Edit tour

Windows Analysis Report
cbot.exe

Overview

General Information

Sample name:	cbot.exe
Analysis ID:	1587731
MD5:	800dcb9f93715f5ed7189be2e35aebd9
SHA1:	5d0a60c1e85bed844bb98a864c04d87e1b66c76d
SHA256:	cff151ab7a8c0d221278758e76f71fc6c120d22bc39bf98daabfe1f450642a6f
Tags:	DDoSexeuser-NDA0E
Infos:

Detection

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

AI detected suspicious sample

Drops PE files to the startup folder

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: System File Execution Location Anomaly

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

AV process strings found (often used to terminate AV products)

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Classification

Process Tree

System is w10x64

cbot.exe (PID: 3356 cmdline: "C:\Users\user\Desktop\cbot.exe" MD5: 800DCB9F93715F5ED7189BE2E35AEBD9)

svchost.exe (PID: 1084 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe" MD5: 800DCB9F93715F5ED7189BE2E35AEBD9)

cleanup

Sigma Signatures

System Summary

Sigma detected: System File Execution Location Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe" , CommandLine: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe" , ProcessId: 1084, ProcessName: svchost.exe

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\cbot.exe, ProcessId: 3356, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cbot.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe" , CommandLine: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe" , ProcessId: 1084, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cbot.exe	ReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cbot.exe	Virustotal: Detection: 23%	Perma Link
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe (copy)	ReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe (copy)	Virustotal: Detection: 23%	Perma Link

Multi AV Scanner detection for submitted file

Source: cbot.exe	ReversingLabs: Detection: 21%
Source: cbot.exe	Virustotal: Detection: 23%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cbot.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: cbot.exe

Joe Sandbox ML: detected

Source: cbot.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe

Network Connect: 154.213.192.42 3778

Jump to behavior

Source: global traffic

TCP traffic: 192.168.2.5:49704 -> 154.213.192.42:3778

Source: Joe Sandbox View

ASN Name: POWERLINE-AS-APPOWERLINEDATACENTERHK POWERLINE-AS-APPOWERLINEDATACENTERHK

Source: unknown	TCP traffic detected without corresponding DNS query: 154.213.192.42
Source: unknown	TCP traffic detected without corresponding DNS query: 154.213.192.42
Source: unknown	TCP traffic detected without corresponding DNS query: 154.213.192.42
Source: unknown	TCP traffic detected without corresponding DNS query: 154.213.192.42
Source: unknown	TCP traffic detected without corresponding DNS query: 154.213.192.42
Source: unknown	TCP traffic detected without corresponding DNS query: 154.213.192.42
Source: unknown	TCP traffic detected without corresponding DNS query: 154.213.192.42
Source: unknown	TCP traffic detected without corresponding DNS query: 154.213.192.42
Source: unknown	TCP traffic detected without corresponding DNS query: 154.213.192.42
Source: unknown	TCP traffic detected without corresponding DNS query: 154.213.192.42
Source: unknown	TCP traffic detected without corresponding DNS query: 154.213.192.42
Source: unknown	TCP traffic detected without corresponding DNS query: 154.213.192.42

Source: C:\Users\user\Desktop\cbot.exe

Code function: 0_2_00007FF6DF563D58 htons,inet_addr,Sleep,send,send,send,send,send,memset,recv,recv,perror,closesocket,Sleep,

0_2_00007FF6DF563D58

Source: C:\Users\user\Desktop\cbot.exe	Code function: 0_2_00007FF6DF567DF0		0_2_00007FF6DF567DF0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Code function: 2_2_00007FF77CFC7DF0		2_2_00007FF77CFC7DF0

Source: classification engine

Classification label: mal88.adwa.evad.winEXE@2/3@0/1

Source: C:\Users\user\Desktop\cbot.exe

Code function: 0_2_00007FF6DF5633E2 CreateToolhelp32Snapshot,GetLastError,Process32First,strcmp,Process32Next,CloseHandle,CloseHandle,Sleep,SleepEx,

0_2_00007FF6DF5633E2

Source: C:\Users\user\Desktop\cbot.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cbot.exe

Jump to behavior

Source: C:\Users\user\Desktop\cbot.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: cbot.exe	ReversingLabs: Detection: 21%
Source: cbot.exe	Virustotal: Detection: 23%

Source: C:\Users\user\Desktop\cbot.exe

File read: C:\Users\user\Desktop\cbot.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\cbot.exe "C:\Users\user\Desktop\cbot.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"

Source: C:\Users\user\Desktop\cbot.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\cbot.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\cbot.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\cbot.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\cbot.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Section loaded: mswsock.dll	Jump to behavior

Source: cbot.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: cbot.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: cbot.exe	Static PE information: section name: UPX2
Source: cbot.exe.0.dr	Static PE information: section name: UPX2

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\Desktop\cbot.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cbot.exe			Jump to dropped file
Source: C:\Users\user\Desktop\cbot.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe (copy)			Jump to dropped file

Boot Survival

Drops PE files to the startup folder

Source: C:\Users\user\Desktop\cbot.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cbot.exe			Jump to dropped file
Source: C:\Users\user\Desktop\cbot.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\cbot.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cbot.exe

Jump to behavior

Source: C:\Users\user\Desktop\cbot.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cbot.exe			Jump to behavior
Source: C:\Users\user\Desktop\cbot.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cbot.exe\:Zone.Identifier:$DATA			Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: cbot.exe, cbot.exe, 00000000.00000002.4535174048.00007FF6DF561000.00000040.00000001.01000000.00000003.sdmp, svchost.exe, svchost.exe, 00000002.00000002.4535028097.00007FF77CFC1000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: PROCESSHACKER.EXE
Source: cbot.exe, cbot.exe, 00000000.00000002.4535174048.00007FF6DF561000.00000040.00000001.01000000.00000003.sdmp, svchost.exe, svchost.exe, 00000002.00000002.4535028097.00007FF77CFC1000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: X64DBG.EXE
Source: svchost.exe, 00000002.00000002.4535028097.00007FF77CFC1000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: NLCLIENTAPP.EXEWIRESHARK.EXEDUMPCAP.EXEX64DBG.EXEX32DBG.EXEPROCESSHACKER.EXEBOT.EXEBOT.EXECREATETOOLHELP32SNAPSHOT FAILED. ERROR: %LU
Source: cbot.exe, cbot.exe, 00000000.00000002.4535174048.00007FF6DF561000.00000040.00000001.01000000.00000003.sdmp, svchost.exe, svchost.exe, 00000002.00000002.4535028097.00007FF77CFC1000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: DUMPCAP.EXE
Source: cbot.exe, cbot.exe, 00000000.00000002.4535174048.00007FF6DF561000.00000040.00000001.01000000.00000003.sdmp, svchost.exe, svchost.exe, 00000002.00000002.4535028097.00007FF77CFC1000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: WIRESHARK.EXE

Source: C:\Users\user\Desktop\cbot.exe	Window / User API: threadDelayed 3898			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Window / User API: threadDelayed 3759			Jump to behavior

Source: C:\Users\user\Desktop\cbot.exe TID: 6640	Thread sleep count: 3898 > 30	Jump to behavior
Source: C:\Users\user\Desktop\cbot.exe TID: 6640	Thread sleep time: -7796000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cbot.exe TID: 6640	Thread sleep count: 230 > 30	Jump to behavior
Source: C:\Users\user\Desktop\cbot.exe TID: 6640	Thread sleep time: -460000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe TID: 1248	Thread sleep count: 3759 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe TID: 1248	Thread sleep time: -7518000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe TID: 1248	Thread sleep count: 72 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe TID: 1248	Thread sleep time: -144000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\cbot.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\cbot.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Last function: Thread delayed

Source: cbot.exe, 00000000.00000002.4534881440.000002CBDBFB4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4534899848.000002151E213000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\cbot.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\cbot.exe	Code function: 0_2_00007FF6DF561190 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_initterm,GetStartupInfoA,exit,	0_2_00007FF6DF561190
Source: C:\Users\user\Desktop\cbot.exe	Code function: 0_2_00007FF6DF56AA8A SetUnhandledExceptionFilter,	0_2_00007FF6DF56AA8A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Code function: 2_2_00007FF77CFC1190 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_initterm,GetStartupInfoA,exit,	2_2_00007FF77CFC1190
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Code function: 2_2_00007FF77CFCAA8A SetUnhandledExceptionFilter,	2_2_00007FF77CFCAA8A

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe

Network Connect: 154.213.192.42 3778

Jump to behavior

Source: cbot.exe, cbot.exe, 00000000.00000002.4535174048.00007FF6DF561000.00000040.00000001.01000000.00000003.sdmp, svchost.exe, svchost.exe, 00000002.00000002.4535028097.00007FF77CFC1000.00000040.00000001.01000000.00000005.sdmp

Binary or memory string: Wireshark.exe

Source: C:\Users\user\Desktop\cbot.exe	Code function: 0_2_00007FF6DF562666 socket,free,memset,htons,bind,closesocket,free,memset,htons,inet_addr,sendto,closesocket,free,	0_2_00007FF6DF562666
Source: C:\Users\user\Desktop\cbot.exe	Code function: 0_2_00007FF6DF56241D socket,free,memset,htons,bind,closesocket,free,memset,htons,inet_addr,sendto,closesocket,free,	0_2_00007FF6DF56241D
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Code function: 2_2_00007FF77CFC241D socket,free,memset,htons,bind,closesocket,free,memset,htons,inet_addr,sendto,closesocket,free,	2_2_00007FF77CFC241D
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Code function: 2_2_00007FF77CFC2666 socket,free,memset,htons,bind,closesocket,free,memset,htons,inet_addr,sendto,closesocket,free,	2_2_00007FF77CFC2666

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	12 Registry Run Keys / Startup Folder	11 Process Injection	1 Masquerading	OS Credential Dumping	211 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	12 Registry Run Keys / Startup Folder	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	1 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Link
cbot.exe	21%	ReversingLabs
cbot.exe	24%	Virustotal	Browse
cbot.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cbot.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cbot.exe	21%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cbot.exe	24%	Virustotal	Browse
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe (copy)	21%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe (copy)	24%	Virustotal	Browse

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
154.213.192.42	unknown	Seychelles		132839	POWERLINE-AS-APPOWERLINEDATACENTERHK	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587731
Start date and time:	2025-01-10 17:30:35 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	cbot.exe
Detection:	MAL
Classification:	mal88.adwa.evad.winEXE@2/3@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 12 Number of non-executed functions: 44
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.109.210.53
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com

Simulations

Behavior and APIs

Time	Type	Description
11:32:03	API Interceptor	4113x Sleep call for process: cbot.exe modified
11:32:15	API Interceptor	3816x Sleep call for process: svchost.exe modified
17:31:31	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
POWERLINE-AS-APPOWERLINEDATACENTERHK	NWPZbNcRxL.exe	Get hash	malicious	FormBook	Browse	154.213.39.66
	armv4l.elf	Get hash	malicious	Unknown	Browse	156.253.200.172
	https://199.188.109.181	Get hash	malicious	Unknown	Browse	154.203.26.164
	Fantazy.m68k.elf	Get hash	malicious	Unknown	Browse	156.243.249.53
	sora.arm7.elf	Get hash	malicious	Unknown	Browse	154.216.35.228
	DHL-DOC83972025-1.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	gompsl.elf	Get hash	malicious	Mirai	Browse	156.251.7.182
	garm5.elf	Get hash	malicious	Mirai	Browse	156.242.206.46
	garm7.elf	Get hash	malicious	Mirai	Browse	156.242.206.54
	gmips.elf	Get hash	malicious	Mirai	Browse	156.251.7.140

Process:	C:\Users\user\Desktop\cbot.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	154772
Entropy (8bit):	7.054263895609286
Encrypted:	false
SSDEEP:	1536:/LtDu076JchveHZHAsFXGDDkDNsJQ337Tcxg3cXf3NsMpphw6p0HP94Y8udRivy:TtD9+dHNAe2v8Ns67wg3af9skh4eS/i6
MD5:	800DCB9F93715F5ED7189BE2E35AEBD9
SHA1:	5D0A60C1E85BED844BB98A864C04D87E1B66C76D
SHA-256:	CFF151AB7A8C0D221278758E76F71FC6C120D22BC39BF98DAABFE1F450642A6F
SHA-512:	F8BFBB0AF933AD0F4CF96B27811CBA1520AC436D3A511D26D1A005813B0B19FBC4B613BEBECB2F847A072CD59002F489F81AC98EE34DD84125706BBE6AC215F2
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 21% Antivirus: Virustotal, Detection: 24%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......g.B........&....&.........p.............@............................. ............`... .................................................P...............x...........P...................................(...................................................UPX0.....p..............................UPX1................................@...UPX2................................@...3.94.UPX!.$...5........{......I..R...a.z.....f.....kx...KQc...D....>o.\%Qx..?o!.>......A%..#:V.,Wb.;%.U}.....t^.\|..:.....r...e_H..g.....F.Ju.X......I.P%........pe..l....M.<.Gskoa.5&)7..A.1.w.'`.J..E.}..T!.RjH-/o...8A.....1...Y.wp%..S.x'...)k.... Kx.......uj.Dg.~...]7..%.)..7@O$...R....7..m..1..Z..G\j.>.;^.<..]t..h.F..=...oMv..u....\k............,..}."....8..F.....6..yRbT)....l?....(..[`.=B...!ADMo..5V.P....}l...%N.H..i.P_.l..'r....H&..kcO..g.4...Lx.o.8zJJ......

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cbot.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\cbot.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe (copy)

Download File

Process:	C:\Users\user\Desktop\cbot.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	154772
Entropy (8bit):	7.054263895609286
Encrypted:	false
SSDEEP:	1536:/LtDu076JchveHZHAsFXGDDkDNsJQ337Tcxg3cXf3NsMpphw6p0HP94Y8udRivy:TtD9+dHNAe2v8Ns67wg3af9skh4eS/i6
MD5:	800DCB9F93715F5ED7189BE2E35AEBD9
SHA1:	5D0A60C1E85BED844BB98A864C04D87E1B66C76D
SHA-256:	CFF151AB7A8C0D221278758E76F71FC6C120D22BC39BF98DAABFE1F450642A6F
SHA-512:	F8BFBB0AF933AD0F4CF96B27811CBA1520AC436D3A511D26D1A005813B0B19FBC4B613BEBECB2F847A072CD59002F489F81AC98EE34DD84125706BBE6AC215F2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21% Antivirus: Virustotal, Detection: 24%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......g.B........&....&.........p.............@............................. ............`... .................................................P...............x...........P...................................(...................................................UPX0.....p..............................UPX1................................@...UPX2................................@...3.94.UPX!.$...5........{......I..R...a.z.....f.....kx...KQc...D....>o.\%Qx..?o!.>......A%..#:V.,Wb.;%.U}.....t^.\|..:.....r...e_H..g.....F.Ju.X......I.P%........pe..l....M.<.Gskoa.5&)7..A.1.w.'`.J..E.}..T!.RjH-/o...8A.....1...Y.wp%..S.x'...)k.... Kx.......uj.Dg.~...]7..%.)..7@O$...R....7..m..1..Z..G\j.>.;^.<..]t..h.F..=...oMv..u....\k............,..}."....8..F.....6..yRbT)....l?....(..[`.=B...!ADMo..5V.P....}l...%N.H..i.P_.l..'r....H&..kcO..g.4...Lx.o.8zJJ......

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.054263895609286
TrID:	Win64 Executable GUI (202006/5) 81.26% UPX compressed Win32 Executable (30571/9) 12.30% Win64 Executable (generic) (12005/4) 4.83% Generic Win/DOS Executable (2004/3) 0.81% DOS Executable Generic (2002/1) 0.81%
File name:	cbot.exe
File size:	154'772 bytes
MD5:	800dcb9f93715f5ed7189be2e35aebd9
SHA1:	5d0a60c1e85bed844bb98a864c04d87e1b66c76d
SHA256:	cff151ab7a8c0d221278758e76f71fc6c120d22bc39bf98daabfe1f450642a6f
SHA512:	f8bfbb0af933ad0f4cf96b27811cba1520ac436d3a511d26d1a005813b0b19fbc4b613bebecb2f847a072cd59002f489f81ac98ee34dd84125706bbe6ac215f2
SSDEEP:	1536:/LtDu076JchveHZHAsFXGDDkDNsJQ337Tcxg3cXf3NsMpphw6p0HP94Y8udRivy:TtD9+dHNAe2v8Ns67wg3af9skh4eS/i6
TLSH:	BAE34AE066E85D86FA24527D41C7D222273CFBE1C7434B07493476362E63BD27DC266A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......g.B........&....&.........p.............@............................. ............`... ............................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x14007fbd0
Entrypoint Section:	UPX1
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x677FF49E [Thu Jan 9 16:09:02 2025 UTC]
TLS Callbacks:	0x400807b4, 0x1
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f09dfdec43a86f0214209d98673dd7a5

Entrypoint Preview

Instruction
push ebx
push esi
push edi
push ebp
dec eax
lea esi, dword ptr [FFFE844Ah]
dec eax
lea edi, dword ptr [esi-00067025h]
push edi
mov eax, 0007D898h
push eax
dec eax
mov ecx, esp
dec eax
mov edx, edi
dec eax
mov edi, esi
mov esi, 00017BA9h
push ebp
dec eax
mov ebp, esp
inc esp
mov ecx, dword ptr [ecx]
dec ecx
mov eax, edx
dec eax
mov edx, esi
dec eax
lea esi, dword ptr [edi+02h]
push esi
mov al, byte ptr [edi]
dec edx
mov cl, al
and al, 07h
shr cl, 00000003h
dec eax
mov ebx, FFFFFD00h
dec eax
shl ebx, cl
mov cl, al
dec eax
lea ebx, dword ptr [esp+ebx*2-00000E78h]
dec eax
and ebx, FFFFFFC0h
push 00000000h
dec eax
cmp esp, ebx
jne 00007FF2F8EB7F2Bh
push ebx
dec eax
lea edi, dword ptr [ebx+08h]
mov cl, byte ptr [esi-01h]
dec edx
mov byte ptr [edi+02h], al
mov al, cl
shr cl, 00000004h
mov byte ptr [edi+01h], cl
and al, 0Fh
mov byte ptr [edi], al
dec eax
lea ecx, dword ptr [edi-04h]
push eax
inc ecx
push edi
dec eax
lea eax, dword ptr [edi+04h]
inc ebp
xor edi, edi
inc ecx
push esi
inc ecx
mov esi, 00000001h
inc ecx
push ebp
inc ebp
xor ebp, ebp
inc ecx
push esp
push ebp
push ebx
dec eax
mov dword ptr [esp-10h], ecx
dec eax
mov dword ptr [esp-28h], eax
mov eax, 00000001h
dec eax
mov dword ptr [esp-08h], esi
dec esp
mov dword ptr [esp-18h], eax
mov ebx, eax
inc esp
mov dword ptr [esp-1Ch], ecx
movzx ecx, byte ptr [edi+02h]
shl ebx, cl
mov ecx, ebx
dec eax
mov ebx, dword ptr [esp+38h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x81000	0x150	UPX2
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0xe000	0x678	UPX0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x81150	0x14	UPX2
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x807e0	0x28	UPX1
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0x67000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1	0x68000	0x19000	0x18a00	f41f1ea65f943a5bd10b513b61e18c03	False	0.9843849143401016	data	7.988732441146602	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX2	0x81000	0x1000	0x200	7d6ce4d078252eaccdfee320f323b357	False	0.40234375	data	2.962088078182722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL	Import
KERNEL32.DLL	LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect
msvcrt.dll	atoi
SHELL32.dll	SHGetSpecialFolderPathA
WS2_32.dll	bind

Network Behavior

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 17:31:29.184557915 CET	49704	3778	192.168.2.5	154.213.192.42
Jan 10, 2025 17:31:29.189996958 CET	3778	49704	154.213.192.42	192.168.2.5
Jan 10, 2025 17:31:29.190090895 CET	49704	3778	192.168.2.5	154.213.192.42
Jan 10, 2025 17:31:29.190756083 CET	49704	3778	192.168.2.5	154.213.192.42
Jan 10, 2025 17:31:29.197690964 CET	3778	49704	154.213.192.42	192.168.2.5
Jan 10, 2025 17:31:29.198656082 CET	49704	3778	192.168.2.5	154.213.192.42
Jan 10, 2025 17:31:29.203567028 CET	3778	49704	154.213.192.42	192.168.2.5
Jan 10, 2025 17:31:29.814238071 CET	3778	49704	154.213.192.42	192.168.2.5
Jan 10, 2025 17:31:29.856040001 CET	49704	3778	192.168.2.5	154.213.192.42
Jan 10, 2025 17:31:29.947685003 CET	3778	49704	154.213.192.42	192.168.2.5
Jan 10, 2025 17:31:29.996642113 CET	49704	3778	192.168.2.5	154.213.192.42
Jan 10, 2025 17:31:40.977214098 CET	49705	3778	192.168.2.5	154.213.192.42
Jan 10, 2025 17:31:40.982199907 CET	3778	49705	154.213.192.42	192.168.2.5
Jan 10, 2025 17:31:40.982295990 CET	49705	3778	192.168.2.5	154.213.192.42
Jan 10, 2025 17:31:40.983053923 CET	49705	3778	192.168.2.5	154.213.192.42
Jan 10, 2025 17:31:40.987875938 CET	3778	49705	154.213.192.42	192.168.2.5
Jan 10, 2025 17:31:40.987926960 CET	49705	3778	192.168.2.5	154.213.192.42
Jan 10, 2025 17:31:40.992767096 CET	3778	49705	154.213.192.42	192.168.2.5
Jan 10, 2025 17:31:41.607908964 CET	3778	49705	154.213.192.42	192.168.2.5
Jan 10, 2025 17:31:41.652678967 CET	49705	3778	192.168.2.5	154.213.192.42
Jan 10, 2025 17:31:41.743381023 CET	3778	49705	154.213.192.42	192.168.2.5
Jan 10, 2025 17:31:41.793317080 CET	49705	3778	192.168.2.5	154.213.192.42

Target ID:	0
Start time:	11:31:27
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\cbot.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\cbot.exe"
Imagebase:	0x7ff6df560000
File size:	154'772 bytes
MD5 hash:	800DCB9F93715F5ED7189BE2E35AEBD9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	11:31:39
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
Imagebase:	0x7ff77cfc0000
File size:	154'772 bytes
MD5 hash:	800DCB9F93715F5ED7189BE2E35AEBD9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	6.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	16.4%
Total number of Nodes:	489
Total number of Limit Nodes:	3

Executed Functions

Function 00007FF6DF563D58 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 122
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6DF564146: CopyFileA.KERNEL32 ref: 00007FF6DF564212

Part of subcall function 00007FF6DF563A84: CreateThread.KERNELBASE ref: 00007FF6DF563ABB

Part of subcall function 00007FF6DF563AE6: socket.WS2_32 ref: 00007FF6DF563B36

send.WS2_32 ref: 00007FF6DF563E25
send.WS2_32 ref: 00007FF6DF563E73
memset.MSVCRT ref: 00007FF6DF563EB0
recv.WS2_32 ref: 00007FF6DF563ED3
perror.MSVCRT ref: 00007FF6DF563EEB

Strings

win_x86_x64, xrefs: 00007FF6DF563E27
recv failed, xrefs: 00007FF6DF563EE4
154.213.192.42, xrefs: 00007FF6DF563D94
Connection failed. Retrying..., xrefs: 00007FF6DF563DCC
Connected to C&C server, xrefs: 00007FF6DF563DEB
Received %d bytes: , xrefs: 00007FF6DF563F06
%02x , xrefs: 00007FF6DF563F30
Disconnected from server. Retrying in 500ms..., xrefs: 00007FF6DF563F85

Memory Dump Source

Source File: 00000000.00000002.4535174048.00007FF6DF561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6DF560000, based on PE: true

Associated: 00000000.00000002.4535142128.00007FF6DF560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535174048.00007FF6DF571000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535174048.00007FF6DF575000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535398610.00007FF6DF5DF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535438936.00007FF6DF5E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535475088.00007FF6DF5E1000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6df560000_cbot.jbxd

Similarity

API ID: send$CopyCreateFileThreadmemsetperrorrecvsocket
String ID: %02x $154.213.192.42$Connected to C&C server$Connection failed. Retrying...$Disconnected from server. Retrying in 500ms...$Received %d bytes: $recv failed$win_x86_x64
API String ID: 1215720109-3681654477
Opcode ID: 52fefeefcdcf2a04f80c01cf7036b6e0bdcb3ce1ba97b7727e3dfdfb8c4737e3
Instruction ID: d8831f1cfeeb84a86939d99c7f5c667e1461eeca52a0151f3b82b63102b29342
Opcode Fuzzy Hash: 52fefeefcdcf2a04f80c01cf7036b6e0bdcb3ce1ba97b7727e3dfdfb8c4737e3
Instruction Fuzzy Hash: E5514F21B0868A8DFB21DB65E8947ED2770AB64788F00003BE91DDBBA5DE3DD655C780

Function 00007FF6DF561190 Relevance: 13.7, APIs: 9, Instructions: 203
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 00007FF6DF5611F6
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6DF561268
malloc.MSVCRT ref: 00007FF6DF561332
strlen.MSVCRT ref: 00007FF6DF561355
malloc.MSVCRT ref: 00007FF6DF561361
memcpy.MSVCRT ref: 00007FF6DF561375
GetStartupInfoA.KERNEL32 ref: 00007FF6DF561473

Memory Dump Source

Source File: 00000000.00000002.4535174048.00007FF6DF561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6DF560000, based on PE: true

Associated: 00000000.00000002.4535142128.00007FF6DF560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535174048.00007FF6DF571000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535174048.00007FF6DF575000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535398610.00007FF6DF5DF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535438936.00007FF6DF5E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535475088.00007FF6DF5E1000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6df560000_cbot.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandledmemcpystrlen
String ID:
API String ID: 649803965-0
Opcode ID: e225db0f86b9ce421def3ab0fa0d7062bc5e7b1d61233733194764ee289550e2
Instruction ID: 936d0e8d7fcd056dab540c568c80831a2a7d6068e58dc4fd1ea298a003fe8b67
Opcode Fuzzy Hash: e225db0f86b9ce421def3ab0fa0d7062bc5e7b1d61233733194764ee289550e2
Instruction Fuzzy Hash: 84816731E0864E95FB60AF16E45077D37A0AF65B85F888137EA2CC7391DE2DF8608380

Function 00007FF6DF5633E2 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 74
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNELBASE ref: 00007FF6DF563521

Strings

CreateToolhelp32Snapshot failed. Error: %lu, xrefs: 00007FF6DF56343F

Memory Dump Source

Source File: 00000000.00000002.4535174048.00007FF6DF561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6DF560000, based on PE: true

Associated: 00000000.00000002.4535142128.00007FF6DF560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535174048.00007FF6DF571000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535174048.00007FF6DF575000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535398610.00007FF6DF5DF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535438936.00007FF6DF5E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535475088.00007FF6DF5E1000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6df560000_cbot.jbxd

Similarity

API ID: Sleep
String ID: CreateToolhelp32Snapshot failed. Error: %lu
API String ID: 3472027048-731459797
Opcode ID: ae22be0987ea78f0aaeb91b8f08f01e6461eae328b81d81411c2ff8828f2edc0
Instruction ID: 9b95cffed98ab56eb37d126a6c55b04a2cfe98b05b19bf860e0ac12ea2f8620a
Opcode Fuzzy Hash: ae22be0987ea78f0aaeb91b8f08f01e6461eae328b81d81411c2ff8828f2edc0
Instruction Fuzzy Hash: 25315231A08B8E99EB309B64D8443FC2360FB24358F504137E92DDB7A5DE2DE5A48390

Function 00007FF6DF5643B9 Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 91
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6DF5640F0: _mbscpy.MSVCRT ref: 00007FF6DF564128

MoveFileA.KERNEL32 ref: 00007FF6DF564503

Strings

File renamed successfully to: %s, xrefs: 00007FF6DF564513
File does not exist in Startup to rename., xrefs: 00007FF6DF56453A
%s\%s, xrefs: 00007FF6DF564440, 00007FF6DF564488
Old file with the same name deleted successfully., xrefs: 00007FF6DF5644C6
svchost.exe, xrefs: 00007FF6DF564479
Error while deleting old file: %d, xrefs: 00007FF6DF5644DF
Error while renaming file: %d, xrefs: 00007FF6DF56452C
Error: Could not get Startup folder path., xrefs: 00007FF6DF564548

Memory Dump Source

Source File: 00000000.00000002.4535174048.00007FF6DF561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6DF560000, based on PE: true

Associated: 00000000.00000002.4535142128.00007FF6DF560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535174048.00007FF6DF571000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535174048.00007FF6DF575000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535398610.00007FF6DF5DF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535438936.00007FF6DF5E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535475088.00007FF6DF5E1000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6df560000_cbot.jbxd

Similarity

API ID: FileMove_mbscpy
String ID: %s\%s$Error while deleting old file: %d$Error while renaming file: %d$Error: Could not get Startup folder path.$File does not exist in Startup to rename.$File renamed successfully to: %s$Old file with the same name deleted successfully.$svchost.exe
API String ID: 2828783803-2379623443
Opcode ID: f5b3094a7a351dbbf5c37f2e529bab28ea883e64a2467667b18b94c603bc05a4
Instruction ID: 8e618d38a98fd1a14cde85e0d40ba0345be7d55e6576ce1ec10b4e8e562687e8
Opcode Fuzzy Hash: f5b3094a7a351dbbf5c37f2e529bab28ea883e64a2467667b18b94c603bc05a4
Instruction Fuzzy Hash: 5141E021B09A8B98EB20DB61EC553FD2364AF65744F404037E92DCBBA5EE2CD725C390

Function 00007FF6DF564146 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 63
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6DF5640F0: _mbscpy.MSVCRT ref: 00007FF6DF564128

CopyFileA.KERNEL32 ref: 00007FF6DF564212

Part of subcall function 00007FF6DF5643B9: MoveFileA.KERNEL32 ref: 00007FF6DF564503

Strings

Error while copying file: %d, xrefs: 00007FF6DF564236
%s\%s, xrefs: 00007FF6DF5641CD
File already exists in Startup., xrefs: 00007FF6DF564244
Error: Could not get Startup folder path., xrefs: 00007FF6DF564252
File copied to Startup successfully., xrefs: 00007FF6DF564218

Memory Dump Source

Source File: 00000000.00000002.4535174048.00007FF6DF561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6DF560000, based on PE: true

Associated: 00000000.00000002.4535142128.00007FF6DF560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535174048.00007FF6DF571000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535174048.00007FF6DF575000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535398610.00007FF6DF5DF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535438936.00007FF6DF5E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535475088.00007FF6DF5E1000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6df560000_cbot.jbxd

Similarity

API ID: File$CopyMove_mbscpy
String ID: %s\%s$Error while copying file: %d$Error: Could not get Startup folder path.$File already exists in Startup.$File copied to Startup successfully.
API String ID: 655623600-1093518506
Opcode ID: 5afcab7db7bad85c666d1735b30a3c9bad96832981f7368ccec23b859591415e
Instruction ID: e793af1ccbfd9f9addd36923aa020e04d42a725ff794d39f3cc2c3f608e7b6d5
Opcode Fuzzy Hash: 5afcab7db7bad85c666d1735b30a3c9bad96832981f7368ccec23b859591415e
Instruction Fuzzy Hash: F0214421B08A8A94FB20EB61EC543FD1351AF64748F904033E92DCBBA5EE2DD725C380

Function 00007FF6DF563AE6 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 136
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32 ref: 00007FF6DF563B36
ioctlsocket.WS2_32 ref: 00007FF6DF563B8B
connect.WS2_32 ref: 00007FF6DF563BAE

Strings

Socket creation failed, xrefs: 00007FF6DF563B52

Memory Dump Source

Source File: 00000000.00000002.4535174048.00007FF6DF561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6DF560000, based on PE: true

Associated: 00000000.00000002.4535142128.00007FF6DF560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535174048.00007FF6DF571000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535174048.00007FF6DF575000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535398610.00007FF6DF5DF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535438936.00007FF6DF5E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535475088.00007FF6DF5E1000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6df560000_cbot.jbxd

Similarity

API ID: connectioctlsocketsocket
String ID: Socket creation failed
API String ID: 3033478179-2728381879
Opcode ID: 3fca099bde09a1a059df5816efd18c7b1ebc4960c7c28b0057210e83bd6d0c1a
Instruction ID: 78ea8a17a885de31f057767fed3c8b3831e9cab803e373f97ffa7891df7246e8
Opcode Fuzzy Hash: 3fca099bde09a1a059df5816efd18c7b1ebc4960c7c28b0057210e83bd6d0c1a
Instruction Fuzzy Hash: 7361EF72B04A8A8EE7748F69DC443DC33A1E758798F108137DA2D9BBA9DF38D5508740

Function 00007FF6DF563A84 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 23
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE ref: 00007FF6DF563ABB

Strings

Failed to create thread. Error: %lu, xrefs: 00007FF6DF563AD3

Memory Dump Source

Source File: 00000000.00000002.4535174048.00007FF6DF561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6DF560000, based on PE: true

Associated: 00000000.00000002.4535142128.00007FF6DF560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535174048.00007FF6DF571000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535174048.00007FF6DF575000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535398610.00007FF6DF5DF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535438936.00007FF6DF5E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535475088.00007FF6DF5E1000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6df560000_cbot.jbxd

Similarity

API ID: CreateThread
String ID: Failed to create thread. Error: %lu
API String ID: 2422867632-1876256139
Opcode ID: cd41cf2e5e1f9492d1ffe20eb3d477d557d5a9303e1400c434a624d3a7105117
Instruction ID: b41b220e17f1bfaa9de2d8c00f48333b1cb812191b068a520116a03877656557
Opcode Fuzzy Hash: cd41cf2e5e1f9492d1ffe20eb3d477d557d5a9303e1400c434a624d3a7105117
Instruction Fuzzy Hash: 78F06531F0460999F310A761E8553AE27A0E760788F148137D95D9B7A4DE3DD9A18780

Non-executed Functions

Function 00007FF6DF562666 Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 114
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

free.MSVCRT ref: 00007FF6DF5626A8
memset.MSVCRT ref: 00007FF6DF5626D1
free.MSVCRT ref: 00007FF6DF56272E

Strings

c, xrefs: 00007FF6DF56279D
SAMPgy_, xrefs: 00007FF6DF562789

Memory Dump Source

Source File: 00000000.00000002.4535174048.00007FF6DF561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6DF560000, based on PE: true

Associated: 00000000.00000002.4535142128.00007FF6DF560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535174048.00007FF6DF571000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535174048.00007FF6DF575000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535398610.00007FF6DF5DF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535438936.00007FF6DF5E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535475088.00007FF6DF5E1000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6df560000_cbot.jbxd

Similarity

API ID: free$memset
String ID: SAMPgy_$c
API String ID: 2717317152-1181286492
Opcode ID: 11a51b238fa7ff4f3de048e7e0399e496a3b39d4eba30ae5ff845e0166315fef
Instruction ID: 7113aa0ecfda3cf3f7a0efd648c379f0a44bc9b7bde7235a9477043e4dc01534
Opcode Fuzzy Hash: 11a51b238fa7ff4f3de048e7e0399e496a3b39d4eba30ae5ff845e0166315fef
Instruction Fuzzy Hash: 72515E26F147198CFB40DBB6E8403AC37B0AB58B98F10453AEE6D97BA9DF39C5108750

Function 00007FF6DF567DF0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 1312COMMON

Download Yara Rule

Strings

, xrefs: 00007FF6DF569208
Infinity, xrefs: 00007FF6DF568106
NaN, xrefs: 00007FF6DF56807B
, xrefs: 00007FF6DF569462

Memory Dump Source

Source File: 00000000.00000002.4535174048.00007FF6DF561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6DF560000, based on PE: true

Associated: 00000000.00000002.4535142128.00007FF6DF560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535174048.00007FF6DF571000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535174048.00007FF6DF575000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535398610.00007FF6DF5DF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535438936.00007FF6DF5E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535475088.00007FF6DF5E1000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6df560000_cbot.jbxd

Similarity

API ID:
String ID: $ $Infinity$NaN
API String ID: 0-3274152445
Opcode ID: fa0095dd0704e67f1fdba37e40ff34f5250a2dc34ff6449e999dcc29cf86c872
Instruction ID: d65561383a84511fb7ab3a0c092537ca9399efda6bb7bfd7034dbb90bcd068ea
Opcode Fuzzy Hash: fa0095dd0704e67f1fdba37e40ff34f5250a2dc34ff6449e999dcc29cf86c872
Instruction Fuzzy Hash: 5DC2E972A1C6468AE7618F25E04076E77A0FFA5785F008136FA6A97B85DF3DE450CF80

Function 00007FF6DF56241D Relevance: 6.4, APIs: 5, Instructions: 128COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007FF6DF56245F
memset.MSVCRT ref: 00007FF6DF562488
free.MSVCRT ref: 00007FF6DF5624E5

Memory Dump Source

Source File: 00000000.00000002.4535174048.00007FF6DF561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6DF560000, based on PE: true

Associated: 00000000.00000002.4535142128.00007FF6DF560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535174048.00007FF6DF571000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535174048.00007FF6DF575000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535398610.00007FF6DF5DF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535438936.00007FF6DF5E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535475088.00007FF6DF5E1000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6df560000_cbot.jbxd

Similarity

API ID: free$memset
String ID:
API String ID: 2717317152-0
Opcode ID: 4f8eb30e03a2088e02aa41d26e0366e703c7c16698a6fc90498e6d19936d4cc9
Instruction ID: 3a53f3b8ca40a543a51fde041611233da3a33d29a895ebf8f12f05840001bb1c
Opcode Fuzzy Hash: 4f8eb30e03a2088e02aa41d26e0366e703c7c16698a6fc90498e6d19936d4cc9
Instruction Fuzzy Hash: 3B513A76F15B188CEB50DBA6E8403AC33B0BB58B98F00413ADE5DA7BA8DF38D5508740

Function 00007FF6DF56AA8A Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4535174048.00007FF6DF561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6DF560000, based on PE: true

Associated: 00000000.00000002.4535142128.00007FF6DF560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535174048.00007FF6DF571000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535174048.00007FF6DF575000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535398610.00007FF6DF5DF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535438936.00007FF6DF5E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535475088.00007FF6DF5E1000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6df560000_cbot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a92a76f01a41839edb0db2aacd7120ad0be31812e7200489862737987be0680a
Instruction ID: 642c589a1c98018b1f4a57fe4287a9c1be7793384c00ae86aa01daa3788729e2
Opcode Fuzzy Hash: a92a76f01a41839edb0db2aacd7120ad0be31812e7200489862737987be0680a
Instruction Fuzzy Hash: 78B01233C28D1288D3056F00CC017A463BCE395290F01A431C08882592CE7CD122C514

Function 00007FF6DF563660 Relevance: 13.7, APIs: 4, Strings: 5, Instructions: 171
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.MSVCRT ref: 00007FF6DF5637A2
atoi.MSVCRT ref: 00007FF6DF5637AE

Strings

Packet size set to: %d bytes, xrefs: 00007FF6DF5637BB
Port set to: %d, xrefs: 00007FF6DF563816
Unknown command, xrefs: 00007FF6DF563A6C
Threads set to: %d, xrefs: 00007FF6DF563888
%d.%d.%d.%d, xrefs: 00007FF6DF5636F0

Memory Dump Source

Source File: 00000000.00000002.4535174048.00007FF6DF561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6DF560000, based on PE: true

Associated: 00000000.00000002.4535142128.00007FF6DF560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535174048.00007FF6DF571000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535174048.00007FF6DF575000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535398610.00007FF6DF5DF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535438936.00007FF6DF5E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535475088.00007FF6DF5E1000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6df560000_cbot.jbxd

Similarity

API ID: atoimemcpy
String ID: %d.%d.%d.%d$Packet size set to: %d bytes$Port set to: %d$Threads set to: %d$Unknown command
API String ID: 126230704-3691821516
Opcode ID: 761a1ce485632921bbffb7281cf2a6218fe9a642e71f4fdc5b2252f871c063eb
Instruction ID: 4634c72a4c4a74db1daa9f4c60b738c0ae6c0f182509e4333a83978bf41c93c5
Opcode Fuzzy Hash: 761a1ce485632921bbffb7281cf2a6218fe9a642e71f4fdc5b2252f871c063eb
Instruction Fuzzy Hash: 1F814FB2F052449EEB00CBB9C4442EC3BB0AB5534CF404436EA6C97B9ADE3DD655CB90

Function 00007FF6DF5648B0 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 190
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualQuery.KERNEL32 ref: 00007FF6DF5649C9

Strings

VirtualProtect failed with code 0x%x, xrefs: 00007FF6DF564AC2
Mingw-w64 runtime failure:, xrefs: 00007FF6DF5648E8
Address %p has no image-section, xrefs: 00007FF6DF564920, 00007FF6DF564B30
VirtualQuery failed for %d bytes at address %p, xrefs: 00007FF6DF564B1C

Memory Dump Source

Source File: 00000000.00000002.4535174048.00007FF6DF561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6DF560000, based on PE: true

Associated: 00000000.00000002.4535142128.00007FF6DF560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535174048.00007FF6DF571000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535174048.00007FF6DF575000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535398610.00007FF6DF5DF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535438936.00007FF6DF5E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535475088.00007FF6DF5E1000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6df560000_cbot.jbxd

Similarity

API ID: QueryVirtual
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 1804819252-1534286854
Opcode ID: d803b5b9f4712c63a583bc66fc2a8294c2c3be480b6b5a6bb31d90d251e6b5c6
Instruction ID: a963f800e2b0002c258d33163a63fc861a00b36000535fcd8d16069d911b4257
Opcode Fuzzy Hash: d803b5b9f4712c63a583bc66fc2a8294c2c3be480b6b5a6bb31d90d251e6b5c6
Instruction Fuzzy Hash: 6971D172B04A4A96EB109B11E84426D73A1FB697A4F548236FE6C87790DF3CE562C340

Function 00007FF6DF561CA4 Relevance: 8.9, APIs: 7, Instructions: 154
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

free.MSVCRT ref: 00007FF6DF561CE3
malloc.MSVCRT ref: 00007FF6DF561CFE
free.MSVCRT ref: 00007FF6DF561D25

Memory Dump Source

Source File: 00000000.00000002.4535174048.00007FF6DF561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6DF560000, based on PE: true

Associated: 00000000.00000002.4535142128.00007FF6DF560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535174048.00007FF6DF571000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535174048.00007FF6DF575000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535398610.00007FF6DF5DF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535438936.00007FF6DF5E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535475088.00007FF6DF5E1000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6df560000_cbot.jbxd

Similarity

API ID: free$malloc
String ID:
API String ID: 2190258309-0
Opcode ID: 3fdcc2ec0350fbc7881cfd62aa9810f02018ec7521ec9bc9f349b6b3c1acdd06
Instruction ID: bb5ae51cb82f7e386377cc16dbaa8f5719885a71e3014a7402e63bd57712f1b1
Opcode Fuzzy Hash: 3fdcc2ec0350fbc7881cfd62aa9810f02018ec7521ec9bc9f349b6b3c1acdd06
Instruction Fuzzy Hash: 66618071F14B099DFB04CBAAD8413AC27B1AB58B98F10813ADE2D97BA8DE3DD5508750

Function 00007FF6DF562842 Relevance: 8.9, APIs: 7, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

free.MSVCRT ref: 00007FF6DF562881
malloc.MSVCRT ref: 00007FF6DF56289C
free.MSVCRT ref: 00007FF6DF5628C3

Memory Dump Source

Source File: 00000000.00000002.4535174048.00007FF6DF561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6DF560000, based on PE: true

Associated: 00000000.00000002.4535142128.00007FF6DF560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535174048.00007FF6DF571000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535174048.00007FF6DF575000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535398610.00007FF6DF5DF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535438936.00007FF6DF5E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535475088.00007FF6DF5E1000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6df560000_cbot.jbxd

Similarity

API ID: free$malloc
String ID:
API String ID: 2190258309-0
Opcode ID: 9323b672db99f97c56645a26587eadc63964ebb5107a1af4015708c92901af04
Instruction ID: 496aa2544a72eaf68055a7aa56fcb84b3e19e426137e3f5bb9bc5e0dad960ae6
Opcode Fuzzy Hash: 9323b672db99f97c56645a26587eadc63964ebb5107a1af4015708c92901af04
Instruction Fuzzy Hash: 67518072F15B1989EF04DBA5D8403AC33B1BB98B88F00453AEE6D97BA9DE3CD5508750

Function 00007FF6DF563261 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

Process32Next.KERNEL32 ref: 00007FF6DF563395

Strings

Failed to open process: %s (PID: %u), xrefs: 00007FF6DF56337B
CreateToolhelp32Snapshot failed. Error: %lu, xrefs: 00007FF6DF5632A3
Terminated process: %s (PID: %u), xrefs: 00007FF6DF56335C

Memory Dump Source

Source File: 00000000.00000002.4535174048.00007FF6DF561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6DF560000, based on PE: true

Associated: 00000000.00000002.4535142128.00007FF6DF560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535174048.00007FF6DF571000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535174048.00007FF6DF575000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535398610.00007FF6DF5DF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535438936.00007FF6DF5E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535475088.00007FF6DF5E1000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6df560000_cbot.jbxd

Similarity

API ID: NextProcess32
String ID: CreateToolhelp32Snapshot failed. Error: %lu$Failed to open process: %s (PID: %u)$Terminated process: %s (PID: %u)
API String ID: 1850201408-153003829
Opcode ID: e181661efe4dd773058fb5c019e7242ec3b384c34b7989fb4873058b68cdb20b
Instruction ID: 51126930f69c869aa597f769208d60775072fd5b6e059807ed3d48d8d21e5755
Opcode Fuzzy Hash: e181661efe4dd773058fb5c019e7242ec3b384c34b7989fb4873058b68cdb20b
Instruction Fuzzy Hash: 63314331F0478A89EB60DBA5E8443ED33A1FB64758F004137D92D9BBA9DE38E565C380

Function 00007FF6DF569620 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 52sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,00000000,Infinity,00007FF6DF56975F,?,?,?,?,00000000,Infinity,00007FF6DF567C04,?,00000000,00000003,00007FF6DF568118), ref: 00007FF6DF56964D
RtlInitializeCriticalSection.NTDLL ref: 00007FF6DF56968D
RtlInitializeCriticalSection.NTDLL ref: 00007FF6DF569696

Strings

Infinity, xrefs: 00007FF6DF569620

Memory Dump Source

Source File: 00000000.00000002.4535174048.00007FF6DF561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6DF560000, based on PE: true

Associated: 00000000.00000002.4535142128.00007FF6DF560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535174048.00007FF6DF571000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535174048.00007FF6DF575000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535398610.00007FF6DF5DF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535438936.00007FF6DF5E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535475088.00007FF6DF5E1000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6df560000_cbot.jbxd

Similarity

API ID: CriticalInitializeSection$Sleep
String ID: Infinity
API String ID: 1960909292-1015270809
Opcode ID: 2b3a132f51e9cd6b10359d2b6f53ec181f5f3bad216d3bdb832c5de5ecd3c170
Instruction ID: 02cd2b3f148d0d2a0879fa82887c7f60d0fa18385f7811eedaaffa19b6f792a4
Opcode Fuzzy Hash: 2b3a132f51e9cd6b10359d2b6f53ec181f5f3bad216d3bdb832c5de5ecd3c170
Instruction Fuzzy Hash: 31115E31D2C60F86FA158B14E8911BC6395FF76708F688633E81EC62A0DF2CE865C781

Function 00007FF6DF5622C9 Relevance: 6.3, APIs: 5, Instructions: 87COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007FF6DF562308
memset.MSVCRT ref: 00007FF6DF562329
rand.MSVCRT ref: 00007FF6DF562363
memset.MSVCRT ref: 00007FF6DF562393
free.MSVCRT ref: 00007FF6DF56240D

Memory Dump Source

Source File: 00000000.00000002.4535174048.00007FF6DF561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6DF560000, based on PE: true

Associated: 00000000.00000002.4535142128.00007FF6DF560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535174048.00007FF6DF571000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535174048.00007FF6DF575000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535398610.00007FF6DF5DF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535438936.00007FF6DF5E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535475088.00007FF6DF5E1000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6df560000_cbot.jbxd

Similarity

API ID: freememset$rand
String ID:
API String ID: 2025389305-0
Opcode ID: 4480c9dfa61de757a7f1f0e5d6dc5bea86d1d3a71a6a449468cd70b262eee5fd
Instruction ID: 9e367045ae70dec45dded838ebe7bfa208b6fd9b2dc728bea16fbb37a01ba907
Opcode Fuzzy Hash: 4480c9dfa61de757a7f1f0e5d6dc5bea86d1d3a71a6a449468cd70b262eee5fd
Instruction Fuzzy Hash: 94314D21F15B1989EB00DBA6D8403AC33B0AB587A8F004636EE7D9BBE5DF3DD5108740

Function 00007FF6DF56A3A0 Relevance: 6.1, APIs: 4, Instructions: 92COMMON

Download Yara Rule

APIs

IsDBCSLeadByteEx.KERNEL32 ref: 00007FF6DF56A3FA
MultiByteToWideChar.KERNEL32 ref: 00007FF6DF56A43A

Memory Dump Source

Source File: 00000000.00000002.4535174048.00007FF6DF561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6DF560000, based on PE: true

Associated: 00000000.00000002.4535142128.00007FF6DF560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535174048.00007FF6DF571000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535174048.00007FF6DF575000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535398610.00007FF6DF5DF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535438936.00007FF6DF5E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535475088.00007FF6DF5E1000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6df560000_cbot.jbxd

Similarity

API ID: Byte$CharLeadMultiWide
String ID:
API String ID: 2561704868-0
Opcode ID: 98b7f6bf3ad1004ecf0cff6562c8d77fed0c02d9e6fb996009e33322c1bcc7a6
Instruction ID: 0a4d6ad39485022412ef0ceae19a02224bd5df3a7df3c69078607f76caf1474b
Opcode Fuzzy Hash: 98b7f6bf3ad1004ecf0cff6562c8d77fed0c02d9e6fb996009e33322c1bcc7a6
Instruction Fuzzy Hash: 7531B672A0C68586E3718B25F80436D7790BBA1795F548236FAA8CBBD4DF3ED494CB40

Function 00007FF6DF564B40 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 209COMMON

Download Yara Rule

Strings

Unknown pseudo relocation protocol version %d., xrefs: 00007FF6DF564E18
Unknown pseudo relocation bit size %d., xrefs: 00007FF6DF564E04

Memory Dump Source

Source File: 00000000.00000002.4535174048.00007FF6DF561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6DF560000, based on PE: true

Associated: 00000000.00000002.4535142128.00007FF6DF560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535174048.00007FF6DF571000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535174048.00007FF6DF575000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535398610.00007FF6DF5DF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535438936.00007FF6DF5E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535475088.00007FF6DF5E1000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6df560000_cbot.jbxd

Similarity

API ID:
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
API String ID: 0-395989641
Opcode ID: 76e62dfac5ded097740ec0d1c05d2b01f578fe877c8bdf0b2acdc5b6a318c470
Instruction ID: 48151fbaea281e6f93d4bb951c6e4c7fff49a0aad073bff4bd350374778beff2
Opcode Fuzzy Hash: 76e62dfac5ded097740ec0d1c05d2b01f578fe877c8bdf0b2acdc5b6a318c470
Instruction Fuzzy Hash: 1C711762F1468986FB109B21E8007BD63A1BF25B94F548233EE2C97794DF3CE661C780

Function 00007FF6DF569750 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6DF569620: Sleep.KERNEL32(?,?,00000000,Infinity,00007FF6DF56975F,?,?,?,?,00000000,Infinity,00007FF6DF567C04,?,00000000,00000003,00007FF6DF568118), ref: 00007FF6DF56964D

malloc.MSVCRT ref: 00007FF6DF569787
RtlLeaveCriticalSection.NTDLL ref: 00007FF6DF5697DF

Strings

Infinity, xrefs: 00007FF6DF569750

Memory Dump Source

Source File: 00000000.00000002.4535174048.00007FF6DF561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6DF560000, based on PE: true

Associated: 00000000.00000002.4535142128.00007FF6DF560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535174048.00007FF6DF571000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535174048.00007FF6DF575000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535398610.00007FF6DF5DF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535438936.00007FF6DF5E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535475088.00007FF6DF5E1000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6df560000_cbot.jbxd

Similarity

API ID: CriticalLeaveSectionSleepmalloc
String ID: Infinity
API String ID: 1993596536-1015270809
Opcode ID: 583c81eff2bc653449be8c5b22903ef88f54eda45f881fdddad083b71c83a9c0
Instruction ID: 2f5f538498118c542413945d798c2e90f67728f886411805b5a84357cac97174
Opcode Fuzzy Hash: 583c81eff2bc653449be8c5b22903ef88f54eda45f881fdddad083b71c83a9c0
Instruction Fuzzy Hash: CE217172F1860E82EE148F04E4503BD6795BF66798F498237D92D877A0DF3CA564C780

Function 00007FF6DF5647A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF6DF564820

Strings

Unknown error, xrefs: 00007FF6DF56488C
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF6DF564807

Memory Dump Source

Source File: 00000000.00000002.4535174048.00007FF6DF561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6DF560000, based on PE: true

Associated: 00000000.00000002.4535142128.00007FF6DF560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535174048.00007FF6DF571000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535174048.00007FF6DF575000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535398610.00007FF6DF5DF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535438936.00007FF6DF5E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535475088.00007FF6DF5E1000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6df560000_cbot.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: f7e8b77a0b0dff4a7c8fd560446d4c8046c86c2a5a0ae3229943de372c0eb2c5
Instruction ID: 8c84b6fb05e5ff9a296bf1887c5b2c7ce6bc99d1a9327389863cdbcd4d6e9367
Opcode Fuzzy Hash: f7e8b77a0b0dff4a7c8fd560446d4c8046c86c2a5a0ae3229943de372c0eb2c5
Instruction Fuzzy Hash: 35015E62D1CF88C2D6419F18D8001BE7331FB6E789F25A326FA8C66555DF29E6A2C740

Function 00007FF6DF564880 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF6DF564820

Strings

Total loss of significance (TLOSS), xrefs: 00007FF6DF564880
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF6DF564807

Memory Dump Source

Source File: 00000000.00000002.4535174048.00007FF6DF561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6DF560000, based on PE: true

Associated: 00000000.00000002.4535142128.00007FF6DF560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535174048.00007FF6DF571000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535174048.00007FF6DF575000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535398610.00007FF6DF5DF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535438936.00007FF6DF5E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535475088.00007FF6DF5E1000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6df560000_cbot.jbxd

Similarity

API ID: fprintf
String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4273532761
Opcode ID: 2555366b7f243d5c5750147fe3f99058101b7cdae7e235ce5a55a443d9b88822
Instruction ID: 51b97b02214d3a5377f449b439b3d3bd98f0c135862b179eb7dcef11e4b49e51
Opcode Fuzzy Hash: 2555366b7f243d5c5750147fe3f99058101b7cdae7e235ce5a55a443d9b88822
Instruction Fuzzy Hash: 59F06212D58E8882D2029F1CA4001AF7330FF5E799F145327EE8D6A515DF29E592C740

Function 00007FF6DF564860 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF6DF564820

Strings

Overflow range error (OVERFLOW), xrefs: 00007FF6DF564860
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF6DF564807

Memory Dump Source

Source File: 00000000.00000002.4535174048.00007FF6DF561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6DF560000, based on PE: true

Associated: 00000000.00000002.4535142128.00007FF6DF560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535174048.00007FF6DF571000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535174048.00007FF6DF575000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535398610.00007FF6DF5DF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535438936.00007FF6DF5E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535475088.00007FF6DF5E1000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6df560000_cbot.jbxd

Similarity

API ID: fprintf
String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4064033741
Opcode ID: 30eeda8bdb12080cde567a8558e119721110e6916e5ac3dcb8fdf4791492d7ce
Instruction ID: 8de21002ad12dc4c4959c66f0dd90364df6c2d9f023f2854bd3d682721c6b52e
Opcode Fuzzy Hash: 30eeda8bdb12080cde567a8558e119721110e6916e5ac3dcb8fdf4791492d7ce
Instruction Fuzzy Hash: 51F06212D18E8882D2029F1CA4001AF7330FF5E799F145326FE8D6A555DF29E592C740

Function 00007FF6DF564870 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF6DF564820

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF6DF564807
The result is too small to be represented (UNDERFLOW), xrefs: 00007FF6DF564870

Memory Dump Source

Source File: 00000000.00000002.4535174048.00007FF6DF561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6DF560000, based on PE: true

Associated: 00000000.00000002.4535142128.00007FF6DF560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535174048.00007FF6DF571000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535174048.00007FF6DF575000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535398610.00007FF6DF5DF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535438936.00007FF6DF5E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535475088.00007FF6DF5E1000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6df560000_cbot.jbxd

Similarity

API ID: fprintf
String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2187435201
Opcode ID: f4b68061637c4e869876cc2b07be9ae89b12cec57d0ec52bd52edc14d149258f
Instruction ID: d3d4e36aa703056ee28b0b640c3d009d41bd4aa4888adc7198f79beda205bfea
Opcode Fuzzy Hash: f4b68061637c4e869876cc2b07be9ae89b12cec57d0ec52bd52edc14d149258f
Instruction Fuzzy Hash: DEF06252D18E8882D2029F1CA4001AF7330FF5E799F145326FF8D6A555DF29E592C740

Function 00007FF6DF564840 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF6DF564820

Strings

Argument domain error (DOMAIN), xrefs: 00007FF6DF564840
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF6DF564807

Memory Dump Source

Source File: 00000000.00000002.4535174048.00007FF6DF561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6DF560000, based on PE: true

Associated: 00000000.00000002.4535142128.00007FF6DF560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535174048.00007FF6DF571000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535174048.00007FF6DF575000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535398610.00007FF6DF5DF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535438936.00007FF6DF5E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535475088.00007FF6DF5E1000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6df560000_cbot.jbxd

Similarity

API ID: fprintf
String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2713391170
Opcode ID: 709d1337b431af56bb765744f32365ef71057d2f3adb48a5db82197e702a3b57
Instruction ID: 1f8edeaa2ee8123e774c0baa5710862c40025091d093194ef918554ab09511ab
Opcode Fuzzy Hash: 709d1337b431af56bb765744f32365ef71057d2f3adb48a5db82197e702a3b57
Instruction Fuzzy Hash: 83F06212D18E8882D2029F1CA4001BF7330FF5E799F245726FE8D6A555DF29E592C740

Function 00007FF6DF564850 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF6DF564820

Strings

Partial loss of significance (PLOSS), xrefs: 00007FF6DF564850
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF6DF564807

Memory Dump Source

Source File: 00000000.00000002.4535174048.00007FF6DF561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6DF560000, based on PE: true

Associated: 00000000.00000002.4535142128.00007FF6DF560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535174048.00007FF6DF571000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535174048.00007FF6DF575000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535398610.00007FF6DF5DF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535438936.00007FF6DF5E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535475088.00007FF6DF5E1000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6df560000_cbot.jbxd

Similarity

API ID: fprintf
String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4283191376
Opcode ID: ef8ff845aa821fedd75d124928bf110435547eefecd6d81b6760bdc6d9931a3a
Instruction ID: b0dd125879b89d6bcadb13c826c92c9c305eaa47473b51503fcfdeb6234b440a
Opcode Fuzzy Hash: ef8ff845aa821fedd75d124928bf110435547eefecd6d81b6760bdc6d9931a3a
Instruction Fuzzy Hash: 91F06252D18E8882D2029F1CA4001AF7330FF5E799F145327FE8D6A555DF29E592C740

Function 00007FF6DF5647D8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF6DF564820

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF6DF564807
Argument singularity (SIGN), xrefs: 00007FF6DF5647D8

Memory Dump Source

Source File: 00000000.00000002.4535174048.00007FF6DF561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6DF560000, based on PE: true

Associated: 00000000.00000002.4535142128.00007FF6DF560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535174048.00007FF6DF571000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535174048.00007FF6DF575000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535398610.00007FF6DF5DF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535438936.00007FF6DF5E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535475088.00007FF6DF5E1000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6df560000_cbot.jbxd

Similarity

API ID: fprintf
String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2468659920
Opcode ID: bffe1eaf3389dee2b12e3729f9d500de9cab9793a4ff0cf748dbcce5efa7edf7
Instruction ID: 384477eb99f9ed0f1a583b146a0bd08b9e78e2b11a15b09c10450709e6104ced
Opcode Fuzzy Hash: bffe1eaf3389dee2b12e3729f9d500de9cab9793a4ff0cf748dbcce5efa7edf7
Instruction Fuzzy Hash: 85F03012D58E8882D202DF1CE4001AB7370FF5E799F155726EF8D6A516DF29E592C740

Function 00007FF6DF5615C0 Relevance: 5.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007FF6DF5615FF
memset.MSVCRT ref: 00007FF6DF561620
memset.MSVCRT ref: 00007FF6DF56168F
free.MSVCRT ref: 00007FF6DF56176E

Memory Dump Source

Source File: 00000000.00000002.4535174048.00007FF6DF561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6DF560000, based on PE: true

Associated: 00000000.00000002.4535142128.00007FF6DF560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535174048.00007FF6DF571000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535174048.00007FF6DF575000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535398610.00007FF6DF5DF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535438936.00007FF6DF5E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535475088.00007FF6DF5E1000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6df560000_cbot.jbxd

Similarity

API ID: freememset
String ID:
API String ID: 2499939622-0
Opcode ID: 8337257afa241cc28aafe8cf9f7202994b655755b37db60b13fdb6ff63783a31
Instruction ID: c3ff24330ddef084e65ae1ceb8029c6cefc7c227231f0979ba856cb5c648c6a9
Opcode Fuzzy Hash: 8337257afa241cc28aafe8cf9f7202994b655755b37db60b13fdb6ff63783a31
Instruction Fuzzy Hash: 36415F25F15B199CEB00DBA6D8503AD23B1AB58BA8F004636DD3D97BF9DE3DD6108740

Function 00007FF6DF56214D Relevance: 5.1, APIs: 4, Instructions: 77COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007FF6DF5621A6
memset.MSVCRT ref: 00007FF6DF5621CA
memset.MSVCRT ref: 00007FF6DF562225
free.MSVCRT ref: 00007FF6DF5622B6

Memory Dump Source

Source File: 00000000.00000002.4535174048.00007FF6DF561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF6DF560000, based on PE: true

Associated: 00000000.00000002.4535142128.00007FF6DF560000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535174048.00007FF6DF571000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535174048.00007FF6DF575000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535398610.00007FF6DF5DF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535438936.00007FF6DF5E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4535475088.00007FF6DF5E1000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6df560000_cbot.jbxd

Similarity

API ID: freememset
String ID:
API String ID: 2499939622-0
Opcode ID: 9f44535f6fd749539bcc271d37f089827b23007be47d33ba420ed4f177ea1149
Instruction ID: 568ed0e18c850455a0a8863c9e6e760dfd28b9e9f754dffbb98b2f75671d6deb
Opcode Fuzzy Hash: 9f44535f6fd749539bcc271d37f089827b23007be47d33ba420ed4f177ea1149
Instruction Fuzzy Hash: 59316F25B14BC98AEB759F65E8403ED3364E758B98F004136EA5D8BBA9DF7DD3108340

Analysis Process: svchost.exePID: 1084, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	6.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	505
Total number of Limit Nodes:	3

Executed Functions

Function 00007FF77CFC1190 Relevance: 13.7, APIs: 9, Instructions: 203
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 00007FF77CFC11F6
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF77CFC1268
malloc.MSVCRT ref: 00007FF77CFC1332
strlen.MSVCRT ref: 00007FF77CFC1355
malloc.MSVCRT ref: 00007FF77CFC1361
memcpy.MSVCRT ref: 00007FF77CFC1375
GetStartupInfoA.KERNEL32 ref: 00007FF77CFC1473

Memory Dump Source

Source File: 00000002.00000002.4535028097.00007FF77CFC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00007FF77CFC0000, based on PE: true

Associated: 00000002.00000002.4534999603.00007FF77CFC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535028097.00007FF77CFD1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535028097.00007FF77CFD5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535153913.00007FF77D03F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535175151.00007FF77D040000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535199466.00007FF77D041000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff77cfc0000_svchost.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandledmemcpystrlen
String ID:
API String ID: 649803965-0
Opcode ID: e225db0f86b9ce421def3ab0fa0d7062bc5e7b1d61233733194764ee289550e2
Instruction ID: 1d7e6af899d683559220ddbe948a2995e16becc90be0745aac27dfd2b93b30ba
Opcode Fuzzy Hash: e225db0f86b9ce421def3ab0fa0d7062bc5e7b1d61233733194764ee289550e2
Instruction Fuzzy Hash: 53815737B39B8682EB70BF15A4503B9A7A0AF4D780FC48835CE1D43395DE2DE8618320

Function 00007FF77CFC3D58 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 122
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF77CFC3A84: CreateThread.KERNELBASE ref: 00007FF77CFC3ABB

Part of subcall function 00007FF77CFC3AE6: socket.WS2_32 ref: 00007FF77CFC3B36

send.WS2_32 ref: 00007FF77CFC3E25
send.WS2_32 ref: 00007FF77CFC3E73
memset.MSVCRT ref: 00007FF77CFC3EB0
recv.WS2_32 ref: 00007FF77CFC3ED3
perror.MSVCRT ref: 00007FF77CFC3EEB

Strings

Received %d bytes: , xrefs: 00007FF77CFC3F06
Connection failed. Retrying..., xrefs: 00007FF77CFC3DCC
Connected to C&C server, xrefs: 00007FF77CFC3DEB
%02x , xrefs: 00007FF77CFC3F30
Disconnected from server. Retrying in 500ms..., xrefs: 00007FF77CFC3F85
win_x86_x64, xrefs: 00007FF77CFC3E27
recv failed, xrefs: 00007FF77CFC3EE4
154.213.192.42, xrefs: 00007FF77CFC3D94

Memory Dump Source

Source File: 00000002.00000002.4535028097.00007FF77CFC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00007FF77CFC0000, based on PE: true

Associated: 00000002.00000002.4534999603.00007FF77CFC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535028097.00007FF77CFD1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535028097.00007FF77CFD5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535153913.00007FF77D03F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535175151.00007FF77D040000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535199466.00007FF77D041000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff77cfc0000_svchost.jbxd

Similarity

API ID: send$CreateThreadmemsetperrorrecvsocket
String ID: %02x $154.213.192.42$Connected to C&C server$Connection failed. Retrying...$Disconnected from server. Retrying in 500ms...$Received %d bytes: $recv failed$win_x86_x64
API String ID: 1679048947-3681654477
Opcode ID: 52fefeefcdcf2a04f80c01cf7036b6e0bdcb3ce1ba97b7727e3dfdfb8c4737e3
Instruction ID: 768e1dd34ef6baf51f32195bafa16e621ee8a8488d6f42e708e0c8a6a2f4ab9e
Opcode Fuzzy Hash: 52fefeefcdcf2a04f80c01cf7036b6e0bdcb3ce1ba97b7727e3dfdfb8c4737e3
Instruction Fuzzy Hash: 2A513E23B387C68DF731EB65E8507ED6760AB48788F90143AD90D5B7A9DE2DE609C310

Function 00007FF77CFC33E2 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 74
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNELBASE ref: 00007FF77CFC3521

Strings

CreateToolhelp32Snapshot failed. Error: %lu, xrefs: 00007FF77CFC343F

Memory Dump Source

Source File: 00000002.00000002.4535028097.00007FF77CFC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00007FF77CFC0000, based on PE: true

Associated: 00000002.00000002.4534999603.00007FF77CFC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535028097.00007FF77CFD1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535028097.00007FF77CFD5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535153913.00007FF77D03F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535175151.00007FF77D040000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535199466.00007FF77D041000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff77cfc0000_svchost.jbxd

Similarity

API ID: Sleep
String ID: CreateToolhelp32Snapshot failed. Error: %lu
API String ID: 3472027048-731459797
Opcode ID: ae22be0987ea78f0aaeb91b8f08f01e6461eae328b81d81411c2ff8828f2edc0
Instruction ID: 6a9cdce7a8762dd9edcdca3ab7008a18d558758ac4f33168322a7064e3b25aed
Opcode Fuzzy Hash: ae22be0987ea78f0aaeb91b8f08f01e6461eae328b81d81411c2ff8828f2edc0
Instruction Fuzzy Hash: CF315623B387CA89EB30AB64D8443F86360FB1C398F904936C91D5B799DE2DE5498330

Function 00007FF77CFC3AE6 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 136
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32 ref: 00007FF77CFC3B36
ioctlsocket.WS2_32 ref: 00007FF77CFC3B8B
connect.WS2_32 ref: 00007FF77CFC3BAE

Strings

Socket creation failed, xrefs: 00007FF77CFC3B52

Memory Dump Source

Source File: 00000002.00000002.4535028097.00007FF77CFC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00007FF77CFC0000, based on PE: true

Associated: 00000002.00000002.4534999603.00007FF77CFC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535028097.00007FF77CFD1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535028097.00007FF77CFD5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535153913.00007FF77D03F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535175151.00007FF77D040000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535199466.00007FF77D041000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff77cfc0000_svchost.jbxd

Similarity

API ID: connectioctlsocketsocket
String ID: Socket creation failed
API String ID: 3033478179-2728381879
Opcode ID: 3fca099bde09a1a059df5816efd18c7b1ebc4960c7c28b0057210e83bd6d0c1a
Instruction ID: 639e32eff000a8e64587e43fc5ab83f31e1a537a63ebe65de0d4d0fc1f7f1cff
Opcode Fuzzy Hash: 3fca099bde09a1a059df5816efd18c7b1ebc4960c7c28b0057210e83bd6d0c1a
Instruction Fuzzy Hash: 58611B73724BC68EDB749F69D8843EC73A1E748798F508536DA1D9BBA8DF3896008700

Function 00007FF77CFC3A84 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 23
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE ref: 00007FF77CFC3ABB

Strings

Failed to create thread. Error: %lu, xrefs: 00007FF77CFC3AD3

Memory Dump Source

Source File: 00000002.00000002.4535028097.00007FF77CFC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00007FF77CFC0000, based on PE: true

Associated: 00000002.00000002.4534999603.00007FF77CFC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535028097.00007FF77CFD1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535028097.00007FF77CFD5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535153913.00007FF77D03F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535175151.00007FF77D040000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535199466.00007FF77D041000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff77cfc0000_svchost.jbxd

Similarity

API ID: CreateThread
String ID: Failed to create thread. Error: %lu
API String ID: 2422867632-1876256139
Opcode ID: cd41cf2e5e1f9492d1ffe20eb3d477d557d5a9303e1400c434a624d3a7105117
Instruction ID: 9c5d5f05f75b8982d970a7265ab5f49a3d0dab6551f20edbaf2cc469fcd475a8
Opcode Fuzzy Hash: cd41cf2e5e1f9492d1ffe20eb3d477d557d5a9303e1400c434a624d3a7105117
Instruction Fuzzy Hash: 45F0E533F34B4185F320BB20E8113FA6760E748788F548434C50D0B7A4CE3CE9568750

Non-executed Functions

Function 00007FF77CFC2666 Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 114COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007FF77CFC26A8
memset.MSVCRT ref: 00007FF77CFC26D1
free.MSVCRT ref: 00007FF77CFC272E

Strings

SAMPgy_, xrefs: 00007FF77CFC2789
c, xrefs: 00007FF77CFC279D

Memory Dump Source

Source File: 00000002.00000002.4535028097.00007FF77CFC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00007FF77CFC0000, based on PE: true

Associated: 00000002.00000002.4534999603.00007FF77CFC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535028097.00007FF77CFD1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535028097.00007FF77CFD5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535153913.00007FF77D03F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535175151.00007FF77D040000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535199466.00007FF77D041000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff77cfc0000_svchost.jbxd

Similarity

API ID: free$memset
String ID: SAMPgy_$c
API String ID: 2717317152-1181286492
Opcode ID: 11a51b238fa7ff4f3de048e7e0399e496a3b39d4eba30ae5ff845e0166315fef
Instruction ID: d41ed46d99e5e3f28ce838118251c1d6cd10b1221bc31f42e47a5487f8fa987a
Opcode Fuzzy Hash: 11a51b238fa7ff4f3de048e7e0399e496a3b39d4eba30ae5ff845e0166315fef
Instruction Fuzzy Hash: 1D513A27B24B548DFB50EBB6E8503AC23B0AB48798F504939DE5D97BA9DF3CD5018720

Function 00007FF77CFC241D Relevance: 6.4, APIs: 5, Instructions: 128COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007FF77CFC245F
memset.MSVCRT ref: 00007FF77CFC2488
free.MSVCRT ref: 00007FF77CFC24E5

Memory Dump Source

Source File: 00000002.00000002.4535028097.00007FF77CFC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00007FF77CFC0000, based on PE: true

Associated: 00000002.00000002.4534999603.00007FF77CFC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535028097.00007FF77CFD1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535028097.00007FF77CFD5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535153913.00007FF77D03F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535175151.00007FF77D040000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535199466.00007FF77D041000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff77cfc0000_svchost.jbxd

Similarity

API ID: free$memset
String ID:
API String ID: 2717317152-0
Opcode ID: 4f8eb30e03a2088e02aa41d26e0366e703c7c16698a6fc90498e6d19936d4cc9
Instruction ID: fd989e2e0a26fa05b074c344be945488d2620542ca62da45f29c0ed166a74c3d
Opcode Fuzzy Hash: 4f8eb30e03a2088e02aa41d26e0366e703c7c16698a6fc90498e6d19936d4cc9
Instruction Fuzzy Hash: 0D515A67B20B548CEB50EBB6E8503AC23B0FB48B98F504535DE5DA7BA9DF38D5508720

Function 00007FF77CFC3660 Relevance: 13.7, APIs: 4, Strings: 5, Instructions: 171
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.MSVCRT ref: 00007FF77CFC37A2
atoi.MSVCRT ref: 00007FF77CFC37AE

Strings

Packet size set to: %d bytes, xrefs: 00007FF77CFC37BB
Unknown command, xrefs: 00007FF77CFC3A6C
Threads set to: %d, xrefs: 00007FF77CFC3888
%d.%d.%d.%d, xrefs: 00007FF77CFC36F0
Port set to: %d, xrefs: 00007FF77CFC3816

Memory Dump Source

Source File: 00000002.00000002.4535028097.00007FF77CFC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00007FF77CFC0000, based on PE: true

Associated: 00000002.00000002.4534999603.00007FF77CFC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535028097.00007FF77CFD1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535028097.00007FF77CFD5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535153913.00007FF77D03F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535175151.00007FF77D040000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535199466.00007FF77D041000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff77cfc0000_svchost.jbxd

Similarity

API ID: atoimemcpy
String ID: %d.%d.%d.%d$Packet size set to: %d bytes$Port set to: %d$Threads set to: %d$Unknown command
API String ID: 126230704-3691821516
Opcode ID: 761a1ce485632921bbffb7281cf2a6218fe9a642e71f4fdc5b2252f871c063eb
Instruction ID: 387aa30fb28e3e51bdb0f59caa373c6a3a4735f9694838cd1ae87cf8144ac46d
Opcode Fuzzy Hash: 761a1ce485632921bbffb7281cf2a6218fe9a642e71f4fdc5b2252f871c063eb
Instruction Fuzzy Hash: 26814073F247918EEB10DFB5C4402EC7BB0AB49388F904826DA5C57B99DA3CD615CB50

Function 00007FF77CFC48B0 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 00007FF77CFC49C9

Strings

Mingw-w64 runtime failure:, xrefs: 00007FF77CFC48E8
VirtualQuery failed for %d bytes at address %p, xrefs: 00007FF77CFC4B1C
Address %p has no image-section, xrefs: 00007FF77CFC4920, 00007FF77CFC4B30
VirtualProtect failed with code 0x%x, xrefs: 00007FF77CFC4AC2

Memory Dump Source

Source File: 00000002.00000002.4535028097.00007FF77CFC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00007FF77CFC0000, based on PE: true

Associated: 00000002.00000002.4534999603.00007FF77CFC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535028097.00007FF77CFD1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535028097.00007FF77CFD5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535153913.00007FF77D03F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535175151.00007FF77D040000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535199466.00007FF77D041000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff77cfc0000_svchost.jbxd

Similarity

API ID: QueryVirtual
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 1804819252-1534286854
Opcode ID: d803b5b9f4712c63a583bc66fc2a8294c2c3be480b6b5a6bb31d90d251e6b5c6
Instruction ID: dae6060f8e301852c1c05bc0038825ddcc7bd555302b7842fbda7062e7f41db2
Opcode Fuzzy Hash: d803b5b9f4712c63a583bc66fc2a8294c2c3be480b6b5a6bb31d90d251e6b5c6
Instruction Fuzzy Hash: 2671BF33B35B8286EB20AF51E844279B7A1EB497A4F944635EE5D13394DE3CE452C324

Function 00007FF77CFC1CA4 Relevance: 8.9, APIs: 7, Instructions: 154COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007FF77CFC1CE3
malloc.MSVCRT ref: 00007FF77CFC1CFE
free.MSVCRT ref: 00007FF77CFC1D25

Memory Dump Source

Source File: 00000002.00000002.4535028097.00007FF77CFC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00007FF77CFC0000, based on PE: true

Associated: 00000002.00000002.4534999603.00007FF77CFC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535028097.00007FF77CFD1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535028097.00007FF77CFD5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535153913.00007FF77D03F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535175151.00007FF77D040000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535199466.00007FF77D041000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff77cfc0000_svchost.jbxd

Similarity

API ID: free$malloc
String ID:
API String ID: 2190258309-0
Opcode ID: 3fdcc2ec0350fbc7881cfd62aa9810f02018ec7521ec9bc9f349b6b3c1acdd06
Instruction ID: 8edb3190aadc6b33a61fb503cd4e85abb755e8f77ace74923a42cc2195095a36
Opcode Fuzzy Hash: 3fdcc2ec0350fbc7881cfd62aa9810f02018ec7521ec9bc9f349b6b3c1acdd06
Instruction Fuzzy Hash: 32618123F34B4589EB14EBA6D8503AC67B1AB4CB98F508539CE1D97BA9DE3CD5508320

Function 00007FF77CFC2842 Relevance: 8.9, APIs: 7, Instructions: 121COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007FF77CFC2881
malloc.MSVCRT ref: 00007FF77CFC289C
free.MSVCRT ref: 00007FF77CFC28C3

Memory Dump Source

Source File: 00000002.00000002.4535028097.00007FF77CFC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00007FF77CFC0000, based on PE: true

Associated: 00000002.00000002.4534999603.00007FF77CFC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535028097.00007FF77CFD1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535028097.00007FF77CFD5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535153913.00007FF77D03F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535175151.00007FF77D040000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535199466.00007FF77D041000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff77cfc0000_svchost.jbxd

Similarity

API ID: free$malloc
String ID:
API String ID: 2190258309-0
Opcode ID: 9323b672db99f97c56645a26587eadc63964ebb5107a1af4015708c92901af04
Instruction ID: 0a87c7d1d530fecb0606b957874a23dfa061c728ec6c013993c8b6140a6dea4e
Opcode Fuzzy Hash: 9323b672db99f97c56645a26587eadc63964ebb5107a1af4015708c92901af04
Instruction Fuzzy Hash: 6C519D63F25B5589EB14EBA5D8503AC63B1FB4CB98F504939DE1D97BA9DE3CD4008320

Function 00007FF77CFC3261 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

Process32Next.KERNEL32 ref: 00007FF77CFC3395

Strings

CreateToolhelp32Snapshot failed. Error: %lu, xrefs: 00007FF77CFC32A3
Terminated process: %s (PID: %u), xrefs: 00007FF77CFC335C
Failed to open process: %s (PID: %u), xrefs: 00007FF77CFC337B

Memory Dump Source

Source File: 00000002.00000002.4535028097.00007FF77CFC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00007FF77CFC0000, based on PE: true

Associated: 00000002.00000002.4534999603.00007FF77CFC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535028097.00007FF77CFD1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535028097.00007FF77CFD5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535153913.00007FF77D03F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535175151.00007FF77D040000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535199466.00007FF77D041000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff77cfc0000_svchost.jbxd

Similarity

API ID: NextProcess32
String ID: CreateToolhelp32Snapshot failed. Error: %lu$Failed to open process: %s (PID: %u)$Terminated process: %s (PID: %u)
API String ID: 1850201408-153003829
Opcode ID: e181661efe4dd773058fb5c019e7242ec3b384c34b7989fb4873058b68cdb20b
Instruction ID: 5b03e42526fa1e084296836516a6f301fb531afc763ef4e89b1df8b5c16ad7cd
Opcode Fuzzy Hash: e181661efe4dd773058fb5c019e7242ec3b384c34b7989fb4873058b68cdb20b
Instruction Fuzzy Hash: B1318823B34BC549EB30EBA5D8543ED6361FB4C798F904536C91C4BB99DE28E549C360

Function 00007FF77CFC9620 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 52sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,00000000,Infinity,00007FF77CFC975F,?,?,?,?,00000000,Infinity,00007FF77CFC7C04,?,00000000,00000003,00007FF77CFC8118), ref: 00007FF77CFC964D
RtlInitializeCriticalSection.NTDLL ref: 00007FF77CFC968D
RtlInitializeCriticalSection.NTDLL ref: 00007FF77CFC9696

Strings

Infinity, xrefs: 00007FF77CFC9620

Memory Dump Source

Source File: 00000002.00000002.4535028097.00007FF77CFC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00007FF77CFC0000, based on PE: true

Associated: 00000002.00000002.4534999603.00007FF77CFC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535028097.00007FF77CFD1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535028097.00007FF77CFD5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535153913.00007FF77D03F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535175151.00007FF77D040000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535199466.00007FF77D041000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff77cfc0000_svchost.jbxd

Similarity

API ID: CriticalInitializeSection$Sleep
String ID: Infinity
API String ID: 1960909292-1015270809
Opcode ID: 2b3a132f51e9cd6b10359d2b6f53ec181f5f3bad216d3bdb832c5de5ecd3c170
Instruction ID: 3994d5d30b1060dc81b174f24f2860b7c587463a5a4690d675662ea43e9c7c8e
Opcode Fuzzy Hash: 2b3a132f51e9cd6b10359d2b6f53ec181f5f3bad216d3bdb832c5de5ecd3c170
Instruction Fuzzy Hash: 7F110D33E3868685EB25BB14F8A55B8A261FF4C714FE44931C80D862A4EF2DE956D720

Function 00007FF77CFC22C9 Relevance: 6.3, APIs: 5, Instructions: 87COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007FF77CFC2308
memset.MSVCRT ref: 00007FF77CFC2329
rand.MSVCRT ref: 00007FF77CFC2363
memset.MSVCRT ref: 00007FF77CFC2393
free.MSVCRT ref: 00007FF77CFC240D

Memory Dump Source

Source File: 00000002.00000002.4535028097.00007FF77CFC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00007FF77CFC0000, based on PE: true

Associated: 00000002.00000002.4534999603.00007FF77CFC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535028097.00007FF77CFD1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535028097.00007FF77CFD5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535153913.00007FF77D03F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535175151.00007FF77D040000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535199466.00007FF77D041000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff77cfc0000_svchost.jbxd

Similarity

API ID: freememset$rand
String ID:
API String ID: 2025389305-0
Opcode ID: 4480c9dfa61de757a7f1f0e5d6dc5bea86d1d3a71a6a449468cd70b262eee5fd
Instruction ID: fe6ad44f5c221d09e5704d64f509a668a2b73294c3a74c51f4020f677df445ac
Opcode Fuzzy Hash: 4480c9dfa61de757a7f1f0e5d6dc5bea86d1d3a71a6a449468cd70b262eee5fd
Instruction Fuzzy Hash: 5E313D23B35B5589EB10EBA5D8543AC63A0EB487A8F504A35DD6D97BE9DF3CD5008320

Function 00007FF77CFCA3A0 Relevance: 6.1, APIs: 4, Instructions: 92COMMON

Download Yara Rule

APIs

IsDBCSLeadByteEx.KERNEL32 ref: 00007FF77CFCA3FA
MultiByteToWideChar.KERNEL32 ref: 00007FF77CFCA43A

Memory Dump Source

Source File: 00000002.00000002.4535028097.00007FF77CFC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00007FF77CFC0000, based on PE: true

Associated: 00000002.00000002.4534999603.00007FF77CFC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535028097.00007FF77CFD1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535028097.00007FF77CFD5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535153913.00007FF77D03F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535175151.00007FF77D040000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535199466.00007FF77D041000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff77cfc0000_svchost.jbxd

Similarity

API ID: Byte$CharLeadMultiWide
String ID:
API String ID: 2561704868-0
Opcode ID: 98b7f6bf3ad1004ecf0cff6562c8d77fed0c02d9e6fb996009e33322c1bcc7a6
Instruction ID: 538f477bd8547dde9e8802f9770b12e362db92c6c95e2386de092cda6fd279c3
Opcode Fuzzy Hash: 98b7f6bf3ad1004ecf0cff6562c8d77fed0c02d9e6fb996009e33322c1bcc7a6
Instruction Fuzzy Hash: FE31B773B2D7C186E3705B24F404369A690BB98794F948A35DA98877E8DE3DE485CB10

Function 00007FF77CFC4B40 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 209COMMON

Download Yara Rule

Strings

Unknown pseudo relocation protocol version %d., xrefs: 00007FF77CFC4E18
Unknown pseudo relocation bit size %d., xrefs: 00007FF77CFC4E04

Memory Dump Source

Source File: 00000002.00000002.4535028097.00007FF77CFC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00007FF77CFC0000, based on PE: true

Associated: 00000002.00000002.4534999603.00007FF77CFC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535028097.00007FF77CFD1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535028097.00007FF77CFD5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535153913.00007FF77D03F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535175151.00007FF77D040000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535199466.00007FF77D041000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff77cfc0000_svchost.jbxd

Similarity

API ID:
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
API String ID: 0-395989641
Opcode ID: 76e62dfac5ded097740ec0d1c05d2b01f578fe877c8bdf0b2acdc5b6a318c470
Instruction ID: 1de371a5270a568706f85c5644c24f38d9ed153e536305abb2e8761d51d98cf4
Opcode Fuzzy Hash: 76e62dfac5ded097740ec0d1c05d2b01f578fe877c8bdf0b2acdc5b6a318c470
Instruction Fuzzy Hash: 0671B423F347D586EB30BB21E4007B9ABA2BB58B94F958930DE1C17794DE3DE441C620

Function 00007FF77CFC9750 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF77CFC9620: Sleep.KERNEL32(?,?,00000000,Infinity,00007FF77CFC975F,?,?,?,?,00000000,Infinity,00007FF77CFC7C04,?,00000000,00000003,00007FF77CFC8118), ref: 00007FF77CFC964D

malloc.MSVCRT ref: 00007FF77CFC9787
RtlLeaveCriticalSection.NTDLL ref: 00007FF77CFC97DF

Strings

Infinity, xrefs: 00007FF77CFC9750

Memory Dump Source

Source File: 00000002.00000002.4535028097.00007FF77CFC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00007FF77CFC0000, based on PE: true

Associated: 00000002.00000002.4534999603.00007FF77CFC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535028097.00007FF77CFD1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535028097.00007FF77CFD5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535153913.00007FF77D03F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535175151.00007FF77D040000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535199466.00007FF77D041000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff77cfc0000_svchost.jbxd

Similarity

API ID: CriticalLeaveSectionSleepmalloc
String ID: Infinity
API String ID: 1993596536-1015270809
Opcode ID: 583c81eff2bc653449be8c5b22903ef88f54eda45f881fdddad083b71c83a9c0
Instruction ID: 8114b26f264c7838b8f6737b3a8d2a935ea4006c4d1b0433d3ee793c23e00f44
Opcode Fuzzy Hash: 583c81eff2bc653449be8c5b22903ef88f54eda45f881fdddad083b71c83a9c0
Instruction Fuzzy Hash: 7C216B73F3978682EF24AB04E4503B9A391AF48784F858639C91D073A4EF3DA665C350

Function 00007FF77CFC47A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF77CFC4820

Strings

Unknown error, xrefs: 00007FF77CFC488C
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF77CFC4807

Memory Dump Source

Source File: 00000002.00000002.4535028097.00007FF77CFC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00007FF77CFC0000, based on PE: true

Associated: 00000002.00000002.4534999603.00007FF77CFC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535028097.00007FF77CFD1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535028097.00007FF77CFD5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535153913.00007FF77D03F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535175151.00007FF77D040000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535199466.00007FF77D041000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff77cfc0000_svchost.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: f7e8b77a0b0dff4a7c8fd560446d4c8046c86c2a5a0ae3229943de372c0eb2c5
Instruction ID: af98c07a5e445049c6748e19561df53899aa1472d29591555a3fe983a7751f7a
Opcode Fuzzy Hash: f7e8b77a0b0dff4a7c8fd560446d4c8046c86c2a5a0ae3229943de372c0eb2c5
Instruction Fuzzy Hash: 94017C63E28FC482D711AF1898001BAB331FF5E789F65AB25EA8C26555DF29E592C700

Function 00007FF77CFC4840 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF77CFC4820

Strings

Argument domain error (DOMAIN), xrefs: 00007FF77CFC4840
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF77CFC4807

Memory Dump Source

Source File: 00000002.00000002.4535028097.00007FF77CFC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00007FF77CFC0000, based on PE: true

Associated: 00000002.00000002.4534999603.00007FF77CFC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535028097.00007FF77CFD1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535028097.00007FF77CFD5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535153913.00007FF77D03F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535175151.00007FF77D040000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535199466.00007FF77D041000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff77cfc0000_svchost.jbxd

Similarity

API ID: fprintf
String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2713391170
Opcode ID: 709d1337b431af56bb765744f32365ef71057d2f3adb48a5db82197e702a3b57
Instruction ID: cb58b47371eceac29d2dc67c87c4ad2bde34164ea37ee2a0f709a06da0786628
Opcode Fuzzy Hash: 709d1337b431af56bb765744f32365ef71057d2f3adb48a5db82197e702a3b57
Instruction Fuzzy Hash: 6EF04F13D28F8482D312AF18A4001BAB330FF4E798F646B25EA8D26555DF28E5829710

Function 00007FF77CFC4850 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF77CFC4820

Strings

Partial loss of significance (PLOSS), xrefs: 00007FF77CFC4850
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF77CFC4807

Memory Dump Source

Source File: 00000002.00000002.4535028097.00007FF77CFC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00007FF77CFC0000, based on PE: true

Associated: 00000002.00000002.4534999603.00007FF77CFC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535028097.00007FF77CFD1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535028097.00007FF77CFD5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535153913.00007FF77D03F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535175151.00007FF77D040000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535199466.00007FF77D041000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff77cfc0000_svchost.jbxd

Similarity

API ID: fprintf
String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4283191376
Opcode ID: ef8ff845aa821fedd75d124928bf110435547eefecd6d81b6760bdc6d9931a3a
Instruction ID: 05f7827c934e987bb9d7e3a7a2ca68897a17a35c3ba36640e3965ee61ba545ad
Opcode Fuzzy Hash: ef8ff845aa821fedd75d124928bf110435547eefecd6d81b6760bdc6d9931a3a
Instruction Fuzzy Hash: 88F04F53D28FC482D312AF18A4001AAB330FF4E798F646B26EA8D26555DF28E5829710

Function 00007FF77CFC4860 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF77CFC4820

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF77CFC4807
Overflow range error (OVERFLOW), xrefs: 00007FF77CFC4860

Memory Dump Source

Source File: 00000002.00000002.4535028097.00007FF77CFC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00007FF77CFC0000, based on PE: true

Associated: 00000002.00000002.4534999603.00007FF77CFC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535028097.00007FF77CFD1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535028097.00007FF77CFD5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535153913.00007FF77D03F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535175151.00007FF77D040000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535199466.00007FF77D041000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff77cfc0000_svchost.jbxd

Similarity

API ID: fprintf
String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4064033741
Opcode ID: 30eeda8bdb12080cde567a8558e119721110e6916e5ac3dcb8fdf4791492d7ce
Instruction ID: a9973f5484547c71d937e05970337b29304e00b3e7846614a95bdf573d3cf0bb
Opcode Fuzzy Hash: 30eeda8bdb12080cde567a8558e119721110e6916e5ac3dcb8fdf4791492d7ce
Instruction Fuzzy Hash: 5BF04F13D28F8482D312AF18A4001AAB330FF4E798F646B25EA8D26555DF29E5829710

Function 00007FF77CFC4870 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF77CFC4820

Strings

The result is too small to be represented (UNDERFLOW), xrefs: 00007FF77CFC4870
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF77CFC4807

Memory Dump Source

Source File: 00000002.00000002.4535028097.00007FF77CFC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00007FF77CFC0000, based on PE: true

Associated: 00000002.00000002.4534999603.00007FF77CFC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535028097.00007FF77CFD1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535028097.00007FF77CFD5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535153913.00007FF77D03F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535175151.00007FF77D040000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535199466.00007FF77D041000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff77cfc0000_svchost.jbxd

Similarity

API ID: fprintf
String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2187435201
Opcode ID: f4b68061637c4e869876cc2b07be9ae89b12cec57d0ec52bd52edc14d149258f
Instruction ID: e6b6bf74340c0dd950f40723646ff31da8ec36bcc0fea3842508f58867b6ea64
Opcode Fuzzy Hash: f4b68061637c4e869876cc2b07be9ae89b12cec57d0ec52bd52edc14d149258f
Instruction Fuzzy Hash: 07F04F13D28F8482D312AF18A4001AAB330FF4E798F645B25EB8D26555DF28E5929710

Function 00007FF77CFC4880 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF77CFC4820

Strings

Total loss of significance (TLOSS), xrefs: 00007FF77CFC4880
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF77CFC4807

Memory Dump Source

Source File: 00000002.00000002.4535028097.00007FF77CFC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00007FF77CFC0000, based on PE: true

Associated: 00000002.00000002.4534999603.00007FF77CFC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535028097.00007FF77CFD1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535028097.00007FF77CFD5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535153913.00007FF77D03F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535175151.00007FF77D040000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535199466.00007FF77D041000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff77cfc0000_svchost.jbxd

Similarity

API ID: fprintf
String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4273532761
Opcode ID: 2555366b7f243d5c5750147fe3f99058101b7cdae7e235ce5a55a443d9b88822
Instruction ID: b62011c949c4255cf50ee968f47cf7fe703b33f40f4eeb90de48ef283b70e12b
Opcode Fuzzy Hash: 2555366b7f243d5c5750147fe3f99058101b7cdae7e235ce5a55a443d9b88822
Instruction Fuzzy Hash: 70F04F17D68F8482D312AF18A4001AAB330FF4E798F646B25EA8D26555DF28E5829710

Function 00007FF77CFC47D8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF77CFC4820

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF77CFC4807
Argument singularity (SIGN), xrefs: 00007FF77CFC47D8

Memory Dump Source

Source File: 00000002.00000002.4535028097.00007FF77CFC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00007FF77CFC0000, based on PE: true

Associated: 00000002.00000002.4534999603.00007FF77CFC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535028097.00007FF77CFD1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535028097.00007FF77CFD5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535153913.00007FF77D03F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535175151.00007FF77D040000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535199466.00007FF77D041000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff77cfc0000_svchost.jbxd

Similarity

API ID: fprintf
String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2468659920
Opcode ID: bffe1eaf3389dee2b12e3729f9d500de9cab9793a4ff0cf748dbcce5efa7edf7
Instruction ID: 68b84f13ec67206118c8bbcea8b335b66ef6ace9a70951308fc14b7607700bd8
Opcode Fuzzy Hash: bffe1eaf3389dee2b12e3729f9d500de9cab9793a4ff0cf748dbcce5efa7edf7
Instruction Fuzzy Hash: EBF06213D28F8482D3129F18A4000ABB330FF4E798F545B25EF8C26115DF28E5828710

Function 00007FF77CFC15C0 Relevance: 5.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007FF77CFC15FF
memset.MSVCRT ref: 00007FF77CFC1620
memset.MSVCRT ref: 00007FF77CFC168F
free.MSVCRT ref: 00007FF77CFC176E

Memory Dump Source

Source File: 00000002.00000002.4535028097.00007FF77CFC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00007FF77CFC0000, based on PE: true

Associated: 00000002.00000002.4534999603.00007FF77CFC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535028097.00007FF77CFD1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535028097.00007FF77CFD5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535153913.00007FF77D03F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535175151.00007FF77D040000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535199466.00007FF77D041000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff77cfc0000_svchost.jbxd

Similarity

API ID: freememset
String ID:
API String ID: 2499939622-0
Opcode ID: 8337257afa241cc28aafe8cf9f7202994b655755b37db60b13fdb6ff63783a31
Instruction ID: 7eee289acaad0ba2ef9469492f9b78fe8d4769efda038bca21ed91addf053428
Opcode Fuzzy Hash: 8337257afa241cc28aafe8cf9f7202994b655755b37db60b13fdb6ff63783a31
Instruction Fuzzy Hash: A3413D23B35B5588EB10EBA6E8503AC6371AB48BA4F508A35CD2D577E9DF3DD6508320

Function 00007FF77CFC214D Relevance: 5.1, APIs: 4, Instructions: 77COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007FF77CFC21A6
memset.MSVCRT ref: 00007FF77CFC21CA
memset.MSVCRT ref: 00007FF77CFC2225
free.MSVCRT ref: 00007FF77CFC22B6

Memory Dump Source

Source File: 00000002.00000002.4535028097.00007FF77CFC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00007FF77CFC0000, based on PE: true

Associated: 00000002.00000002.4534999603.00007FF77CFC0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535028097.00007FF77CFD1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535028097.00007FF77CFD5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535153913.00007FF77D03F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535175151.00007FF77D040000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.4535199466.00007FF77D041000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff77cfc0000_svchost.jbxd

Similarity

API ID: freememset
String ID:
API String ID: 2499939622-0
Opcode ID: 9f44535f6fd749539bcc271d37f089827b23007be47d33ba420ed4f177ea1149
Instruction ID: 17bfc46f87919d282204068d4946002d1b66bb56398d74d5013844812f172b83
Opcode Fuzzy Hash: 9f44535f6fd749539bcc271d37f089827b23007be47d33ba420ed4f177ea1149
Instruction Fuzzy Hash: 3F318D27724BC58AEB75AF65E8503E96368E748B98F804536DA1D4BBA9DF7CD3008310

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report cbot.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cbot.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cbot.exe:Zone.Identifier

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe (copy)

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

TCP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: cbot.exePID: 3356, Parent PID: 1028

General

Windows Analysis Report
cbot.exe

Function 00007FF6DF563D58 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 122
networkCOMMON

Function 00007FF6DF561190 Relevance: 13.7, APIs: 9, Instructions: 203
sleepstringCOMMON

Function 00007FF6DF5633E2 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 74
COMMON

Function 00007FF6DF5643B9 Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 91
fileCOMMON

Function 00007FF6DF564146 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 63
fileCOMMON

Function 00007FF6DF563AE6 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 136
networkCOMMON

Function 00007FF6DF563A84 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 23
threadCOMMON

Function 00007FF6DF562666 Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 114
COMMON

Function 00007FF6DF563660 Relevance: 13.7, APIs: 4, Strings: 5, Instructions: 171
COMMON

Function 00007FF6DF5648B0 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 190
COMMON

Function 00007FF6DF561CA4 Relevance: 8.9, APIs: 7, Instructions: 154
COMMON

Function 00007FF6DF562842 Relevance: 8.9, APIs: 7, Instructions: 121
COMMON

Function 00007FF77CFC1190 Relevance: 13.7, APIs: 9, Instructions: 203
sleepstringCOMMON

Function 00007FF77CFC3D58 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 122
networkCOMMON

Function 00007FF77CFC33E2 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 74
COMMON

Function 00007FF77CFC3AE6 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 136
networkCOMMON

Function 00007FF77CFC3A84 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 23
threadCOMMON

Function 00007FF77CFC3660 Relevance: 13.7, APIs: 4, Strings: 5, Instructions: 171
COMMON