: da3699f669ba1dd641337ea84b96e98e7900e972e274363b06437990af5d0c14
            • Instruction ID: 20e9b25a680cac92a1dac3749700d9e4e1997eb56ab2c98728ddf45d447b9358
            • Opcode Fuzzy Hash: da3699f669ba1dd641337ea84b96e98e7900e972e274363b06437990af5d0c14
            • Instruction Fuzzy Hash: F9D16AB1D503199BEB20DB60CC49FDEB778AF48704F0041AAE169B62C1E6F917C48F69

            Control-flow Graph

            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2030192685.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2030176936.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030206580.0000000000406000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030220474.0000000000407000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030236075.0000000000408000.00000004.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_file.jbxd
            Similarity
            • API ID: htonsmemcpyrand$inet_addr$fprintfhtonlmemsetsetsockopt$ErrorLastSocketStartup_local_unwind2gethostbynameprintfsprintf
            • String ID: %d.%d.%d.%d$($E$P$Set IP_HDRINCL Error!$WSASocket() failed: %d$WSAStartup failed: %d
            • API String ID: 1846842347-878675699
            • Opcode ID: e5ff427615f747fd6b5e7bcd6e710d3d37d062b9ea958ecb812e4d7084f4bad3
            • Instruction ID: 5e59592a32ad7a4f9840655d7ec24cf65f5d3b10420301201df7bd79668f1317
            • Opcode Fuzzy Hash: e5ff427615f747fd6b5e7bcd6e710d3d37d062b9ea958ecb812e4d7084f4bad3
            • Instruction Fuzzy Hash: BFD17BB1D503199BDB20DB60CC49FDEB778AF48704F0045EAE169B62D1E6B907C48F6A

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 254 402ec7-402f3d LoadLibraryA GetProcAddress 256 402f56-402f88 GetProcAddress 254->256 257 402f3f-402f43 254->257 262 402fa1-402fc7 CreateFileA 256->262 263 402f8a-402f8e 256->263 258 402f45-402f49 FreeLibrary 257->258 259 402f4f-402f51 257->259 258->259 260 4030b6-4030b9 259->260 266 403078-4030a7 Sleep GetProcAddress 262->266 267 402fcd-403019 memset GetProcAddress 262->267 264 402f90-402f94 FreeLibrary 263->264 265 402f9a-402f9c 263->265 264->265 265->260 275 4030b3 266->275 276 4030a9-4030ad FreeLibrary 266->276 270 403033-403065 WriteFile 267->270 271 40301b-40302b 267->271 270->267 273 40306b-403072 CloseHandle 270->273 271->270 272 40302d-403031 271->272 272->273 273->266 275->260 276->275
            APIs
            • LoadLibraryA.KERNEL32(wininet.dll), ref: 00402F05
            • GetProcAddress.KERNEL32(?,InternetOpenA), ref: 00402F17
            • FreeLibrary.KERNEL32(00000000), ref: 00402F49
            • GetProcAddress.KERNEL32(?,InternetOpenUrlA), ref: 00402F5F
            • FreeLibrary.KERNEL32(00000000), ref: 00402F94
            • CreateFileA.KERNEL32(00000001,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00402FB4
            • memset.MSVCRT ref: 00402FDB
            • GetProcAddress.KERNEL32(?,InternetReadFile), ref: 00402FEC
            • WriteFile.KERNEL32(000000FF,?,00000000,00000000,00000000), ref: 00403058
            • CloseHandle.KERNEL32(000000FF), ref: 00403072
            • Sleep.KERNEL32(00000001), ref: 0040307A
            • GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 00403089
            • FreeLibrary.KERNEL32(00000000), ref: 004030AD
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2030192685.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2030176936.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030206580.0000000000406000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030220474.0000000000407000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030236075.0000000000408000.00000004.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_file.jbxd
            Similarity
            • API ID: AddressLibraryProc$Free$File$CloseCreateHandleLoadSleepWritememset
            • String ID: InternetCloseHandle$InternetOpenA$InternetOpenUrlA$InternetReadFile$MSIE 6.0$wininet.dll
            • API String ID: 683241894-4269851202
            • Opcode ID: 95cb8328261dceeb03cc35ea7d77830b9ff5521f34750c3da9d8994d616deb61
            • Instruction ID: 22ba6335609661dcd7fd72d8973190791ee57a9960577a8202563918c44b35b4
            • Opcode Fuzzy Hash: 95cb8328261dceeb03cc35ea7d77830b9ff5521f34750c3da9d8994d616deb61
            • Instruction Fuzzy Hash: 7551F1B5A40218AFDB20DFA0CD49BEE7B74AF08705F5041A9F606B62C0C7795A85CF5D

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 321 4036cd-4036da 322 4036e1-40370b 321->322 323 4036dc 321->323 324 40393b-40393e 322->324 325 403711-403714 322->325 323->324 326 403760-403767 325->326 327 403874-40387b 325->327 328 4037a5-4037ac 325->328 329 4038b9-4038c0 325->329 330 4037ea-4037f1 325->330 331 40371b-403722 325->331 332 4038fb-403902 325->332 333 40382f-403836 325->333 337 403772-40377e 326->337 338 403886-403892 327->338 339 4037b7-4037c3 328->339 340 4038cb-4038d7 329->340 341 4037fc-403808 330->341 334 40372d-403739 331->334 335 40390d-403919 332->335 336 403841-40384d 333->336 346 40375b 334->346 347 40373b-403759 CreateThread CloseHandle 334->347 335->324 348 40391b-403939 CreateThread CloseHandle 335->348 349 40386f 336->349 350 40384f-40386d CreateThread CloseHandle 336->350 351 4037a0 337->351 352 403780-40379e CreateThread CloseHandle 337->352 353 4038b4 338->353 354 403894-4038b2 CreateThread CloseHandle 338->354 355 4037e5 339->355 356 4037c5-4037e3 CreateThread CloseHandle 339->356 342 4038f9 340->342 343 4038d9-4038f7 CreateThread CloseHandle 340->343 344 40382a 341->344 345 40380a-403828 CreateThread CloseHandle 341->345 342->324 343->340 344->324 345->341 346->324 347->334 348->335 349->324 350->336 351->324 352->337 353->324 354->338 355->324 356->339
            Memory Dump Source
            • Source File: 00000000.00000002.2030192685.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2030176936.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030206580.0000000000406000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030220474.0000000000407000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030236075.0000000000408000.00000004.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_file.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5b4cb4dbb08bd3c5ac4bc471a37251c35482052054573a4338dc82b526bcd5fe
            • Instruction ID: 12057715b15e4bff95f6bbdf1a98955074afccefc94fdebf973198f540c6e4b2
            • Opcode Fuzzy Hash: 5b4cb4dbb08bd3c5ac4bc471a37251c35482052054573a4338dc82b526bcd5fe
            • Instruction Fuzzy Hash: A371FFB0644204FBDB04CF94CE89FAD7BB5BB44705F2080AAF5467B2D0C7B96B41AB59

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 277 40343b-403448 278 40344a 277->278 279 40344f-403479 277->279 280 4036a9-4036ac 278->280 279->280 281 40347f-403482 279->281 282 4035e2-4035e9 281->282 283 403513-40351a 281->283 284 403627-40362e 281->284 285 403558-40355f 281->285 286 403489-403490 281->286 287 403669-403670 281->287 288 40359d-4035a4 281->288 289 4034ce-4034d5 281->289 297 4035f4-403600 282->297 290 403525-403531 283->290 291 403639-403645 284->291 292 40356a-403576 285->292 293 40349b-4034a7 286->293 294 40367b-403687 287->294 295 4035af-4035bb 288->295 296 4034e0-4034ec 289->296 300 403553 290->300 301 403533-403551 CreateThread CloseHandle 290->301 302 403667 291->302 303 403647-403665 CreateThread CloseHandle 291->303 304 403598 292->304 305 403578-403596 CreateThread CloseHandle 292->305 306 4034c9 293->306 307 4034a9-4034c7 CreateThread CloseHandle 293->307 294->280 308 403689-4036a7 CreateThread CloseHandle 294->308 309 4035dd 295->309 310 4035bd-4035db CreateThread CloseHandle 295->310 311 40350e 296->311 312 4034ee-40350c CreateThread CloseHandle 296->312 298 403622 297->298 299 403602-403620 CreateThread CloseHandle 297->299 298->280 299->297 300->280 301->290 302->280 303->291 304->280 305->292 306->280 307->293 308->294 309->280 310->295 311->280 312->296
            Memory Dump Source
            • Source File: 00000000.00000002.2030192685.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2030176936.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030206580.0000000000406000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030220474.0000000000407000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030236075.0000000000408000.00000004.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_file.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 172c1c28881b180fd94eea58cf0f15981e052242e26dd09486257aa3f6aa364c
            • Instruction ID: 517ef12de7895c2b57f2298a320f9cec570e0d57db15f344f1775425e9bba1ef
            • Opcode Fuzzy Hash: 172c1c28881b180fd94eea58cf0f15981e052242e26dd09486257aa3f6aa364c
            • Instruction Fuzzy Hash: C2713A70644208FBDB04CF90DD49BAD7BB9BB44706F30806AF6467B2D0C7B96B41AB59

            Control-flow Graph

            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2030192685.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2030176936.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030206580.0000000000406000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030220474.0000000000407000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030236075.0000000000408000.00000004.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_file.jbxd
            Similarity
            • API ID: ExitThreadclosesocketmemcpysendstrlenwsprintf
            • String ID: %c%c%c%c%c%c%c%c%s$%c%c%c%c%c%c%c%c.%s
            • API String ID: 3102603583-3176756361
            • Opcode ID: 71c34f0ced3861ba9fe66cc5bf42b470322efc773240954c9547cde8edfd6dc6
            • Instruction ID: 1238b62af3d0bdbc50e0538c59d979ba8e13356075ec0e44a509e34ce2249e5e
            • Opcode Fuzzy Hash: 71c34f0ced3861ba9fe66cc5bf42b470322efc773240954c9547cde8edfd6dc6
            • Instruction Fuzzy Hash: 165164F3E4010877EF44ABA0EC47FAE7168AB54304F0440B6FB09B92D2F575AB554A6B

            Control-flow Graph

            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2030192685.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2030176936.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030206580.0000000000406000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030220474.0000000000407000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030236075.0000000000408000.00000004.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_file.jbxd
            Similarity
            • API ID: ExitThreadclosesocketmemcpysendstrlenwsprintf
            • String ID: %c%c%c%c%c%c%c%c%s$%c%c%c%c%c%c%c%c.%s
            • API String ID: 3102603583-3176756361
            • Opcode ID: ca8fa067eefdb34945f2d4bd4bea33a4e068cb74d718b52d8bdf502316294f29
            • Instruction ID: 929e72273ec245c799fcb709ae5862dbe23c1d79b34a1fee0b5b2dab238f489c
            • Opcode Fuzzy Hash: ca8fa067eefdb34945f2d4bd4bea33a4e068cb74d718b52d8bdf502316294f29
            • Instruction Fuzzy Hash: C75177F3E4010877EF4467A0DC47FAE7268AB54304F0440B5FB09B92D2F575AB554A6B
            APIs
            • memcpy.MSVCRT(?,?,00000118), ref: 00402BEC
            • wsprintfA.USER32 ref: 00402C30
              • Part of subcall function 004010DA: inet_addr.WS2_32(?), ref: 004010E4
              • Part of subcall function 004010DA: gethostbyname.WS2_32(?), ref: 004010F7
              • Part of subcall function 00401074: socket.WS2_32(00000002,00000001,00000000), ref: 00401080
            • wsprintfA.USER32 ref: 00402C5C
            • ExitThread.KERNEL32 ref: 00402C79
            • strlen.MSVCRT ref: 00402CAD
            • send.WS2_32(?,00000000,-00000001,00000000), ref: 00402CC7
            • closesocket.WS2_32(?), ref: 00402CD4
            • Sleep.KERNEL32(00000032), ref: 00402CDC
            Strings
            • P, xrefs: 00402C0D
            • POST %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:M, xrefs: 00402C24
            • GET %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:Mo, xrefs: 00402C50
            Memory Dump Source
            • Source File: 00000000.00000002.2030192685.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2030176936.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030206580.0000000000406000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030220474.0000000000407000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030236075.0000000000408000.00000004.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_file.jbxd
            Similarity
            • API ID: wsprintf$ExitSleepThreadclosesocketgethostbynameinet_addrmemcpysendsocketstrlen
            • String ID: GET %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:Mo$P$POST %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:M
            • API String ID: 154462434-1912558112
            • Opcode ID: df110f8bc908860bb4162b2fdcc99f3b9363853b4f998da4e01779a3e2c3f2d0
            • Instruction ID: 8896fb7e1c9864b4baf9e6d5e8a865d74aea116e9e1a1b5532e7031fe9cde2ae
            • Opcode Fuzzy Hash: df110f8bc908860bb4162b2fdcc99f3b9363853b4f998da4e01779a3e2c3f2d0
            • Instruction Fuzzy Hash: 3231A4F2900118ABDB14DB64CD49FDF7778AB48301F0045FAE70AB6281E6745B958F59
            APIs
            • memcpy.MSVCRT(?,?,00000118), ref: 00401C8C
            • wsprintfA.USER32 ref: 00401CD0
              • Part of subcall function 004010DA: inet_addr.WS2_32(?), ref: 004010E4
              • Part of subcall function 004010DA: gethostbyname.WS2_32(?), ref: 004010F7
              • Part of subcall function 00401074: socket.WS2_32(00000002,00000001,00000000), ref: 00401080
            • wsprintfA.USER32 ref: 00401CFC
            • ExitThread.KERNEL32 ref: 00401D19
            • strlen.MSVCRT ref: 00401D4D
            • send.WS2_32(?,00000000,-00000001,00000000), ref: 00401D67
            • closesocket.WS2_32(?), ref: 00401D74
            • Sleep.KERNEL32(00000032), ref: 00401D7C
            Strings
            • GET %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:Mo, xrefs: 00401CC4
            • P, xrefs: 00401CAD
            • GET %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:Mo, xrefs: 00401CF0
            Memory Dump Source
            • Source File: 00000000.00000002.2030192685.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2030176936.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030206580.0000000000406000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030220474.0000000000407000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030236075.0000000000408000.00000004.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_file.jbxd
            Similarity
            • API ID: wsprintf$ExitSleepThreadclosesocketgethostbynameinet_addrmemcpysendsocketstrlen
            • String ID: GET %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:Mo$GET %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:Mo$P
            • API String ID: 154462434-2388081876
            • Opcode ID: 53183e0abc2f4f9f1189f1a366ac6c965d2657aaee48a759cbac26da2936ec1e
            • Instruction ID: 45b6686e291ba135dd7788b18d7bce6fc68adcbb1477829a5583968df3fa6b54
            • Opcode Fuzzy Hash: 53183e0abc2f4f9f1189f1a366ac6c965d2657aaee48a759cbac26da2936ec1e
            • Instruction Fuzzy Hash: 9C31D4F2D00118ABDB10DB64DC45FEB7778AF48301F0045BAE70AB2191E6746B858F69
            APIs
            • memcpy.MSVCRT(?,?,00000118), ref: 00402D0D
            • wsprintfA.USER32 ref: 00402D51
              • Part of subcall function 004010DA: inet_addr.WS2_32(?), ref: 004010E4
              • Part of subcall function 004010DA: gethostbyname.WS2_32(?), ref: 004010F7
              • Part of subcall function 00401074: socket.WS2_32(00000002,00000001,00000000), ref: 00401080
            • wsprintfA.USER32 ref: 00402D7D
            • ExitThread.KERNEL32 ref: 00402D9A
            • strlen.MSVCRT ref: 00402DCE
            • send.WS2_32(?,00000000,-00000001,00000000), ref: 00402DE8
            • closesocket.WS2_32(?), ref: 00402DF5
            • Sleep.KERNEL32(00000032), ref: 00402DFD
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2030192685.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2030176936.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030206580.0000000000406000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030220474.0000000000407000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030236075.0000000000408000.00000004.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_file.jbxd
            Similarity
            • API ID: wsprintf$ExitSleepThreadclosesocketgethostbynameinet_addrmemcpysendsocketstrlen
            • String ID: GET %s HTTP/1.1Host: %s$GET %s HTTP/1.1Host: %s:%d$P
            • API String ID: 154462434-1069297859
            • Opcode ID: 8f2ac87358f9a8d5d2bd41150b58849e2fd3683b15391c02120d2f6df87ff6ce
            • Instruction ID: fff3a6067a2630bb3bc1e9f737657de35c2815911e891584a9d2263832ca7c7d
            • Opcode Fuzzy Hash: 8f2ac87358f9a8d5d2bd41150b58849e2fd3683b15391c02120d2f6df87ff6ce
            • Instruction Fuzzy Hash: 4231C4F2900218ABDB10DB54CD45FDB777CAF48301F0041BAE70AB6181E6745B858FA9
            APIs
            • memcpy.MSVCRT(?,?,00000118), ref: 00401DAD
            • wsprintfA.USER32 ref: 00401DF1
              • Part of subcall function 004010DA: inet_addr.WS2_32(?), ref: 004010E4
              • Part of subcall function 004010DA: gethostbyname.WS2_32(?), ref: 004010F7
              • Part of subcall function 00401074: socket.WS2_32(00000002,00000001,00000000), ref: 00401080
            • wsprintfA.USER32 ref: 00401E1D
            • ExitThread.KERNEL32 ref: 00401E3A
            • strlen.MSVCRT ref: 00401E6E
            • send.WS2_32(?,00000000,-00000001,00000000), ref: 00401E88
            • closesocket.WS2_32(?), ref: 00401E95
            • Sleep.KERNEL32(00000032), ref: 00401E9D
            Strings
            • POST %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:M, xrefs: 00401DE5
            • P, xrefs: 00401DCE
            • GET %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:Mo, xrefs: 00401E11
            Memory Dump Source
            • Source File: 00000000.00000002.2030192685.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2030176936.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030206580.0000000000406000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030220474.0000000000407000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030236075.0000000000408000.00000004.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_file.jbxd
            Similarity
            • API ID: wsprintf$ExitSleepThreadclosesocketgethostbynameinet_addrmemcpysendsocketstrlen
            • String ID: GET %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:Mo$P$POST %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:M
            • API String ID: 154462434-1912558112
            • Opcode ID: 2af80075af831c4008d09f3f96540f850d6949dcbfe8ab437d85dd57497d2db9
            • Instruction ID: a6b99945afbe447f8bdaecfe330ce57f9cdbf6324ea44ce5b564f32879747ad1
            • Opcode Fuzzy Hash: 2af80075af831c4008d09f3f96540f850d6949dcbfe8ab437d85dd57497d2db9
            • Instruction Fuzzy Hash: 7731D4F2D00118ABDB10DB64CC45FEFB378AF48301F0041BAE70AB6191E6746B958FA9
            APIs
            • memcpy.MSVCRT(?,?,00000118), ref: 00402ACB
            • wsprintfA.USER32 ref: 00402B0F
              • Part of subcall function 004010DA: inet_addr.WS2_32(?), ref: 004010E4
              • Part of subcall function 004010DA: gethostbyname.WS2_32(?), ref: 004010F7
              • Part of subcall function 00401074: socket.WS2_32(00000002,00000001,00000000), ref: 00401080
            • wsprintfA.USER32 ref: 00402B3B
            • ExitThread.KERNEL32 ref: 00402B58
            • strlen.MSVCRT ref: 00402B8C
            • send.WS2_32(?,00000000,-00000001,00000000), ref: 00402BA6
            • closesocket.WS2_32(?), ref: 00402BB3
            • Sleep.KERNEL32(00000032), ref: 00402BBB
            Strings
            • GET %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:Mo, xrefs: 00402B2F
            • P, xrefs: 00402AEC
            • GET %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:Mo, xrefs: 00402B03
            Memory Dump Source
            • Source File: 00000000.00000002.2030192685.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2030176936.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030206580.0000000000406000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030220474.0000000000407000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030236075.0000000000408000.00000004.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_file.jbxd
            Similarity
            • API ID: wsprintf$ExitSleepThreadclosesocketgethostbynameinet_addrmemcpysendsocketstrlen
            • String ID: GET %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:Mo$GET %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:Mo$P
            • API String ID: 154462434-2388081876
            • Opcode ID: 9298624c8e1cd6283d0ab6827bce019e84d39c546a8de6f8c5644b108d3af92e
            • Instruction ID: b23db13192b3788b63b1b506df417dcc76435c4f3cc11f61f17a21f45d5f02b5
            • Opcode Fuzzy Hash: 9298624c8e1cd6283d0ab6827bce019e84d39c546a8de6f8c5644b108d3af92e
            • Instruction Fuzzy Hash: 6D31B3F2900118ABDB14DB64CD45FDBB778AB44301F0041FAE70AB6181E6746B958F69
            APIs
            • memcpy.MSVCRT(?,?,00000118), ref: 00401ECE
            • wsprintfA.USER32 ref: 00401F12
              • Part of subcall function 004010DA: inet_addr.WS2_32(?), ref: 004010E4
              • Part of subcall function 004010DA: gethostbyname.WS2_32(?), ref: 004010F7
              • Part of subcall function 00401074: socket.WS2_32(00000002,00000001,00000000), ref: 00401080
            • wsprintfA.USER32 ref: 00401F3E
            • ExitThread.KERNEL32 ref: 00401F5B
            • strlen.MSVCRT ref: 00401F8F
            • send.WS2_32(?,00000000,-00000001,00000000), ref: 00401FA9
            • closesocket.WS2_32(?), ref: 00401FB6
            • Sleep.KERNEL32(00000032), ref: 00401FBE
            Similarity
            • API ID: wsprintf$ExitSleepThreadclosesocketgethostbynameinet_addrmemcpysendsocketstrlen
            • String ID: GET %s HTTP/1.1Host: %s$GET %s HTTP/1.1Host: %s:%d$P
            • API String ID: 154462434-1069297859
            • Opcode ID: ee66044a3dc641d93d1b3e0c30ead929e13fdc4d5c83b316f3624db1efc017d3
            • Instruction ID: eca8cc41eef249492272eb02307d9ef7a06d7c075444b2e363efce4dd12abecc
            • Opcode Fuzzy Hash: ee66044a3dc641d93d1b3e0c30ead929e13fdc4d5c83b316f3624db1efc017d3
            • Instruction Fuzzy Hash: 8C31A4F2900118ABDB10DBA4CC45FDB7778AF48301F0045FAE70AB6191E7755B958F59
            APIs
            • GetModuleHandleA.KERNEL32(ntdll,NtQuerySystemInformation), ref: 00405185
            • GetProcAddress.KERNEL32(00000000), ref: 0040518C
            Similarity
            • API ID: AddressHandleModuleProc
            • String ID: NtQuerySystemInformation$ntdll
            • API String ID: 1646373207-3593917365
            • Opcode ID: c4be4d57a3522ae43abd89f4c0ee8544aa4e2301068ec1a9cad122ca17f8694d
            • Instruction ID: 3264232e6a7bfee26da61973510c67d1dacd9247a3d6e3d6b7b8354ee11b32c5
            • Opcode Fuzzy Hash: c4be4d57a3522ae43abd89f4c0ee8544aa4e2301068ec1a9cad122ca17f8694d
            • Instruction Fuzzy Hash: 14C12C74A00609DFDB28CF54DA95B9EB7B5FB58310F21816DD806AB392CB34E952CF84
            Similarity
            • API ID: ??2@??3@memcpystrlenstrrchr
            • String ID: D
            • API String ID: 2685092370-2746444292
            • Opcode ID: 95e34ce429fc10a3249ac51d20dd093f4ba7e8e7093b3f8e0ca4c3437270c73f
            • Instruction ID: 9a0e29f2f4d9fd1375a805a68f984a3708dc3e3ffaf2d3f3e0abf3b5249a97fc
            • Opcode Fuzzy Hash: 95e34ce429fc10a3249ac51d20dd093f4ba7e8e7093b3f8e0ca4c3437270c73f
            • Instruction Fuzzy Hash: A8315EF1D002099BDB00DFE4CC4ABAFBBB9AF48304F10453AE505BB281E6799A45CB95
            Similarity
            • API ID: ExitSleepThreadclosesocketmemcpysendstrlenwsprintf
            • String ID: GET %s HTTP/1.1
            • API String ID: 2428105366-1228824774
            • Opcode ID: af700700319e85517c0fe3d12fd47b262259b98475dde106fc30792fa5e9a691
            • Instruction ID: 87035f9a59ba0ee08f4bfd36adc0c1830135b250edc15aaf9ee70e326725c221
            • Opcode Fuzzy Hash: af700700319e85517c0fe3d12fd47b262259b98475dde106fc30792fa5e9a691
            • Instruction Fuzzy Hash: 7821A4F2900208ABD710DB64DD45FEB7778AB84301F0045BAE705B6291EA359B558F99
            Similarity
            • API ID: ExitSleepThreadclosesocketmemcpysendstrlenwsprintf
            • String ID: GET %s HTTP/1.1
            • API String ID: 2428105366-1228824774
            • Opcode ID: abf6eaf39c44e4efa543fdfe644cfdebd91817a6c5e60f155f5642da00b30941
            • Instruction ID: 7d9b9eb363a0a16c27ceb9e8e5b29316b7b1e4974faf4cbd78f1f8191bc3b6ca
            • Opcode Fuzzy Hash: abf6eaf39c44e4efa543fdfe644cfdebd91817a6c5e60f155f5642da00b30941
            • Instruction Fuzzy Hash: A321C6B2900208ABD710DB64DD45FEF777CAF88301F0085B9E709B62C1EA759B558F59
            APIs
            • RegisterServiceCtrlHandlerA.ADVAPI32(phqghumeay,004046DA), ref: 0040460B
            • SetServiceStatus.ADVAPI32(00000000,004084F0), ref: 0040465D
            • Sleep.KERNEL32(000001F4), ref: 00404672
            • SetServiceStatus.ADVAPI32(00000000,004084F0), ref: 0040468E
            • WSAStartup.WS2_32(00000202,?), ref: 004046A0
            • CreateThread.KERNEL32(00000000,00000000,Function_00003F79,00000000,00000000,00000000), ref: 004046B5
            • Sleep.KERNEL32(000001F4), ref: 004046CE
            Similarity
            • API ID: Service$SleepStatus$CreateCtrlHandlerRegisterStartupThread
            • String ID: phqghumeay
            • API String ID: 2259269688-3681123028
            • Opcode ID: 031517925a19d44b7b87a93e304b076f8e829e226e20a6f13bb548c47de79449
            • Instruction ID: e787513983a48fdee6ca49b53397f8218b7f537956fa0234dcbf9c9ae5bf48b0
            • Opcode Fuzzy Hash: 031517925a19d44b7b87a93e304b076f8e829e226e20a6f13bb548c47de79449
            • Instruction Fuzzy Hash: 70110970684303ABE3109F60EF0EF553AA4A744709F10443DBA467A2E3EBB964549FAD
            APIs
            • memcpy.MSVCRT(?,?,00000118), ref: 004017E9
            • WSAStartup.WS2_32(00000202,?), ref: 004017FD
            • WSASocketA.WS2_32(00000002,00000003,00000001,00000000,00000000,00000001), ref: 00401819
            • setsockopt.WS2_32(000000FF,0000FFFF,00001005,000007D0,00000004), ref: 0040184F
            Similarity
            • API ID: SocketStartupmemcpysetsockopt
            • String ID:
            • API String ID: 1414131647-0
            • Opcode ID: 5987cc774e7c0e4cf83971a2b8de4bd1eb5fb853af5b1f8313979153893f5a13
            • Instruction ID: ae193bf8e6dfcf6be80bea22a789e91b64a13073cf49401c26853e4a959efe62
            • Opcode Fuzzy Hash: 5987cc774e7c0e4cf83971a2b8de4bd1eb5fb853af5b1f8313979153893f5a13
            • Instruction Fuzzy Hash: DF4153B1900218DAFB60DB64DD49FAA7774AF04704F1046FAE60EB62D1DBB41A88CF56
            APIs
            • memcpy.MSVCRT(?,?,00000118), ref: 00402628
            • WSAStartup.WS2_32(00000202,?), ref: 0040263C
            • WSASocketA.WS2_32(00000002,00000003,00000001,00000000,00000000,00000001), ref: 00402658
            • setsockopt.WS2_32(000000FF,0000FFFF,00001005,000007D0,00000004), ref: 0040268E
            Similarity
            • API ID: SocketStartupmemcpysetsockopt
            • String ID:
            • API String ID: 1414131647-0
            • Opcode ID: a103d9dbe7e42f3d492da224d946d619c555e856eb256a1171765b8bea5a4613
            • Instruction ID: ebcde8c040ba5c605652543b5f3693abec3ce4aa0523f0b3af999954ffa1b85e
            • Opcode Fuzzy Hash: a103d9dbe7e42f3d492da224d946d619c555e856eb256a1171765b8bea5a4613
            • Instruction Fuzzy Hash: 844144749403189AFB64DB64DD4DF9A7374BF04704F1046FAE60DB62C1DBB41A888F56
            APIs
            • SetServiceStatus.ADVAPI32(00000000,004084F0), ref: 00404720
            • Sleep.KERNEL32(000001F4), ref: 0040472B
            • SetServiceStatus.ADVAPI32(00000000,004084F0), ref: 0040476A
            • Sleep.KERNEL32(000001F4), ref: 00404775
            • SetServiceStatus.ADVAPI32(00000000,004084F0), ref: 004047B4
            • Sleep.KERNEL32(000001F4), ref: 004047BF
            • SetServiceStatus.ADVAPI32(00000000,004084F0), ref: 004047FA
            • Sleep.KERNEL32(000001F4), ref: 00404805
            • SetServiceStatus.ADVAPI32(00000000,004084F0), ref: 0040482B
            Similarity
            • API ID: ServiceStatus$Sleep
            • String ID:
            • API String ID: 4108286180-0
            • Opcode ID: 7b9259c6701b6267053f848a5fdc2b24f879cc77d11c1c6f7a47b8c7cae808c0
            • Instruction ID: 7d708cc0f453a7ab1292acc82068290849e9b87896a347453b50e982a4755dd7
            • Opcode Fuzzy Hash: 7b9259c6701b6267053f848a5fdc2b24f879cc77d11c1c6f7a47b8c7cae808c0
            • Instruction Fuzzy Hash: 4331D0B1541202EFD344DF54EF08B463BA9A744308F10803DE782772A3EFBA6584AB5C
            APIs
            • GetIfTable.IPHLPAPI(00000000,00000000,00000001), ref: 00405A40
            • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000001), ref: 00405A5F
            • GetIfTable.IPHLPAPI(00000000,00000000,00000001), ref: 00405A80
            Similarity
            • API ID: Table$??2@
            • String ID: z
            • API String ID: 3055424098-1657960367
            • Opcode ID: 9c6b0a12ce9f2ccbaa7304c5aeae0112cad770da942ba275c552d3110d3eed4b
            • Instruction ID: 7f82c094eb5475c471e1d07be25d9791ccb12e02723633ca1eb636df58f5aea8
            • Opcode Fuzzy Hash: 9c6b0a12ce9f2ccbaa7304c5aeae0112cad770da942ba275c552d3110d3eed4b
            • Instruction Fuzzy Hash: AD81D674D00619EFDB14CF54DA84B9EBBB5FB49304F1081AAE409B7390DB786A85CF48
            APIs
            • strlen.MSVCRT ref: 00403212
            • ??2@YAPAXI@Z.MSVCRT(-00000001), ref: 00403231
            • memcpy.MSVCRT(00000000,?,-00000001), ref: 00403251
            • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 004032A9
            • ??3@YAXPAX@Z.MSVCRT(?), ref: 004032B9
            • CloseHandle.KERNEL32(?), ref: 004032C5
            Similarity
            • API ID: ??2@??3@CloseCreateHandleProcessmemcpystrlen
            • String ID: D
            • API String ID: 3685439360-2746444292
            • Opcode ID: 5ac9660e63a628742ffa694b8b034b147a8f7de7091280ea27d5633dc0bdd6b8
            • Instruction ID: a482e95f188377e2f93ebefe3bf7e31a7a7b2bc2a7937dcf561fab8338ac9f07
            • Opcode Fuzzy Hash: 5ac9660e63a628742ffa694b8b034b147a8f7de7091280ea27d5633dc0bdd6b8
            • Instruction Fuzzy Hash: 8821E8B1D102089BDB00DFE4D859BEFBBB5FF48304F104129E509BB280E77A9945CB99
            APIs
            • memcpy.MSVCRT(?,?,00000118), ref: 00402516
            • WSAStartup.WS2_32(00000202,?), ref: 0040252A
            • memset.MSVCRT ref: 0040253E
            • memset.MSVCRT ref: 0040254E
            • htons.WS2_32(?), ref: 00402561
              • Part of subcall function 0040114D: inet_addr.WS2_32(?), ref: 00401157
              • Part of subcall function 0040114D: gethostbyname.WS2_32(?), ref: 0040116A
            • socket.WS2_32(00000002,00000002,00000011), ref: 00402583
            • connect.WS2_32(?,00000002,00000010), ref: 0040259C
            • send.WS2_32(?,?,00000400,00000000), ref: 004025F4
            Similarity
            • API ID: memset$Startupconnectgethostbynamehtonsinet_addrmemcpysendsocket
            • String ID:
            • API String ID: 399500395-0
            • Opcode ID: a8d06ed6b536dead68c746dfe58156b4a7fb1720027fb0663e76995ad6ac756f
            • Instruction ID: fddbe04875415fd2b070f17c0c1f2081c11e6b8b2d0dd4d748e579f4833bb378
            • Opcode Fuzzy Hash: a8d06ed6b536dead68c746dfe58156b4a7fb1720027fb0663e76995ad6ac756f
            • Instruction Fuzzy Hash: 4721B6B5901308EBEB10DB60DE0AFFE7374BF44704F0044A9EA067A2D1D7B59A549F59
            APIs
            • memcpy.MSVCRT(?,?,00000118), ref: 004016D7
            • WSAStartup.WS2_32(00000202,?), ref: 004016EB
            • memset.MSVCRT ref: 004016FF
            • memset.MSVCRT ref: 0040170F
            • htons.WS2_32(?), ref: 00401722
              • Part of subcall function 0040114D: inet_addr.WS2_32(?), ref: 00401157
              • Part of subcall function 0040114D: gethostbyname.WS2_32(?), ref: 0040116A
            • socket.WS2_32(00000002,00000002,00000011), ref: 00401744
            • connect.WS2_32(?,00000002,00000010), ref: 0040175D
            • send.WS2_32(?,?,00000400,00000000), ref: 004017B5
            Similarity
            • API ID: memset$Startupconnectgethostbynamehtonsinet_addrmemcpysendsocket
            • String ID:
            • API String ID: 399500395-0
            • Opcode ID: f48b6a6da6a7b8866ff8ae4bb3b1162af9d65dc11cbd137a28805d80e909559a
            • Instruction ID: 72ac3324d718496a0a9a2e1f2e79cb37c147b3028460a5f94b26d3df48a2aa65
            • Opcode Fuzzy Hash: f48b6a6da6a7b8866ff8ae4bb3b1162af9d65dc11cbd137a28805d80e909559a
            • Instruction Fuzzy Hash: 7321C3B5900308ABEB10DB60CD0AFFE7374AB44704F0045AAEA067A2D1D7B95A548F99
            APIs
            • WSAStartup.WS2_32(00000202,?), ref: 00403F8E
            • Sleep.KERNEL32(00075300), ref: 00403F99
            • CreateThread.KERNEL32(00000000,00000000,Function_000039FC,00000000,00000000,00000000), ref: 00403FB7
            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00403FCB
            • CloseHandle.KERNEL32(00000000), ref: 00403FD7
            • closesocket.WS2_32(00000000), ref: 00403FE4
            • Sleep.KERNEL32(0000012C), ref: 00403FEF
            Similarity
            • API ID: Sleep$CloseCreateHandleObjectSingleStartupThreadWaitclosesocket
            • String ID:
            • API String ID: 1209398346-0
            • Opcode ID: 6b5100a307f7bb03ae9e81a3a6f0713488704acac8a47056eb52832176ffa2e4
            • Instruction ID: f254a680b066a287b89c4b23f0b848ca249bbbb146f3853f2104391c06f03928
            • Opcode Fuzzy Hash: 6b5100a307f7bb03ae9e81a3a6f0713488704acac8a47056eb52832176ffa2e4
            • Instruction Fuzzy Hash: 03F06835680300BFE710AF70AE0EF653739A745706F104139BB17B52E0CAB559108F6D
            APIs
            • htons.WS2_32(00000015), ref: 004039A9
              • Part of subcall function 00402E0E: inet_addr.WS2_32(?), ref: 00402E18
              • Part of subcall function 00402E0E: gethostbyname.WS2_32(?), ref: 00402E2B
            • socket.WS2_32(00000002,00000001,00000000), ref: 004039C8
            • connect.WS2_32(?,00000002,00000010), ref: 004039DB
            • closesocket.WS2_32(?), ref: 004039EA
            Similarity
            • API ID: closesocketconnectgethostbynamehtonsinet_addrsocket
            • String ID: nc.cc25yr.o
            • API String ID: 1954806591-1254599725
            • Opcode ID: 3abe8d685ed55232de8edaf63dd1218babf7ef1746143090d1975e6c7765a82d
            • Instruction ID: c4cd32d014cfd96db3cf8a496bf25a229dbc4bce63e2c648c3f90e98d41e8445
            • Opcode Fuzzy Hash: 3abe8d685ed55232de8edaf63dd1218babf7ef1746143090d1975e6c7765a82d
            • Instruction Fuzzy Hash: 9D119D70C08289DAEB01CBF8D909BAEBBB56F12304F040259E5407A2C2D7FA4754C7E6
            APIs
            • htons.WS2_32(0000150C), ref: 004032E9
              • Part of subcall function 00402E0E: inet_addr.WS2_32(?), ref: 00402E18
              • Part of subcall function 00402E0E: gethostbyname.WS2_32(?), ref: 00402E2B
            • socket.WS2_32(00000002,00000001,00000000), ref: 00403309
            • connect.WS2_32(?,00000002,00000010), ref: 0040331C
            • closesocket.WS2_32(?), ref: 0040332B
            Similarity
            • API ID: closesocketconnectgethostbynamehtonsinet_addrsocket
            • String ID: zzz.hnyzh.co
            • API String ID: 1954806591-438907287
            • Opcode ID: 209a9b9dd495b061f164d766f77d2db8d558899c1df9b973b97231f909545fb6
            • Instruction ID: ea55fe1ec0ec8f3ebfa55634e1fe86464d9ba577327a18efdfeda344e4bb8486
            • Opcode Fuzzy Hash: 209a9b9dd495b061f164d766f77d2db8d558899c1df9b973b97231f909545fb6
            • Instruction Fuzzy Hash: 69F0A474D00204EBDB00DBF09E4AA6E7778AF04710F500665F911BA2D1D7745E00976A
            APIs
            • RegOpenKeyA.ADVAPI32(80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,?), ref: 0040335F
            • RegQueryValueExA.ADVAPI32(?,~MHz,00000000,00000004,?,00000004), ref: 0040337C
            • RegCloseKey.ADVAPI32(?), ref: 00403386
            Strings
            • HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 00403355
            • ~MHz, xrefs: 00403373
            Similarity
            • API ID: CloseOpenQueryValue
            • String ID: HARDWARE\DESCRIPTION\System\CentralProcessor\0$~MHz
            • API String ID: 3677997916-2226868861
            • Opcode ID: f740e64da41fe9b9092cdfbc9bba7ee9c68d22e9dddcec7c798d278ed5edc45c
            • Instruction ID: d0f86a942cb0c189bb861b5d57f8b7fd4d381205da96400f73d5a48398b44a69
            • Opcode Fuzzy Hash: f740e64da41fe9b9092cdfbc9bba7ee9c68d22e9dddcec7c798d278ed5edc45c
            • Instruction Fuzzy Hash: 4AF058B5940208FBDB00DBD4CD49FBEB77CEB08301F1046ADEA1277280D6746614CB54
            APIs
            • GetIfTable.IPHLPAPI(00000000,?,00000000), ref: 00405512
            • malloc.MSVCRT ref: 00405523
            • GetIfTable.IPHLPAPI(00000000,?,00000000), ref: 00405541
            • ??2@YAPAXI@Z.MSVCRT(?), ref: 004055CE
            • memset.MSVCRT ref: 004055F7
            Similarity
            • API ID: Table$??2@mallocmemset
            • String ID:
            • API String ID: 2602573864-0
            • Opcode ID: 3963b5f7b5c2ea763ccca7d7c8bdd1d25aad7ce011bfbb0ed20ce6a73da47b75
            • Instruction ID: c8f740c0ebae116feca87dfdb30511d738ab3e81f26805e00a7e9c4019b0d005
            • Opcode Fuzzy Hash: 3963b5f7b5c2ea763ccca7d7c8bdd1d25aad7ce011bfbb0ed20ce6a73da47b75
            • Instruction Fuzzy Hash: C2E1A975A005099FCB08DF44D2949AEFBB6FB98304F29C1A9D8156B396C730ED42CFA5
            APIs
            • GetIfTable.IPHLPAPI(00000000,?,00000000), ref: 004058FB
            • malloc.MSVCRT ref: 0040590C
            • GetIfTable.IPHLPAPI(00000000,?,00000000), ref: 0040592A
            • memcpy.MSVCRT(00000008,00000260,00000100,00000000,?,00000000), ref: 00405A01
            Similarity
            • API ID: Table$mallocmemcpy
            • String ID:
            • API String ID: 1265661173-0
            • Opcode ID: 0f4610ecdd7b7a42556f1386c1315cbeab420d1f8fd25009bacce7701b1ed7b3
            • Instruction ID: 23ad0d819bd260b5a54d7ed1dbd1ffc2d4f763d93d077053e6da68674a1848d9
            • Opcode Fuzzy Hash: 0f4610ecdd7b7a42556f1386c1315cbeab420d1f8fd25009bacce7701b1ed7b3
            • Instruction Fuzzy Hash: 0D411C74A00508EFCB08DF54C494AAEF7B5FF89314F14C2AAD855AB395C635AE81CF84
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.2030192685.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2030176936.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030206580.0000000000406000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030220474.0000000000407000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030236075.0000000000408000.00000004.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_file.jbxd
            Similarity
            • API ID: ??3@$free
            • String ID:
            • API String ID: 2241099983-0
            • Opcode ID: 51d11b32999006aebaac96294b12bae7eedff7485b3dba08f4a7a54d4bb72f08
            • Instruction ID: 60c112be218109a9fd47a0d968c03d109b5f93aeb1bbfda9a16fab82623cbeb9
            • Opcode Fuzzy Hash: 51d11b32999006aebaac96294b12bae7eedff7485b3dba08f4a7a54d4bb72f08
            • Instruction Fuzzy Hash: 7921C4B8A00219DBDB04DF94C894BAFB7B1FB44304F1485A9E8156B381D77AE946CF94
            APIs
            • socket.WS2_32(00000002,00000001,00000000), ref: 00401080
            • htons.WS2_32(?), ref: 004010A5
            • connect.WS2_32(000000FF,00000002,00000010), ref: 004010B9
            • closesocket.WS2_32(000000FF), ref: 004010C8
            Memory Dump Source
            • Source File: 00000000.00000002.2030192685.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2030176936.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030206580.0000000000406000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030220474.0000000000407000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030236075.0000000000408000.00000004.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_file.jbxd
            Similarity
            • API ID: closesocketconnecthtonssocket
            • String ID:
            • API String ID: 3817148366-0
            • Opcode ID: 9c053e00c0cdda2e46995ee3025bfcc69ab33e8ba0ad32669d41eb8457726b43
            • Instruction ID: 5c07ddbe1fb0fa1d9396f2f96b37480c17b7462d35912e14a8db5dbd34f170a6
            • Opcode Fuzzy Hash: 9c053e00c0cdda2e46995ee3025bfcc69ab33e8ba0ad32669d41eb8457726b43
            • Instruction Fuzzy Hash: 39018170900209DBCB10DFB4DA09ABEB374BF04320F504725F562BA2E1D3B59A408BA6
            APIs
            • GlobalMemoryStatus.KERNEL32(00000020), ref: 004050B4
            • memcpy.MSVCRT(?,?,0000001C), ref: 004050C4
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2030192685.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2030176936.0000000000400000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030206580.0000000000406000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030220474.0000000000407000.00000008.00000001.01000000.00000005.sdmp
            • Associated: 00000000.00000002.2030236075.0000000000408000.00000004.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_file.jbxd
            Similarity
            • API ID: GlobalMemoryStatusmemcpy
            • String ID:
            • API String ID: 2050503402-3916222277
            • Opcode ID: 6e75a4f245179bf84d98224b577ed0044bcf3c3ee22476d6b8fd93221b42b97f
            • Instruction ID: 9716cbb7558b91ebbdc56a41d9e6485860ada124d9ae5638e0acd554cd5a5761
            • Opcode Fuzzy Hash: 6e75a4f245179bf84d98224b577ed0044bcf3c3ee22476d6b8fd93221b42b97f
            • Instruction Fuzzy Hash: B4E08CB2C0420CA7DB00EBD4E849EDEB7B8AB48300F008129FA0466281E77995548BA9