Edit tour

Windows Analysis Report
cbot.exe

Overview

General Information

Sample name:	cbot.exe
Analysis ID:	1587731
MD5:	800dcb9f93715f5ed7189be2e35aebd9
SHA1:	5d0a60c1e85bed844bb98a864c04d87e1b66c76d
SHA256:	cff151ab7a8c0d221278758e76f71fc6c120d22bc39bf98daabfe1f450642a6f
Tags:	DDoSexeuser-NDA0E
Infos:

Detection

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

AI detected suspicious sample

Drops PE files to the startup folder

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: System File Execution Location Anomaly

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

AV process strings found (often used to terminate AV products)

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

cbot.exe (PID: 1892 cmdline: "C:\Users\user\Desktop\cbot.exe" MD5: 800DCB9F93715F5ED7189BE2E35AEBD9)

svchost.exe (PID: 5056 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe" MD5: 800DCB9F93715F5ED7189BE2E35AEBD9)

cleanup

Sigma Signatures

System Summary

Sigma detected: System File Execution Location Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe" , CommandLine: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe" , ProcessId: 5056, ProcessName: svchost.exe

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\cbot.exe, ProcessId: 1892, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cbot.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe" , CommandLine: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe" , ProcessId: 5056, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cbot.exe	Virustotal: Detection: 23%	Perma Link
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cbot.exe	ReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe (copy)	ReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe (copy)	Virustotal: Detection: 23%	Perma Link

Multi AV Scanner detection for submitted file

Source: cbot.exe	Virustotal: Detection: 23%			Perma Link
Source: cbot.exe	ReversingLabs: Detection: 21%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cbot.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: cbot.exe

Joe Sandbox ML: detected

Source: cbot.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe

Network Connect: 154.213.192.42 3778

Jump to behavior

Source: global traffic

TCP traffic: 192.168.2.8:49707 -> 154.213.192.42:3778

Source: global traffic

TCP traffic: 192.168.2.8:49229 -> 162.159.36.2:53

Source: Joe Sandbox View

ASN Name: POWERLINE-AS-APPOWERLINEDATACENTERHK POWERLINE-AS-APPOWERLINEDATACENTERHK

Source: unknown

DNS traffic detected: query: 18.31.95.13.in-addr.arpa replaycode: Name error (3)

Source: unknown	TCP traffic detected without corresponding DNS query: 154.213.192.42
Source: unknown	TCP traffic detected without corresponding DNS query: 154.213.192.42
Source: unknown	TCP traffic detected without corresponding DNS query: 154.213.192.42
Source: unknown	TCP traffic detected without corresponding DNS query: 154.213.192.42
Source: unknown	TCP traffic detected without corresponding DNS query: 154.213.192.42
Source: unknown	TCP traffic detected without corresponding DNS query: 154.213.192.42
Source: unknown	TCP traffic detected without corresponding DNS query: 154.213.192.42
Source: unknown	TCP traffic detected without corresponding DNS query: 154.213.192.42
Source: unknown	TCP traffic detected without corresponding DNS query: 154.213.192.42
Source: unknown	TCP traffic detected without corresponding DNS query: 154.213.192.42
Source: unknown	TCP traffic detected without corresponding DNS query: 154.213.192.42
Source: unknown	TCP traffic detected without corresponding DNS query: 154.213.192.42
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\cbot.exe

Code function: 0_2_00007FF630603D58 htons,inet_addr,Sleep,send,send,send,send,send,memset,recv,recv,perror,closesocket,Sleep,

0_2_00007FF630603D58

Source: global traffic

DNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa

Source: C:\Users\user\Desktop\cbot.exe	Code function: 0_2_00007FF630607DF0		0_2_00007FF630607DF0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Code function: 2_2_00007FF609A07DF0		2_2_00007FF609A07DF0

Source: classification engine

Classification label: mal88.adwa.evad.winEXE@2/3@1/1

Source: C:\Users\user\Desktop\cbot.exe

Code function: 0_2_00007FF6306033E2 CreateToolhelp32Snapshot,GetLastError,Process32First,strcmp,Process32Next,CloseHandle,CloseHandle,Sleep,SleepEx,

0_2_00007FF6306033E2

Source: C:\Users\user\Desktop\cbot.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cbot.exe

Jump to behavior

Source: C:\Users\user\Desktop\cbot.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: cbot.exe	Virustotal: Detection: 23%
Source: cbot.exe	ReversingLabs: Detection: 21%

Source: C:\Users\user\Desktop\cbot.exe

File read: C:\Users\user\Desktop\cbot.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\cbot.exe "C:\Users\user\Desktop\cbot.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"

Source: C:\Users\user\Desktop\cbot.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\cbot.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\cbot.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\cbot.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\cbot.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Section loaded: mswsock.dll	Jump to behavior

Source: cbot.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: cbot.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: cbot.exe	Static PE information: section name: UPX2
Source: cbot.exe.0.dr	Static PE information: section name: UPX2

Source: C:\Users\user\Desktop\cbot.exe	Code function: 0_2_00007FF63061139C push rbp; retf	0_2_00007FF630611387
Source: C:\Users\user\Desktop\cbot.exe	Code function: 0_2_00007FF63061139C push rbp; retf	0_2_00007FF6306113BF
Source: C:\Users\user\Desktop\cbot.exe	Code function: 0_2_00007FF6306113A4 push rbp; retf	0_2_00007FF6306113BF
Source: C:\Users\user\Desktop\cbot.exe	Code function: 0_2_00007FF630611384 push rbp; retf	0_2_00007FF630611387
Source: C:\Users\user\Desktop\cbot.exe	Code function: 0_2_00007FF6306113FC push rbp; retf	0_2_00007FF6306113FF
Source: C:\Users\user\Desktop\cbot.exe	Code function: 0_2_00007FF630611404 push rsi; retf	0_2_00007FF63061140F
Source: C:\Users\user\Desktop\cbot.exe	Code function: 0_2_00007FF6306113DC push rbp; retf	0_2_00007FF6306113DF
Source: C:\Users\user\Desktop\cbot.exe	Code function: 0_2_00007FF630605040 push rbp; retf	0_2_00007FF6306113BF
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Code function: 2_2_00007FF609A05040 push rbp; retf	2_2_00007FF609A113BF
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Code function: 2_2_00007FF609A113DC push rbp; retf	2_2_00007FF609A113DF
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Code function: 2_2_00007FF609A113FC push rbp; retf	2_2_00007FF609A113FF
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Code function: 2_2_00007FF609A11404 push rsi; retf	2_2_00007FF609A1140F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Code function: 2_2_00007FF609A1139C push rbp; retf	2_2_00007FF609A11387
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Code function: 2_2_00007FF609A1139C push rbp; retf	2_2_00007FF609A113BF
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Code function: 2_2_00007FF609A113A4 push rbp; retf	2_2_00007FF609A113BF
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Code function: 2_2_00007FF609A11384 push rbp; retf	2_2_00007FF609A11387

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\Desktop\cbot.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe (copy)			Jump to dropped file
Source: C:\Users\user\Desktop\cbot.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cbot.exe			Jump to dropped file

Boot Survival

Drops PE files to the startup folder

Source: C:\Users\user\Desktop\cbot.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe (copy)			Jump to dropped file
Source: C:\Users\user\Desktop\cbot.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cbot.exe			Jump to dropped file

Source: C:\Users\user\Desktop\cbot.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cbot.exe

Jump to behavior

Source: C:\Users\user\Desktop\cbot.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cbot.exe			Jump to behavior
Source: C:\Users\user\Desktop\cbot.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cbot.exe\:Zone.Identifier:$DATA			Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: cbot.exe, cbot.exe, 00000000.00000002.3473626775.00007FF630601000.00000040.00000001.01000000.00000003.sdmp, svchost.exe, svchost.exe, 00000002.00000002.3473614797.00007FF609A01000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: PROCESSHACKER.EXE
Source: cbot.exe, cbot.exe, 00000000.00000002.3473626775.00007FF630601000.00000040.00000001.01000000.00000003.sdmp, svchost.exe, svchost.exe, 00000002.00000002.3473614797.00007FF609A01000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: X64DBG.EXE
Source: svchost.exe, 00000002.00000002.3473614797.00007FF609A01000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: NLCLIENTAPP.EXEWIRESHARK.EXEDUMPCAP.EXEX64DBG.EXEX32DBG.EXEPROCESSHACKER.EXEBOT.EXEBOT.EXECREATETOOLHELP32SNAPSHOT FAILED. ERROR: %LU
Source: cbot.exe, cbot.exe, 00000000.00000002.3473626775.00007FF630601000.00000040.00000001.01000000.00000003.sdmp, svchost.exe, svchost.exe, 00000002.00000002.3473614797.00007FF609A01000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: DUMPCAP.EXE
Source: cbot.exe, cbot.exe, 00000000.00000002.3473626775.00007FF630601000.00000040.00000001.01000000.00000003.sdmp, svchost.exe, svchost.exe, 00000002.00000002.3473614797.00007FF609A01000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: WIRESHARK.EXE

Source: C:\Users\user\Desktop\cbot.exe TID: 5532	Thread sleep count: 88 > 30	Jump to behavior
Source: C:\Users\user\Desktop\cbot.exe TID: 5532	Thread sleep time: -176000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe TID: 5308	Thread sleep count: 81 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe TID: 5308	Thread sleep time: -162000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\cbot.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\cbot.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Last function: Thread delayed

Source: cbot.exe, 00000000.00000002.3473420215.0000017D760F4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3473477702.00000279D9A13000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\cbot.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\cbot.exe	Code function: 0_2_00007FF630601190 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_initterm,GetStartupInfoA,exit,	0_2_00007FF630601190
Source: C:\Users\user\Desktop\cbot.exe	Code function: 0_2_00007FF6306113DC SetUnhandledExceptionFilter,	0_2_00007FF6306113DC
Source: C:\Users\user\Desktop\cbot.exe	Code function: 0_2_00007FF63060AA8A SetUnhandledExceptionFilter,	0_2_00007FF63060AA8A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Code function: 2_2_00007FF609A01190 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_initterm,GetStartupInfoA,exit,	2_2_00007FF609A01190
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Code function: 2_2_00007FF609A0AA8A SetUnhandledExceptionFilter,	2_2_00007FF609A0AA8A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Code function: 2_2_00007FF609A113DC SetUnhandledExceptionFilter,	2_2_00007FF609A113DC

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe

Network Connect: 154.213.192.42 3778

Jump to behavior

Source: cbot.exe, cbot.exe, 00000000.00000002.3473626775.00007FF630601000.00000040.00000001.01000000.00000003.sdmp, svchost.exe, svchost.exe, 00000002.00000002.3473614797.00007FF609A01000.00000040.00000001.01000000.00000005.sdmp

Binary or memory string: Wireshark.exe

Source: C:\Users\user\Desktop\cbot.exe	Code function: 0_2_00007FF63060241D socket,free,memset,htons,bind,closesocket,free,memset,htons,inet_addr,sendto,closesocket,free,	0_2_00007FF63060241D
Source: C:\Users\user\Desktop\cbot.exe	Code function: 0_2_00007FF630602666 socket,free,memset,htons,bind,closesocket,free,memset,htons,inet_addr,sendto,closesocket,free,	0_2_00007FF630602666
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Code function: 2_2_00007FF609A02666 socket,free,memset,htons,bind,closesocket,free,memset,htons,inet_addr,sendto,closesocket,free,	2_2_00007FF609A02666
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	Code function: 2_2_00007FF609A0241D socket,free,memset,htons,bind,closesocket,free,memset,htons,inet_addr,sendto,closesocket,free,	2_2_00007FF609A0241D

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	12 Registry Run Keys / Startup Folder	11 Process Injection	1 Masquerading	OS Credential Dumping	211 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	12 Registry Run Keys / Startup Folder	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Obfuscated Files or Information	NTDS	1 System Information Discovery	Distributed Component Object Model	Input Capture	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	1 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Link
cbot.exe	24%	Virustotal	Browse
cbot.exe	21%	ReversingLabs
cbot.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cbot.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cbot.exe	24%	Virustotal	Browse
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cbot.exe	21%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe (copy)	21%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe (copy)	24%	Virustotal	Browse

Name	IP	Active	Malicious	Antivirus Detection	Reputation
18.31.95.13.in-addr.arpa	unknown	unknown	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
154.213.192.42	unknown	Seychelles		132839	POWERLINE-AS-APPOWERLINEDATACENTERHK	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587731
Start date and time:	2025-01-10 17:38:34 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	cbot.exe
Detection:	MAL
Classification:	mal88.adwa.evad.winEXE@2/3@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 12 Number of non-executed functions: 45
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.95.31.18, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
17:40:00	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
POWERLINE-AS-APPOWERLINEDATACENTERHK	NWPZbNcRxL.exe	Get hash	malicious	FormBook	Browse	154.213.39.66
	armv4l.elf	Get hash	malicious	Unknown	Browse	156.253.200.172
	https://199.188.109.181	Get hash	malicious	Unknown	Browse	154.203.26.164
	Fantazy.m68k.elf	Get hash	malicious	Unknown	Browse	156.243.249.53
	sora.arm7.elf	Get hash	malicious	Unknown	Browse	154.216.35.228
	DHL-DOC83972025-1.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	gompsl.elf	Get hash	malicious	Mirai	Browse	156.251.7.182
	garm5.elf	Get hash	malicious	Mirai	Browse	156.242.206.46
	garm7.elf	Get hash	malicious	Mirai	Browse	156.242.206.54

Process:	C:\Users\user\Desktop\cbot.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	154772
Entropy (8bit):	7.054263895609286
Encrypted:	false
SSDEEP:	1536:/LtDu076JchveHZHAsFXGDDkDNsJQ337Tcxg3cXf3NsMpphw6p0HP94Y8udRivy:TtD9+dHNAe2v8Ns67wg3af9skh4eS/i6
MD5:	800DCB9F93715F5ED7189BE2E35AEBD9
SHA1:	5D0A60C1E85BED844BB98A864C04D87E1B66C76D
SHA-256:	CFF151AB7A8C0D221278758E76F71FC6C120D22BC39BF98DAABFE1F450642A6F
SHA-512:	F8BFBB0AF933AD0F4CF96B27811CBA1520AC436D3A511D26D1A005813B0B19FBC4B613BEBECB2F847A072CD59002F489F81AC98EE34DD84125706BBE6AC215F2
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 24%, Browse Antivirus: ReversingLabs, Detection: 21%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......g.B........&....&.........p.............@............................. ............`... .................................................P...............x...........P...................................(...................................................UPX0.....p..............................UPX1................................@...UPX2................................@...3.94.UPX!.$...5........{......I..R...a.z.....f.....kx...KQc...D....>o.\%Qx..?o!.>......A%..#:V.,Wb.;%.U}.....t^.\|..:.....r...e_H..g.....F.Ju.X......I.P%........pe..l....M.<.Gskoa.5&)7..A.1.w.'`.J..E.}..T!.RjH-/o...8A.....1...Y.wp%..S.x'...)k.... Kx.......uj.Dg.~...]7..%.)..7@O$...R....7..m..1..Z..G\j.>.;^.<..]t..h.F..=...oMv..u....\k............,..}."....8..F.....6..yRbT)....l?....(..[`.=B...!ADMo..5V.P....}l...%N.H..i.P_.l..'r....H&..kcO..g.4...Lx.o.8zJJ......

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cbot.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\cbot.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe (copy)

Download File

Process:	C:\Users\user\Desktop\cbot.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	154772
Entropy (8bit):	7.054263895609286
Encrypted:	false
SSDEEP:	1536:/LtDu076JchveHZHAsFXGDDkDNsJQ337Tcxg3cXf3NsMpphw6p0HP94Y8udRivy:TtD9+dHNAe2v8Ns67wg3af9skh4eS/i6
MD5:	800DCB9F93715F5ED7189BE2E35AEBD9
SHA1:	5D0A60C1E85BED844BB98A864C04D87E1B66C76D
SHA-256:	CFF151AB7A8C0D221278758E76F71FC6C120D22BC39BF98DAABFE1F450642A6F
SHA-512:	F8BFBB0AF933AD0F4CF96B27811CBA1520AC436D3A511D26D1A005813B0B19FBC4B613BEBECB2F847A072CD59002F489F81AC98EE34DD84125706BBE6AC215F2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21% Antivirus: Virustotal, Detection: 24%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......g.B........&....&.........p.............@............................. ............`... .................................................P...............x...........P...................................(...................................................UPX0.....p..............................UPX1................................@...UPX2................................@...3.94.UPX!.$...5........{......I..R...a.z.....f.....kx...KQc...D....>o.\%Qx..?o!.>......A%..#:V.,Wb.;%.U}.....t^.\|..:.....r...e_H..g.....F.Ju.X......I.P%........pe..l....M.<.Gskoa.5&)7..A.1.w.'`.J..E.}..T!.RjH-/o...8A.....1...Y.wp%..S.x'...)k.... Kx.......uj.Dg.~...]7..%.)..7@O$...R....7..m..1..Z..G\j.>.;^.<..]t..h.F..=...oMv..u....\k............,..}."....8..F.....6..yRbT)....l?....(..[`.=B...!ADMo..5V.P....}l...%N.H..i.P_.l..'r....H&..kcO..g.4...Lx.o.8zJJ......

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.054263895609286
TrID:	Win64 Executable GUI (202006/5) 81.26% UPX compressed Win32 Executable (30571/9) 12.30% Win64 Executable (generic) (12005/4) 4.83% Generic Win/DOS Executable (2004/3) 0.81% DOS Executable Generic (2002/1) 0.81%
File name:	cbot.exe
File size:	154'772 bytes
MD5:	800dcb9f93715f5ed7189be2e35aebd9
SHA1:	5d0a60c1e85bed844bb98a864c04d87e1b66c76d
SHA256:	cff151ab7a8c0d221278758e76f71fc6c120d22bc39bf98daabfe1f450642a6f
SHA512:	f8bfbb0af933ad0f4cf96b27811cba1520ac436d3a511d26d1a005813b0b19fbc4b613bebecb2f847a072cd59002f489f81ac98ee34dd84125706bbe6ac215f2
SSDEEP:	1536:/LtDu076JchveHZHAsFXGDDkDNsJQ337Tcxg3cXf3NsMpphw6p0HP94Y8udRivy:TtD9+dHNAe2v8Ns67wg3af9skh4eS/i6
TLSH:	BAE34AE066E85D86FA24527D41C7D222273CFBE1C7434B07493476362E63BD27DC266A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......g.B........&....&.........p.............@............................. ............`... ............................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x14007fbd0
Entrypoint Section:	UPX1
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x677FF49E [Thu Jan 9 16:09:02 2025 UTC]
TLS Callbacks:	0x400807b4, 0x1
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f09dfdec43a86f0214209d98673dd7a5

Entrypoint Preview

Instruction
push ebx
push esi
push edi
push ebp
dec eax
lea esi, dword ptr [FFFE844Ah]
dec eax
lea edi, dword ptr [esi-00067025h]
push edi
mov eax, 0007D898h
push eax
dec eax
mov ecx, esp
dec eax
mov edx, edi
dec eax
mov edi, esi
mov esi, 00017BA9h
push ebp
dec eax
mov ebp, esp
inc esp
mov ecx, dword ptr [ecx]
dec ecx
mov eax, edx
dec eax
mov edx, esi
dec eax
lea esi, dword ptr [edi+02h]
push esi
mov al, byte ptr [edi]
dec edx
mov cl, al
and al, 07h
shr cl, 00000003h
dec eax
mov ebx, FFFFFD00h
dec eax
shl ebx, cl
mov cl, al
dec eax
lea ebx, dword ptr [esp+ebx*2-00000E78h]
dec eax
and ebx, FFFFFFC0h
push 00000000h
dec eax
cmp esp, ebx
jne 00007FE13CDEBEFBh
push ebx
dec eax
lea edi, dword ptr [ebx+08h]
mov cl, byte ptr [esi-01h]
dec edx
mov byte ptr [edi+02h], al
mov al, cl
shr cl, 00000004h
mov byte ptr [edi+01h], cl
and al, 0Fh
mov byte ptr [edi], al
dec eax
lea ecx, dword ptr [edi-04h]
push eax
inc ecx
push edi
dec eax
lea eax, dword ptr [edi+04h]
inc ebp
xor edi, edi
inc ecx
push esi
inc ecx
mov esi, 00000001h
inc ecx
push ebp
inc ebp
xor ebp, ebp
inc ecx
push esp
push ebp
push ebx
dec eax
mov dword ptr [esp-10h], ecx
dec eax
mov dword ptr [esp-28h], eax
mov eax, 00000001h
dec eax
mov dword ptr [esp-08h], esi
dec esp
mov dword ptr [esp-18h], eax
mov ebx, eax
inc esp
mov dword ptr [esp-1Ch], ecx
movzx ecx, byte ptr [edi+02h]
shl ebx, cl
mov ecx, ebx
dec eax
mov ebx, dword ptr [esp+38h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x81000	0x150	UPX2
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0xe000	0x678	UPX0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x81150	0x14	UPX2
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x807e0	0x28	UPX1
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0x67000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1	0x68000	0x19000	0x18a00	f41f1ea65f943a5bd10b513b61e18c03	False	0.9843849143401016	data	7.988732441146602	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX2	0x81000	0x1000	0x200	7d6ce4d078252eaccdfee320f323b357	False	0.40234375	data	2.962088078182722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL	Import
KERNEL32.DLL	LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect
msvcrt.dll	atoi
SHELL32.dll	SHGetSpecialFolderPathA
WS2_32.dll	bind

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 17:39:57.886636972 CET	49707	3778	192.168.2.8	154.213.192.42
Jan 10, 2025 17:39:57.891462088 CET	3778	49707	154.213.192.42	192.168.2.8
Jan 10, 2025 17:39:57.891544104 CET	49707	3778	192.168.2.8	154.213.192.42
Jan 10, 2025 17:39:57.892252922 CET	49707	3778	192.168.2.8	154.213.192.42
Jan 10, 2025 17:39:57.897053003 CET	3778	49707	154.213.192.42	192.168.2.8
Jan 10, 2025 17:39:57.897123098 CET	49707	3778	192.168.2.8	154.213.192.42
Jan 10, 2025 17:39:57.901992083 CET	3778	49707	154.213.192.42	192.168.2.8
Jan 10, 2025 17:39:58.520579100 CET	3778	49707	154.213.192.42	192.168.2.8
Jan 10, 2025 17:39:58.569575071 CET	49707	3778	192.168.2.8	154.213.192.42
Jan 10, 2025 17:39:58.649470091 CET	3778	49707	154.213.192.42	192.168.2.8
Jan 10, 2025 17:39:58.694427967 CET	49707	3778	192.168.2.8	154.213.192.42
Jan 10, 2025 17:40:09.770706892 CET	49708	3778	192.168.2.8	154.213.192.42
Jan 10, 2025 17:40:09.775651932 CET	3778	49708	154.213.192.42	192.168.2.8
Jan 10, 2025 17:40:09.775795937 CET	49708	3778	192.168.2.8	154.213.192.42
Jan 10, 2025 17:40:09.775795937 CET	49708	3778	192.168.2.8	154.213.192.42
Jan 10, 2025 17:40:09.780649900 CET	3778	49708	154.213.192.42	192.168.2.8
Jan 10, 2025 17:40:09.780714035 CET	49708	3778	192.168.2.8	154.213.192.42
Jan 10, 2025 17:40:09.785561085 CET	3778	49708	154.213.192.42	192.168.2.8
Jan 10, 2025 17:40:10.392095089 CET	3778	49708	154.213.192.42	192.168.2.8
Jan 10, 2025 17:40:10.444552898 CET	49708	3778	192.168.2.8	154.213.192.42
Jan 10, 2025 17:40:10.521326065 CET	3778	49708	154.213.192.42	192.168.2.8
Jan 10, 2025 17:40:10.569400072 CET	49708	3778	192.168.2.8	154.213.192.42
Jan 10, 2025 17:40:30.078110933 CET	49229	53	192.168.2.8	162.159.36.2
Jan 10, 2025 17:40:30.083769083 CET	53	49229	162.159.36.2	192.168.2.8
Jan 10, 2025 17:40:30.083892107 CET	49229	53	192.168.2.8	162.159.36.2
Jan 10, 2025 17:40:30.089497089 CET	53	49229	162.159.36.2	192.168.2.8
Jan 10, 2025 17:40:30.548048019 CET	49229	53	192.168.2.8	162.159.36.2
Jan 10, 2025 17:40:30.553491116 CET	53	49229	162.159.36.2	192.168.2.8
Jan 10, 2025 17:40:30.553559065 CET	49229	53	192.168.2.8	162.159.36.2

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 17:40:30.077526093 CET	53	59086	162.159.36.2	192.168.2.8
Jan 10, 2025 17:40:30.561811924 CET	53508	53	192.168.2.8	1.1.1.1
Jan 10, 2025 17:40:30.570547104 CET	53	53508	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 17:40:30.561811924 CET	192.168.2.8	1.1.1.1	0x8d61	Standard query (0)	18.31.95.13.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 17:40:30.570547104 CET	1.1.1.1	192.168.2.8	0x8d61	Name error (3)	18.31.95.13.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

Target ID:	0
Start time:	11:39:56
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\cbot.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\cbot.exe"
Imagebase:	0x7ff630600000
File size:	154'772 bytes
MD5 hash:	800DCB9F93715F5ED7189BE2E35AEBD9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	11:40:08
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
Imagebase:	0x7ff609a00000
File size:	154'772 bytes
MD5 hash:	800DCB9F93715F5ED7189BE2E35AEBD9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	7.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	13.4%
Total number of Nodes:	618
Total number of Limit Nodes:	7

Executed Functions

Function 00007FF630603D58 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 122
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF630604146: CopyFileA.KERNEL32 ref: 00007FF630604212

Part of subcall function 00007FF630603A84: CreateThread.KERNELBASE ref: 00007FF630603ABB

Part of subcall function 00007FF630603AE6: socket.WS2_32 ref: 00007FF630603B36

send.WS2_32 ref: 00007FF630603E25
send.WS2_32 ref: 00007FF630603E73
memset.MSVCRT ref: 00007FF630603EB0
recv.WS2_32 ref: 00007FF630603ED3
perror.MSVCRT ref: 00007FF630603EEB

Strings

Disconnected from server. Retrying in 500ms..., xrefs: 00007FF630603F85
recv failed, xrefs: 00007FF630603EE4
%02x , xrefs: 00007FF630603F30
win_x86_x64, xrefs: 00007FF630603E27
Connection failed. Retrying..., xrefs: 00007FF630603DCC
154.213.192.42, xrefs: 00007FF630603D94
Received %d bytes: , xrefs: 00007FF630603F06
Connected to C&C server, xrefs: 00007FF630603DEB

Memory Dump Source

Source File: 00000000.00000002.3473626775.00007FF630601000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF630600000, based on PE: true

Associated: 00000000.00000002.3473602807.00007FF630600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473626775.00007FF630611000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473626775.00007FF630615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473740086.00007FF63067F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473770046.00007FF630680000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473799589.00007FF630681000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630600000_cbot.jbxd

Similarity

API ID: send$CopyCreateFileThreadmemsetperrorrecvsocket
String ID: %02x $154.213.192.42$Connected to C&C server$Connection failed. Retrying...$Disconnected from server. Retrying in 500ms...$Received %d bytes: $recv failed$win_x86_x64
API String ID: 1215720109-3681654477
Opcode ID: 52fefeefcdcf2a04f80c01cf7036b6e0bdcb3ce1ba97b7727e3dfdfb8c4737e3
Instruction ID: e02de8ab9662e2ce43414ba18a31ab9fb7121826e0ccb6a37146ab89defee320
Opcode Fuzzy Hash: 52fefeefcdcf2a04f80c01cf7036b6e0bdcb3ce1ba97b7727e3dfdfb8c4737e3
Instruction Fuzzy Hash: 14516021B5C6A2ADE725DB65E8507EC2764BB4678CF00003AD90DDB7ADDE2DD609F300

Function 00007FF630601190 Relevance: 13.7, APIs: 9, Instructions: 203
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 00007FF6306011F6
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF630601268
malloc.MSVCRT ref: 00007FF630601332
strlen.MSVCRT ref: 00007FF630601355
malloc.MSVCRT ref: 00007FF630601361
memcpy.MSVCRT ref: 00007FF630601375
GetStartupInfoA.KERNEL32 ref: 00007FF630601473

Memory Dump Source

Source File: 00000000.00000002.3473626775.00007FF630601000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF630600000, based on PE: true

Associated: 00000000.00000002.3473602807.00007FF630600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473626775.00007FF630611000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473626775.00007FF630615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473740086.00007FF63067F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473770046.00007FF630680000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473799589.00007FF630681000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630600000_cbot.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandledmemcpystrlen
String ID:
API String ID: 649803965-0
Opcode ID: e225db0f86b9ce421def3ab0fa0d7062bc5e7b1d61233733194764ee289550e2
Instruction ID: 5ffba0877f1e700bd8e047189d33f9ea0d3f733f43411ad90724329c6f4e19b1
Opcode Fuzzy Hash: e225db0f86b9ce421def3ab0fa0d7062bc5e7b1d61233733194764ee289550e2
Instruction Fuzzy Hash: AE816A31E8C666A5FB649F5AE85077923A1AF47788F444035DE0CCB399DE6DE98CB300

Function 00007FF6306033E2 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 74
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNELBASE ref: 00007FF630603521

Strings

CreateToolhelp32Snapshot failed. Error: %lu, xrefs: 00007FF63060343F

Memory Dump Source

Source File: 00000000.00000002.3473626775.00007FF630601000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF630600000, based on PE: true

Associated: 00000000.00000002.3473602807.00007FF630600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473626775.00007FF630611000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473626775.00007FF630615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473740086.00007FF63067F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473770046.00007FF630680000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473799589.00007FF630681000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630600000_cbot.jbxd

Similarity

API ID: Sleep
String ID: CreateToolhelp32Snapshot failed. Error: %lu
API String ID: 3472027048-731459797
Opcode ID: ae22be0987ea78f0aaeb91b8f08f01e6461eae328b81d81411c2ff8828f2edc0
Instruction ID: 91eb9e48cb46d8cfc1a3f7ea02f0990750e6a5ea0816f92e2309bb2582d0733c
Opcode Fuzzy Hash: ae22be0987ea78f0aaeb91b8f08f01e6461eae328b81d81411c2ff8828f2edc0
Instruction Fuzzy Hash: 02315031A4C7AAA8EB319B65D8443F823A4FB5635CF504136C51D9B7ADDE2CE54CB310

Function 00007FF6306043B9 Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 91
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6306040F0: _mbscpy.MSVCRT ref: 00007FF630604128

MoveFileA.KERNEL32 ref: 00007FF630604503

Strings

Error while deleting old file: %d, xrefs: 00007FF6306044DF
File renamed successfully to: %s, xrefs: 00007FF630604513
Old file with the same name deleted successfully., xrefs: 00007FF6306044C6
File does not exist in Startup to rename., xrefs: 00007FF63060453A
Error: Could not get Startup folder path., xrefs: 00007FF630604548
Error while renaming file: %d, xrefs: 00007FF63060452C
%s\%s, xrefs: 00007FF630604440, 00007FF630604488
svchost.exe, xrefs: 00007FF630604479

Memory Dump Source

Source File: 00000000.00000002.3473626775.00007FF630601000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF630600000, based on PE: true

Associated: 00000000.00000002.3473602807.00007FF630600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473626775.00007FF630611000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473626775.00007FF630615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473740086.00007FF63067F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473770046.00007FF630680000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473799589.00007FF630681000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630600000_cbot.jbxd

Similarity

API ID: FileMove_mbscpy
String ID: %s\%s$Error while deleting old file: %d$Error while renaming file: %d$Error: Could not get Startup folder path.$File does not exist in Startup to rename.$File renamed successfully to: %s$Old file with the same name deleted successfully.$svchost.exe
API String ID: 2828783803-2379623443
Opcode ID: 283c2b815b14451717e1a4ace5ca775bf56e5c860f8ccf1696d16ad81b1b3476
Instruction ID: 63f3ab4ef660468d24a33c3d9b8e4e09e8b69573e1cd6305db8ef89b4df346cb
Opcode Fuzzy Hash: 283c2b815b14451717e1a4ace5ca775bf56e5c860f8ccf1696d16ad81b1b3476
Instruction Fuzzy Hash: EA41ED65A4CA92A6EB31DB65EC503F92364AF4634CF404036D91D97BA9EE2CE64DF300

Function 00007FF630604146 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 63
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6306040F0: _mbscpy.MSVCRT ref: 00007FF630604128

CopyFileA.KERNEL32 ref: 00007FF630604212

Part of subcall function 00007FF6306043B9: MoveFileA.KERNEL32 ref: 00007FF630604503

Strings

File already exists in Startup., xrefs: 00007FF630604244
Error: Could not get Startup folder path., xrefs: 00007FF630604252
Error while copying file: %d, xrefs: 00007FF630604236
%s\%s, xrefs: 00007FF6306041CD
File copied to Startup successfully., xrefs: 00007FF630604218

Memory Dump Source

Source File: 00000000.00000002.3473626775.00007FF630601000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF630600000, based on PE: true

Associated: 00000000.00000002.3473602807.00007FF630600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473626775.00007FF630611000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473626775.00007FF630615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473740086.00007FF63067F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473770046.00007FF630680000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473799589.00007FF630681000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630600000_cbot.jbxd

Similarity

API ID: File$CopyMove_mbscpy
String ID: %s\%s$Error while copying file: %d$Error: Could not get Startup folder path.$File already exists in Startup.$File copied to Startup successfully.
API String ID: 655623600-1093518506
Opcode ID: b3a68b522b0c4e086914e0fe6ab555447e334a681f0e6ef4894ef28e4b9245cf
Instruction ID: 176adfca4fd9153a985afb9d49a7b5452177e8bb019dec25ee5928e9dd5204f8
Opcode Fuzzy Hash: b3a68b522b0c4e086914e0fe6ab555447e334a681f0e6ef4894ef28e4b9245cf
Instruction Fuzzy Hash: F521F0A1B5D662A5EB34DB61E8503F91350AF4674CF804032DA5DCBBADEE2CD649F340

Function 00007FF630603AE6 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 136
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32 ref: 00007FF630603B36
ioctlsocket.WS2_32 ref: 00007FF630603B8B
connect.WS2_32 ref: 00007FF630603BAE

Strings

Socket creation failed, xrefs: 00007FF630603B52

Memory Dump Source

Source File: 00000000.00000002.3473626775.00007FF630601000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF630600000, based on PE: true

Associated: 00000000.00000002.3473602807.00007FF630600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473626775.00007FF630611000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473626775.00007FF630615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473740086.00007FF63067F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473770046.00007FF630680000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473799589.00007FF630681000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630600000_cbot.jbxd

Similarity

API ID: connectioctlsocketsocket
String ID: Socket creation failed
API String ID: 3033478179-2728381879
Opcode ID: 3fca099bde09a1a059df5816efd18c7b1ebc4960c7c28b0057210e83bd6d0c1a
Instruction ID: ab5a9acaa1dc8ac52196d003cce8e51d745c970809dce9bc5989fbeb638c2f00
Opcode Fuzzy Hash: 3fca099bde09a1a059df5816efd18c7b1ebc4960c7c28b0057210e83bd6d0c1a
Instruction Fuzzy Hash: 87611D72748A968EE7748F69DC443D83365F78979DF104136CA1D9BBACDF389604A700

Function 00007FF630603A84 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 23
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE ref: 00007FF630603ABB

Strings

Failed to create thread. Error: %lu, xrefs: 00007FF630603AD3

Memory Dump Source

Source File: 00000000.00000002.3473626775.00007FF630601000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF630600000, based on PE: true

Associated: 00000000.00000002.3473602807.00007FF630600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473626775.00007FF630611000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473626775.00007FF630615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473740086.00007FF63067F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473770046.00007FF630680000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473799589.00007FF630681000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630600000_cbot.jbxd

Similarity

API ID: CreateThread
String ID: Failed to create thread. Error: %lu
API String ID: 2422867632-1876256139
Opcode ID: cd41cf2e5e1f9492d1ffe20eb3d477d557d5a9303e1400c434a624d3a7105117
Instruction ID: 77dc4b4183c3273771c13ff224ed5792ec11354a82e3e5be83eeb431c0e98253
Opcode Fuzzy Hash: cd41cf2e5e1f9492d1ffe20eb3d477d557d5a9303e1400c434a624d3a7105117
Instruction Fuzzy Hash: 8FF0E521F4C611A9F3009720F8513AA2760FB8174CF144134C90D8BBECCE3CDA4AA740

Non-executed Functions

Function 00007FF630602666 Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 114
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

free.MSVCRT ref: 00007FF6306026A8
memset.MSVCRT ref: 00007FF6306026D1
free.MSVCRT ref: 00007FF63060272E

Strings

c, xrefs: 00007FF63060279D
SAMPgy_, xrefs: 00007FF630602789

Memory Dump Source

Source File: 00000000.00000002.3473626775.00007FF630601000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF630600000, based on PE: true

Associated: 00000000.00000002.3473602807.00007FF630600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473626775.00007FF630611000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473626775.00007FF630615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473740086.00007FF63067F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473770046.00007FF630680000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473799589.00007FF630681000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630600000_cbot.jbxd

Similarity

API ID: free$memset
String ID: SAMPgy_$c
API String ID: 2717317152-1181286492
Opcode ID: 11a51b238fa7ff4f3de048e7e0399e496a3b39d4eba30ae5ff845e0166315fef
Instruction ID: 4b5d4132536ebc8149efa04f62b4d4b32780006b1705cad76dc3511fb7665e7e
Opcode Fuzzy Hash: 11a51b238fa7ff4f3de048e7e0399e496a3b39d4eba30ae5ff845e0166315fef
Instruction Fuzzy Hash: 96516D26F187259CFB44DBB6E8403AC27B0AB49B98F100539DE5E97BA9DF38C504A710

Function 00007FF630607DF0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 1312COMMON

Download Yara Rule

Strings

, xrefs: 00007FF630609208
, xrefs: 00007FF630609462
Infinity, xrefs: 00007FF630608106
NaN, xrefs: 00007FF63060807B

Memory Dump Source

Source File: 00000000.00000002.3473626775.00007FF630601000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF630600000, based on PE: true

Associated: 00000000.00000002.3473602807.00007FF630600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473626775.00007FF630611000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473626775.00007FF630615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473740086.00007FF63067F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473770046.00007FF630680000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473799589.00007FF630681000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630600000_cbot.jbxd

Similarity

API ID:
String ID: $ $Infinity$NaN
API String ID: 0-3274152445
Opcode ID: fa0095dd0704e67f1fdba37e40ff34f5250a2dc34ff6449e999dcc29cf86c872
Instruction ID: fd5281ef38c8f877ebd307d06ffbb2b84537111bf93a4642a4ad0d5f4d7738bf
Opcode Fuzzy Hash: fa0095dd0704e67f1fdba37e40ff34f5250a2dc34ff6449e999dcc29cf86c872
Instruction Fuzzy Hash: 1AC2D732A5C6529BD761CF25A04072A7791FB86788F105135EA8A97B8DDF3DE848FF00

Function 00007FF63060241D Relevance: 6.4, APIs: 5, Instructions: 128COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007FF63060245F
memset.MSVCRT ref: 00007FF630602488
free.MSVCRT ref: 00007FF6306024E5

Memory Dump Source

Source File: 00000000.00000002.3473626775.00007FF630601000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF630600000, based on PE: true

Associated: 00000000.00000002.3473602807.00007FF630600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473626775.00007FF630611000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473626775.00007FF630615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473740086.00007FF63067F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473770046.00007FF630680000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473799589.00007FF630681000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630600000_cbot.jbxd

Similarity

API ID: free$memset
String ID:
API String ID: 2717317152-0
Opcode ID: 4f8eb30e03a2088e02aa41d26e0366e703c7c16698a6fc90498e6d19936d4cc9
Instruction ID: 682d185aa611961aa2c525491bfea2a1e91d5bde733f355627e2afdcfb3336d2
Opcode Fuzzy Hash: 4f8eb30e03a2088e02aa41d26e0366e703c7c16698a6fc90498e6d19936d4cc9
Instruction Fuzzy Hash: C9514C76B18B259CFB54DBA6E8403AC37B0BB49B98F004135DE5DA7BA8DF38D544A700

Function 00007FF63060AA8A Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3473626775.00007FF630601000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF630600000, based on PE: true

Associated: 00000000.00000002.3473602807.00007FF630600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473626775.00007FF630611000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473626775.00007FF630615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473740086.00007FF63067F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473770046.00007FF630680000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473799589.00007FF630681000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630600000_cbot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a92a76f01a41839edb0db2aacd7120ad0be31812e7200489862737987be0680a
Instruction ID: 7dbdb2f680f2fac5505af72f0510429ebe8b33c6763a50d849f0f512f2101495
Opcode Fuzzy Hash: a92a76f01a41839edb0db2aacd7120ad0be31812e7200489862737987be0680a
Instruction Fuzzy Hash: B4B01233818D1288D3096F04CC016A063BCE386250F416430C05486796CE7CD112E514

Function 00007FF6306113DC Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3473626775.00007FF630611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF630600000, based on PE: true

Associated: 00000000.00000002.3473602807.00007FF630600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473626775.00007FF630601000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473626775.00007FF630615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473740086.00007FF63067F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473770046.00007FF630680000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473799589.00007FF630681000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630600000_cbot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c307f67adb8aff98d3f095286b2b700dfcb55a183617c16c72d4ace8312b7d4
Instruction ID: 038cc99b61fe1a58f79dc842e8ffe6d2d7c0790616e2838ebdfb41b054369831
Opcode Fuzzy Hash: 7c307f67adb8aff98d3f095286b2b700dfcb55a183617c16c72d4ace8312b7d4
Instruction Fuzzy Hash:

Function 00007FF630603660 Relevance: 13.7, APIs: 4, Strings: 5, Instructions: 171
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.MSVCRT ref: 00007FF6306037A2
atoi.MSVCRT ref: 00007FF6306037AE

Strings

Threads set to: %d, xrefs: 00007FF630603888
Unknown command, xrefs: 00007FF630603A6C
Packet size set to: %d bytes, xrefs: 00007FF6306037BB
Port set to: %d, xrefs: 00007FF630603816
%d.%d.%d.%d, xrefs: 00007FF6306036F0

Memory Dump Source

Source File: 00000000.00000002.3473626775.00007FF630601000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF630600000, based on PE: true

Associated: 00000000.00000002.3473602807.00007FF630600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473626775.00007FF630611000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473626775.00007FF630615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473740086.00007FF63067F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473770046.00007FF630680000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473799589.00007FF630681000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630600000_cbot.jbxd

Similarity

API ID: atoimemcpy
String ID: %d.%d.%d.%d$Packet size set to: %d bytes$Port set to: %d$Threads set to: %d$Unknown command
API String ID: 126230704-3691821516
Opcode ID: 761a1ce485632921bbffb7281cf2a6218fe9a642e71f4fdc5b2252f871c063eb
Instruction ID: bc889a60a2ac5ac2892809e16978224fea824dfec13819c64c3b3721a9ec7d34
Opcode Fuzzy Hash: 761a1ce485632921bbffb7281cf2a6218fe9a642e71f4fdc5b2252f871c063eb
Instruction Fuzzy Hash: 0D812F72F0C6609EEB00CBB5C4402AC3BB0AB4534CF408466EA5C97B99DE38D619EB44

Function 00007FF6306048B0 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 190
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualQuery.KERNEL32 ref: 00007FF6306049C9

Strings

VirtualQuery failed for %d bytes at address %p, xrefs: 00007FF630604B1C
Address %p has no image-section, xrefs: 00007FF630604920, 00007FF630604B30
VirtualProtect failed with code 0x%x, xrefs: 00007FF630604AC2
Mingw-w64 runtime failure:, xrefs: 00007FF6306048E8

Memory Dump Source

Source File: 00000000.00000002.3473626775.00007FF630601000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF630600000, based on PE: true

Associated: 00000000.00000002.3473602807.00007FF630600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473626775.00007FF630611000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473626775.00007FF630615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473740086.00007FF63067F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473770046.00007FF630680000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473799589.00007FF630681000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630600000_cbot.jbxd

Similarity

API ID: QueryVirtual
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 1804819252-1534286854
Opcode ID: d803b5b9f4712c63a583bc66fc2a8294c2c3be480b6b5a6bb31d90d251e6b5c6
Instruction ID: 0206fc944fbef590e3b863997cf47964bd66b39d43cca6921637a2e74fd78f33
Opcode Fuzzy Hash: d803b5b9f4712c63a583bc66fc2a8294c2c3be480b6b5a6bb31d90d251e6b5c6
Instruction Fuzzy Hash: 0B71EA72B8DA62A6EB208B55F84526973A0FB467A8F444135EF5C83798DE3CE449F300

Function 00007FF630601CA4 Relevance: 8.9, APIs: 7, Instructions: 154
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

free.MSVCRT ref: 00007FF630601CE3
malloc.MSVCRT ref: 00007FF630601CFE
free.MSVCRT ref: 00007FF630601D25

Memory Dump Source

Source File: 00000000.00000002.3473626775.00007FF630601000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF630600000, based on PE: true

Associated: 00000000.00000002.3473602807.00007FF630600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473626775.00007FF630611000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473626775.00007FF630615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473740086.00007FF63067F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473770046.00007FF630680000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473799589.00007FF630681000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630600000_cbot.jbxd

Similarity

API ID: free$malloc
String ID:
API String ID: 2190258309-0
Opcode ID: 3fdcc2ec0350fbc7881cfd62aa9810f02018ec7521ec9bc9f349b6b3c1acdd06
Instruction ID: 5d8d0663fe6d5c4a79dae75df45c4456d13039f09ac1c20b238a40562cc32561
Opcode Fuzzy Hash: 3fdcc2ec0350fbc7881cfd62aa9810f02018ec7521ec9bc9f349b6b3c1acdd06
Instruction Fuzzy Hash: 2C615171F08B1599EB04CBAAD8413AC27B1AB89B9CF104139CE1D9BBADDE3CD544A710

Function 00007FF630602842 Relevance: 8.9, APIs: 7, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

free.MSVCRT ref: 00007FF630602881
malloc.MSVCRT ref: 00007FF63060289C
free.MSVCRT ref: 00007FF6306028C3

Memory Dump Source

Source File: 00000000.00000002.3473626775.00007FF630601000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF630600000, based on PE: true

Associated: 00000000.00000002.3473602807.00007FF630600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473626775.00007FF630611000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473626775.00007FF630615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473740086.00007FF63067F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473770046.00007FF630680000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473799589.00007FF630681000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630600000_cbot.jbxd

Similarity

API ID: free$malloc
String ID:
API String ID: 2190258309-0
Opcode ID: 9323b672db99f97c56645a26587eadc63964ebb5107a1af4015708c92901af04
Instruction ID: a5d4b696bfca62d703f5267a50faab4578a1003b0e0e28d2b3f2a3b470fef191
Opcode Fuzzy Hash: 9323b672db99f97c56645a26587eadc63964ebb5107a1af4015708c92901af04
Instruction Fuzzy Hash: E9517176F08B2599EB04DBA6D8403AC23B1BB89B8CF004535DE1ED7BADDE38D504A310

Function 00007FF630603261 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

Process32Next.KERNEL32 ref: 00007FF630603395

Strings

Failed to open process: %s (PID: %u), xrefs: 00007FF63060337B
Terminated process: %s (PID: %u), xrefs: 00007FF63060335C
CreateToolhelp32Snapshot failed. Error: %lu, xrefs: 00007FF6306032A3

Memory Dump Source

Source File: 00000000.00000002.3473626775.00007FF630601000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF630600000, based on PE: true

Associated: 00000000.00000002.3473602807.00007FF630600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473626775.00007FF630611000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473626775.00007FF630615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473740086.00007FF63067F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473770046.00007FF630680000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473799589.00007FF630681000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630600000_cbot.jbxd

Similarity

API ID: NextProcess32
String ID: CreateToolhelp32Snapshot failed. Error: %lu$Failed to open process: %s (PID: %u)$Terminated process: %s (PID: %u)
API String ID: 1850201408-153003829
Opcode ID: e181661efe4dd773058fb5c019e7242ec3b384c34b7989fb4873058b68cdb20b
Instruction ID: f7be78ab5fd4ddf29c34359f0d7ed67bcd36011f539e4a1b71b88d3b592ba41d
Opcode Fuzzy Hash: e181661efe4dd773058fb5c019e7242ec3b384c34b7989fb4873058b68cdb20b
Instruction Fuzzy Hash: B7316331B4C7A699EB24DBA5D8843ED2365BB8679CF004136C91C8BBADDE28D548E340

Function 00007FF630609620 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 52sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,00000000,Infinity,00007FF63060975F,?,?,?,?,00000000,Infinity,00007FF630607C04,?,00000000,00000003,00007FF630608118), ref: 00007FF63060964D
RtlInitializeCriticalSection.NTDLL ref: 00007FF63060968D
RtlInitializeCriticalSection.NTDLL ref: 00007FF630609696

Strings

Infinity, xrefs: 00007FF630609620

Memory Dump Source

Source File: 00000000.00000002.3473626775.00007FF630601000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF630600000, based on PE: true

Associated: 00000000.00000002.3473602807.00007FF630600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473626775.00007FF630611000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473626775.00007FF630615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473740086.00007FF63067F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473770046.00007FF630680000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473799589.00007FF630681000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630600000_cbot.jbxd

Similarity

API ID: CriticalInitializeSection$Sleep
String ID: Infinity
API String ID: 1960909292-1015270809
Opcode ID: 2b3a132f51e9cd6b10359d2b6f53ec181f5f3bad216d3bdb832c5de5ecd3c170
Instruction ID: 91f085f47cf30659d5805003952519b9496466186c8b099a039de1a0794dfac2
Opcode Fuzzy Hash: 2b3a132f51e9cd6b10359d2b6f53ec181f5f3bad216d3bdb832c5de5ecd3c170
Instruction Fuzzy Hash: C9113D3196C836A5FA198B19E8A01B42252FF4730CF540631D80DCA3A8DE7EE84DFB50

Function 00007FF6306022C9 Relevance: 6.3, APIs: 5, Instructions: 87COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007FF630602308
memset.MSVCRT ref: 00007FF630602329
rand.MSVCRT ref: 00007FF630602363
memset.MSVCRT ref: 00007FF630602393
free.MSVCRT ref: 00007FF63060240D

Memory Dump Source

Source File: 00000000.00000002.3473626775.00007FF630601000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF630600000, based on PE: true

Associated: 00000000.00000002.3473602807.00007FF630600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473626775.00007FF630611000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473626775.00007FF630615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473740086.00007FF63067F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473770046.00007FF630680000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473799589.00007FF630681000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630600000_cbot.jbxd

Similarity

API ID: freememset$rand
String ID:
API String ID: 2025389305-0
Opcode ID: 4480c9dfa61de757a7f1f0e5d6dc5bea86d1d3a71a6a449468cd70b262eee5fd
Instruction ID: 67b012e06858b02ab050ada71b66dee65c2dba9deac654dd38ac4cf46fe40097
Opcode Fuzzy Hash: 4480c9dfa61de757a7f1f0e5d6dc5bea86d1d3a71a6a449468cd70b262eee5fd
Instruction Fuzzy Hash: 48315271B1872599EB04DBA5D8503AC23B0AB497ACF004635DD6ED7BE9DF3CD504A300

Function 00007FF63060A3A0 Relevance: 6.1, APIs: 4, Instructions: 92COMMON

Download Yara Rule

APIs

IsDBCSLeadByteEx.KERNEL32 ref: 00007FF63060A3FA
MultiByteToWideChar.KERNEL32 ref: 00007FF63060A43A

Memory Dump Source

Source File: 00000000.00000002.3473626775.00007FF630601000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF630600000, based on PE: true

Associated: 00000000.00000002.3473602807.00007FF630600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473626775.00007FF630611000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473626775.00007FF630615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473740086.00007FF63067F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473770046.00007FF630680000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473799589.00007FF630681000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630600000_cbot.jbxd

Similarity

API ID: Byte$CharLeadMultiWide
String ID:
API String ID: 2561704868-0
Opcode ID: 98b7f6bf3ad1004ecf0cff6562c8d77fed0c02d9e6fb996009e33322c1bcc7a6
Instruction ID: fe9defc33a04a32a7ef886ba19083c37b853dc537ef4b9de96bc3f516ac6e791
Opcode Fuzzy Hash: 98b7f6bf3ad1004ecf0cff6562c8d77fed0c02d9e6fb996009e33322c1bcc7a6
Instruction Fuzzy Hash: 4531B376A4C29186E3608B28B80436D66D0BB927D8F548235DA98C7BDCDE7DD48CAB00

Function 00007FF630604B40 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 209COMMON

Download Yara Rule

Strings

Unknown pseudo relocation bit size %d., xrefs: 00007FF630604E04
Unknown pseudo relocation protocol version %d., xrefs: 00007FF630604E18

Memory Dump Source

Source File: 00000000.00000002.3473626775.00007FF630601000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF630600000, based on PE: true

Associated: 00000000.00000002.3473602807.00007FF630600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473626775.00007FF630611000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473626775.00007FF630615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473740086.00007FF63067F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473770046.00007FF630680000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473799589.00007FF630681000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630600000_cbot.jbxd

Similarity

API ID:
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
API String ID: 0-395989641
Opcode ID: 76e62dfac5ded097740ec0d1c05d2b01f578fe877c8bdf0b2acdc5b6a318c470
Instruction ID: 777d8c119ae41d6c67e6e60be417e5f84006822d9c6dce640e935909e5191d26
Opcode Fuzzy Hash: 76e62dfac5ded097740ec0d1c05d2b01f578fe877c8bdf0b2acdc5b6a318c470
Instruction Fuzzy Hash: 0B71D6A2F4C665A7FB209B61E4047A96791BF46BACF544130DE1C97B9CDE3CE448F600

Function 00007FF630609750 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF630609620: Sleep.KERNEL32(?,?,00000000,Infinity,00007FF63060975F,?,?,?,?,00000000,Infinity,00007FF630607C04,?,00000000,00000003,00007FF630608118), ref: 00007FF63060964D

malloc.MSVCRT ref: 00007FF630609787
RtlLeaveCriticalSection.NTDLL ref: 00007FF6306097DF

Strings

Infinity, xrefs: 00007FF630609750

Memory Dump Source

Source File: 00000000.00000002.3473626775.00007FF630601000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF630600000, based on PE: true

Associated: 00000000.00000002.3473602807.00007FF630600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473626775.00007FF630611000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473626775.00007FF630615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473740086.00007FF63067F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473770046.00007FF630680000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473799589.00007FF630681000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630600000_cbot.jbxd

Similarity

API ID: CriticalLeaveSectionSleepmalloc
String ID: Infinity
API String ID: 1993596536-1015270809
Opcode ID: 583c81eff2bc653449be8c5b22903ef88f54eda45f881fdddad083b71c83a9c0
Instruction ID: 302687b500b34af1b4136fd84be96027bbdc235ca9e9cf2604f0776ca42c6b5a
Opcode Fuzzy Hash: 583c81eff2bc653449be8c5b22903ef88f54eda45f881fdddad083b71c83a9c0
Instruction Fuzzy Hash: C1219272F6CA26A2EE18CF05E4503B96392BB46788F458235C91D873A8DF7CA54CF740

Function 00007FF6306047A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF630604820

Strings

Unknown error, xrefs: 00007FF63060488C
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF630604807

Memory Dump Source

Source File: 00000000.00000002.3473626775.00007FF630601000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF630600000, based on PE: true

Associated: 00000000.00000002.3473602807.00007FF630600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473626775.00007FF630611000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473626775.00007FF630615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473740086.00007FF63067F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473770046.00007FF630680000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473799589.00007FF630681000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630600000_cbot.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: f7e8b77a0b0dff4a7c8fd560446d4c8046c86c2a5a0ae3229943de372c0eb2c5
Instruction ID: 8ba0b6fbc4c585e157bf0a4094bc377ddee5284eebb5f833f4896b5b2f38a565
Opcode Fuzzy Hash: f7e8b77a0b0dff4a7c8fd560446d4c8046c86c2a5a0ae3229943de372c0eb2c5
Instruction Fuzzy Hash: 6001CE62C4CF9483D2018F18D8001BA7330FB5F79CF25A325EA8C66719DF28E59AE700

Function 00007FF630604880 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF630604820

Strings

Total loss of significance (TLOSS), xrefs: 00007FF630604880
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF630604807

Memory Dump Source

Source File: 00000000.00000002.3473626775.00007FF630601000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF630600000, based on PE: true

Associated: 00000000.00000002.3473602807.00007FF630600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473626775.00007FF630611000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473626775.00007FF630615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473740086.00007FF63067F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473770046.00007FF630680000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473799589.00007FF630681000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630600000_cbot.jbxd

Similarity

API ID: fprintf
String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4273532761
Opcode ID: 2555366b7f243d5c5750147fe3f99058101b7cdae7e235ce5a55a443d9b88822
Instruction ID: 23133f633c2e78d3cca7ee133ede5a93d3f2dacf3487be897d4e827e8e57fd95
Opcode Fuzzy Hash: 2555366b7f243d5c5750147fe3f99058101b7cdae7e235ce5a55a443d9b88822
Instruction Fuzzy Hash: A6F06262C9CE9482D2129F1CA8000BB7330FF4F79CF245325EE8D66759DF28E58AA700

Function 00007FF630604860 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF630604820

Strings

Overflow range error (OVERFLOW), xrefs: 00007FF630604860
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF630604807

Memory Dump Source

Source File: 00000000.00000002.3473626775.00007FF630601000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF630600000, based on PE: true

Associated: 00000000.00000002.3473602807.00007FF630600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473626775.00007FF630611000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473626775.00007FF630615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473740086.00007FF63067F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473770046.00007FF630680000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473799589.00007FF630681000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630600000_cbot.jbxd

Similarity

API ID: fprintf
String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4064033741
Opcode ID: 30eeda8bdb12080cde567a8558e119721110e6916e5ac3dcb8fdf4791492d7ce
Instruction ID: b0fd790d1af1c391b2bbb5ba7642811a5c8048e9e3acad8031c29ff7fa8c10b0
Opcode Fuzzy Hash: 30eeda8bdb12080cde567a8558e119721110e6916e5ac3dcb8fdf4791492d7ce
Instruction Fuzzy Hash: D7F06262C5CE9482D2129F1CA8000BB7330FF4F79CF145325EE8D66759DF28E58AA700

Function 00007FF630604870 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF630604820

Strings

The result is too small to be represented (UNDERFLOW), xrefs: 00007FF630604870
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF630604807

Memory Dump Source

Source File: 00000000.00000002.3473626775.00007FF630601000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF630600000, based on PE: true

Associated: 00000000.00000002.3473602807.00007FF630600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473626775.00007FF630611000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473626775.00007FF630615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473740086.00007FF63067F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473770046.00007FF630680000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473799589.00007FF630681000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630600000_cbot.jbxd

Similarity

API ID: fprintf
String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2187435201
Opcode ID: f4b68061637c4e869876cc2b07be9ae89b12cec57d0ec52bd52edc14d149258f
Instruction ID: 1fc7d949402cf0a51626e81a3f482056adb91f20b1d34266e24c2c71f1ae328e
Opcode Fuzzy Hash: f4b68061637c4e869876cc2b07be9ae89b12cec57d0ec52bd52edc14d149258f
Instruction Fuzzy Hash: C1F04F62C4CE9482D2029F18A8001AA7330FB4E79CF245325EA8D66759DF28E58AA700

Function 00007FF630604840 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF630604820

Strings

Argument domain error (DOMAIN), xrefs: 00007FF630604840
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF630604807

Memory Dump Source

Source File: 00000000.00000002.3473626775.00007FF630601000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF630600000, based on PE: true

Associated: 00000000.00000002.3473602807.00007FF630600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473626775.00007FF630611000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473626775.00007FF630615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473740086.00007FF63067F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473770046.00007FF630680000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473799589.00007FF630681000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630600000_cbot.jbxd

Similarity

API ID: fprintf
String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2713391170
Opcode ID: 709d1337b431af56bb765744f32365ef71057d2f3adb48a5db82197e702a3b57
Instruction ID: d851adaaa479b6d8f18790887f236f7945b6c1ef83abcc578626e001ee7686fd
Opcode Fuzzy Hash: 709d1337b431af56bb765744f32365ef71057d2f3adb48a5db82197e702a3b57
Instruction Fuzzy Hash: 97F06262C5CE9482D2129F1CA8000BB7330FF4F79CF245725EE8D66759DF28E58AA700

Function 00007FF630604850 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF630604820

Strings

Partial loss of significance (PLOSS), xrefs: 00007FF630604850
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF630604807

Memory Dump Source

Source File: 00000000.00000002.3473626775.00007FF630601000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF630600000, based on PE: true

Associated: 00000000.00000002.3473602807.00007FF630600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473626775.00007FF630611000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473626775.00007FF630615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473740086.00007FF63067F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473770046.00007FF630680000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473799589.00007FF630681000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630600000_cbot.jbxd

Similarity

API ID: fprintf
String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4283191376
Opcode ID: ef8ff845aa821fedd75d124928bf110435547eefecd6d81b6760bdc6d9931a3a
Instruction ID: 584d809866da5058794199c7b614e84e3d6158fe8a7744de71942e5959a00226
Opcode Fuzzy Hash: ef8ff845aa821fedd75d124928bf110435547eefecd6d81b6760bdc6d9931a3a
Instruction Fuzzy Hash: 5BF06262C5CE9482D2129F1CA8000BB7330FF4F79CF145326EE8D66759DF28E58AA700

Function 00007FF6306047D8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF630604820

Strings

Argument singularity (SIGN), xrefs: 00007FF6306047D8
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF630604807

Memory Dump Source

Source File: 00000000.00000002.3473626775.00007FF630601000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF630600000, based on PE: true

Associated: 00000000.00000002.3473602807.00007FF630600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473626775.00007FF630611000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473626775.00007FF630615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473740086.00007FF63067F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473770046.00007FF630680000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473799589.00007FF630681000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630600000_cbot.jbxd

Similarity

API ID: fprintf
String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2468659920
Opcode ID: bffe1eaf3389dee2b12e3729f9d500de9cab9793a4ff0cf748dbcce5efa7edf7
Instruction ID: d8d6449dc7e5ef258a72786635cdc47b4189fef42d124f78b038987bf4313830
Opcode Fuzzy Hash: bffe1eaf3389dee2b12e3729f9d500de9cab9793a4ff0cf748dbcce5efa7edf7
Instruction Fuzzy Hash: 09F01D22D4CE9492D202DF18A8001AB7370FB5E79DF149726EE8D6A659DF28E586A700

Function 00007FF6306015C0 Relevance: 5.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007FF6306015FF
memset.MSVCRT ref: 00007FF630601620
memset.MSVCRT ref: 00007FF63060168F
free.MSVCRT ref: 00007FF63060176E

Memory Dump Source

Source File: 00000000.00000002.3473626775.00007FF630601000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF630600000, based on PE: true

Associated: 00000000.00000002.3473602807.00007FF630600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473626775.00007FF630611000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473626775.00007FF630615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473740086.00007FF63067F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473770046.00007FF630680000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473799589.00007FF630681000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630600000_cbot.jbxd

Similarity

API ID: freememset
String ID:
API String ID: 2499939622-0
Opcode ID: 8337257afa241cc28aafe8cf9f7202994b655755b37db60b13fdb6ff63783a31
Instruction ID: 365b8d64cfe69da2b1a4c8f40c92443e17a058676f2ba38ffc82b4499e3ca9ee
Opcode Fuzzy Hash: 8337257afa241cc28aafe8cf9f7202994b655755b37db60b13fdb6ff63783a31
Instruction Fuzzy Hash: 72415561B18B159CEB04DBAADC503AC2771AB89BA8F004635CD2D9B7E9DE3DD604A300

Function 00007FF63060214D Relevance: 5.1, APIs: 4, Instructions: 77COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007FF6306021A6
memset.MSVCRT ref: 00007FF6306021CA
memset.MSVCRT ref: 00007FF630602225
free.MSVCRT ref: 00007FF6306022B6

Memory Dump Source

Source File: 00000000.00000002.3473626775.00007FF630601000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF630600000, based on PE: true

Associated: 00000000.00000002.3473602807.00007FF630600000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473626775.00007FF630611000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473626775.00007FF630615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473740086.00007FF63067F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473770046.00007FF630680000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3473799589.00007FF630681000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630600000_cbot.jbxd

Similarity

API ID: freememset
String ID:
API String ID: 2499939622-0
Opcode ID: 9f44535f6fd749539bcc271d37f089827b23007be47d33ba420ed4f177ea1149
Instruction ID: 85f9c9b57e1ad83c7f0bd75a53dcbf8204bfc7476294c2bb5bdc86f468360251
Opcode Fuzzy Hash: 9f44535f6fd749539bcc271d37f089827b23007be47d33ba420ed4f177ea1149
Instruction Fuzzy Hash: 74315025708B959AEB759F65E8403E92364EB49B9CF000136DA1D8BBA9DF7DD304A300

Analysis Process: svchost.exePID: 5056, Parent PID: 4084COMMON

Execution Graph

Execution Coverage:	7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	613
Total number of Limit Nodes:	5

Executed Functions

Function 00007FF609A01190 Relevance: 13.7, APIs: 9, Instructions: 203
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 00007FF609A011F6
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF609A01268
malloc.MSVCRT ref: 00007FF609A01332
strlen.MSVCRT ref: 00007FF609A01355
malloc.MSVCRT ref: 00007FF609A01361
memcpy.MSVCRT ref: 00007FF609A01375
GetStartupInfoA.KERNEL32 ref: 00007FF609A01473

Memory Dump Source

Source File: 00000002.00000002.3473614797.00007FF609A01000.00000040.00000001.01000000.00000005.sdmp, Offset: 00007FF609A00000, based on PE: true

Associated: 00000002.00000002.3473589222.00007FF609A00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473614797.00007FF609A11000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473614797.00007FF609A15000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473726277.00007FF609A7F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473754724.00007FF609A80000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473782365.00007FF609A81000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff609a00000_svchost.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandledmemcpystrlen
String ID:
API String ID: 649803965-0
Opcode ID: e225db0f86b9ce421def3ab0fa0d7062bc5e7b1d61233733194764ee289550e2
Instruction ID: cfbb1b05f79a7edd766c8a721f9dd3a509af4e24e9db0fe47a073b67b084d343
Opcode Fuzzy Hash: e225db0f86b9ce421def3ab0fa0d7062bc5e7b1d61233733194764ee289550e2
Instruction Fuzzy Hash: A9815935E0D74685FBA09F55E8947B933A7AF8AB84F644135DE4DC33A1DE2DE8848700

Function 00007FF609A03D58 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 122
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF609A03A84: CreateThread.KERNELBASE ref: 00007FF609A03ABB

Part of subcall function 00007FF609A03AE6: socket.WS2_32 ref: 00007FF609A03B36

send.WS2_32 ref: 00007FF609A03E25
send.WS2_32 ref: 00007FF609A03E73
memset.MSVCRT ref: 00007FF609A03EB0
recv.WS2_32 ref: 00007FF609A03ED3
perror.MSVCRT ref: 00007FF609A03EEB

Strings

%02x , xrefs: 00007FF609A03F30
recv failed, xrefs: 00007FF609A03EE4
Connected to C&C server, xrefs: 00007FF609A03DEB
Disconnected from server. Retrying in 500ms..., xrefs: 00007FF609A03F85
Received %d bytes: , xrefs: 00007FF609A03F06
win_x86_x64, xrefs: 00007FF609A03E27
Connection failed. Retrying..., xrefs: 00007FF609A03DCC
154.213.192.42, xrefs: 00007FF609A03D94

Memory Dump Source

Source File: 00000002.00000002.3473614797.00007FF609A01000.00000040.00000001.01000000.00000005.sdmp, Offset: 00007FF609A00000, based on PE: true

Associated: 00000002.00000002.3473589222.00007FF609A00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473614797.00007FF609A11000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473614797.00007FF609A15000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473726277.00007FF609A7F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473754724.00007FF609A80000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473782365.00007FF609A81000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff609a00000_svchost.jbxd

Similarity

API ID: send$CreateThreadmemsetperrorrecvsocket
String ID: %02x $154.213.192.42$Connected to C&C server$Connection failed. Retrying...$Disconnected from server. Retrying in 500ms...$Received %d bytes: $recv failed$win_x86_x64
API String ID: 1679048947-3681654477
Opcode ID: 52fefeefcdcf2a04f80c01cf7036b6e0bdcb3ce1ba97b7727e3dfdfb8c4737e3
Instruction ID: 93a51665f3cf9d394b418c2283b495ea3e877f70c37bdb599cb41364144e993f
Opcode Fuzzy Hash: 52fefeefcdcf2a04f80c01cf7036b6e0bdcb3ce1ba97b7727e3dfdfb8c4737e3
Instruction Fuzzy Hash: A6512021B186828DFB21DF65E8917ED3772AB85788F20003ADA0D9B7A5DE3DE605C340

Function 00007FF609A033E2 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 74
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNELBASE ref: 00007FF609A03521

Strings

CreateToolhelp32Snapshot failed. Error: %lu, xrefs: 00007FF609A0343F

Memory Dump Source

Source File: 00000002.00000002.3473614797.00007FF609A01000.00000040.00000001.01000000.00000005.sdmp, Offset: 00007FF609A00000, based on PE: true

Associated: 00000002.00000002.3473589222.00007FF609A00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473614797.00007FF609A11000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473614797.00007FF609A15000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473726277.00007FF609A7F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473754724.00007FF609A80000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473782365.00007FF609A81000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff609a00000_svchost.jbxd

Similarity

API ID: Sleep
String ID: CreateToolhelp32Snapshot failed. Error: %lu
API String ID: 3472027048-731459797
Opcode ID: ae22be0987ea78f0aaeb91b8f08f01e6461eae328b81d81411c2ff8828f2edc0
Instruction ID: 53debfed7cbe686823190c8b7cb821351584c6271653e1d9c8b4b1b8f9da247e
Opcode Fuzzy Hash: ae22be0987ea78f0aaeb91b8f08f01e6461eae328b81d81411c2ff8828f2edc0
Instruction Fuzzy Hash: 71314121E0878A89EF709F65E8443FC33A2FB95758F604136CA1D9B7E9DE2DE5548310

Function 00007FF609A03AE6 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 136
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32 ref: 00007FF609A03B36
ioctlsocket.WS2_32 ref: 00007FF609A03B8B
connect.WS2_32 ref: 00007FF609A03BAE

Strings

Socket creation failed, xrefs: 00007FF609A03B52

Memory Dump Source

Source File: 00000002.00000002.3473614797.00007FF609A01000.00000040.00000001.01000000.00000005.sdmp, Offset: 00007FF609A00000, based on PE: true

Associated: 00000002.00000002.3473589222.00007FF609A00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473614797.00007FF609A11000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473614797.00007FF609A15000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473726277.00007FF609A7F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473754724.00007FF609A80000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473782365.00007FF609A81000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff609a00000_svchost.jbxd

Similarity

API ID: connectioctlsocketsocket
String ID: Socket creation failed
API String ID: 3033478179-2728381879
Opcode ID: 3fca099bde09a1a059df5816efd18c7b1ebc4960c7c28b0057210e83bd6d0c1a
Instruction ID: 62b9140e86fbbfeef1a15d0787c9fa9e721936e09654fa285a413ecc27f9ca7b
Opcode Fuzzy Hash: 3fca099bde09a1a059df5816efd18c7b1ebc4960c7c28b0057210e83bd6d0c1a
Instruction Fuzzy Hash: 3A61DF72704A868EDB748F69DC843EC37A2F789798F644136DA1D9BBA8DF38D5408700

Function 00007FF609A03A84 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 23
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE ref: 00007FF609A03ABB

Strings

Failed to create thread. Error: %lu, xrefs: 00007FF609A03AD3

Memory Dump Source

Source File: 00000002.00000002.3473614797.00007FF609A01000.00000040.00000001.01000000.00000005.sdmp, Offset: 00007FF609A00000, based on PE: true

Associated: 00000002.00000002.3473589222.00007FF609A00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473614797.00007FF609A11000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473614797.00007FF609A15000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473726277.00007FF609A7F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473754724.00007FF609A80000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473782365.00007FF609A81000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff609a00000_svchost.jbxd

Similarity

API ID: CreateThread
String ID: Failed to create thread. Error: %lu
API String ID: 2422867632-1876256139
Opcode ID: cd41cf2e5e1f9492d1ffe20eb3d477d557d5a9303e1400c434a624d3a7105117
Instruction ID: 78d13614197957c42713189168fedd61d71d4e610b4cd0aef0bec3e43e20f68d
Opcode Fuzzy Hash: cd41cf2e5e1f9492d1ffe20eb3d477d557d5a9303e1400c434a624d3a7105117
Instruction Fuzzy Hash: 07F06521F0860589F7509F61F8553BA3762E784748F244135C54D9BBA4DE3DE9428740

Non-executed Functions

Function 00007FF609A02666 Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 114COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007FF609A026A8
memset.MSVCRT ref: 00007FF609A026D1
free.MSVCRT ref: 00007FF609A0272E

Strings

SAMPgy_, xrefs: 00007FF609A02789
c, xrefs: 00007FF609A0279D

Memory Dump Source

Source File: 00000002.00000002.3473614797.00007FF609A01000.00000040.00000001.01000000.00000005.sdmp, Offset: 00007FF609A00000, based on PE: true

Associated: 00000002.00000002.3473589222.00007FF609A00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473614797.00007FF609A11000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473614797.00007FF609A15000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473726277.00007FF609A7F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473754724.00007FF609A80000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473782365.00007FF609A81000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff609a00000_svchost.jbxd

Similarity

API ID: free$memset
String ID: SAMPgy_$c
API String ID: 2717317152-1181286492
Opcode ID: 11a51b238fa7ff4f3de048e7e0399e496a3b39d4eba30ae5ff845e0166315fef
Instruction ID: 1fca54fd38e06a5134283d0230c7b6a57d57773b9e9d3c35c149daa62f7a8c3d
Opcode Fuzzy Hash: 11a51b238fa7ff4f3de048e7e0399e496a3b39d4eba30ae5ff845e0166315fef
Instruction Fuzzy Hash: 92514C26F147148CFB50DFA6E8543AC37B1AB89B98F200539DE6D97BA9DF38C5008710

Function 00007FF609A0241D Relevance: 6.4, APIs: 5, Instructions: 128COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007FF609A0245F
memset.MSVCRT ref: 00007FF609A02488
free.MSVCRT ref: 00007FF609A024E5

Memory Dump Source

Source File: 00000002.00000002.3473614797.00007FF609A01000.00000040.00000001.01000000.00000005.sdmp, Offset: 00007FF609A00000, based on PE: true

Associated: 00000002.00000002.3473589222.00007FF609A00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473614797.00007FF609A11000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473614797.00007FF609A15000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473726277.00007FF609A7F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473754724.00007FF609A80000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473782365.00007FF609A81000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff609a00000_svchost.jbxd

Similarity

API ID: free$memset
String ID:
API String ID: 2717317152-0
Opcode ID: 4f8eb30e03a2088e02aa41d26e0366e703c7c16698a6fc90498e6d19936d4cc9
Instruction ID: 028c54ee633531521b620cf821e772ad3b848cff9df57e0c5ef0007e4fec23e8
Opcode Fuzzy Hash: 4f8eb30e03a2088e02aa41d26e0366e703c7c16698a6fc90498e6d19936d4cc9
Instruction Fuzzy Hash: 42514A66B14B148CFB50DFA6E8443AC37B5BB88B98F204539DE5DA7BA8DF38D5408700

Function 00007FF609A03660 Relevance: 13.7, APIs: 4, Strings: 5, Instructions: 171
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.MSVCRT ref: 00007FF609A037A2
atoi.MSVCRT ref: 00007FF609A037AE

Strings

%d.%d.%d.%d, xrefs: 00007FF609A036F0
Threads set to: %d, xrefs: 00007FF609A03888
Packet size set to: %d bytes, xrefs: 00007FF609A037BB
Port set to: %d, xrefs: 00007FF609A03816
Unknown command, xrefs: 00007FF609A03A6C

Memory Dump Source

Source File: 00000002.00000002.3473614797.00007FF609A01000.00000040.00000001.01000000.00000005.sdmp, Offset: 00007FF609A00000, based on PE: true

Associated: 00000002.00000002.3473589222.00007FF609A00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473614797.00007FF609A11000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473614797.00007FF609A15000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473726277.00007FF609A7F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473754724.00007FF609A80000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473782365.00007FF609A81000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff609a00000_svchost.jbxd

Similarity

API ID: atoimemcpy
String ID: %d.%d.%d.%d$Packet size set to: %d bytes$Port set to: %d$Threads set to: %d$Unknown command
API String ID: 126230704-3691821516
Opcode ID: 761a1ce485632921bbffb7281cf2a6218fe9a642e71f4fdc5b2252f871c063eb
Instruction ID: e30820a0ffb31f66713911bdad6c60595065f0c1ade2f19e6f70e667eedc27a4
Opcode Fuzzy Hash: 761a1ce485632921bbffb7281cf2a6218fe9a642e71f4fdc5b2252f871c063eb
Instruction Fuzzy Hash: C8812AB2F086509EEB00CFA9C4852EC3BB1AB85348F504476EA5D97B9ADE3CD615CB40

Function 00007FF609A048B0 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 00007FF609A049C9

Strings

VirtualProtect failed with code 0x%x, xrefs: 00007FF609A04AC2
VirtualQuery failed for %d bytes at address %p, xrefs: 00007FF609A04B1C
Address %p has no image-section, xrefs: 00007FF609A04920, 00007FF609A04B30
Mingw-w64 runtime failure:, xrefs: 00007FF609A048E8

Memory Dump Source

Source File: 00000002.00000002.3473614797.00007FF609A01000.00000040.00000001.01000000.00000005.sdmp, Offset: 00007FF609A00000, based on PE: true

Associated: 00000002.00000002.3473589222.00007FF609A00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473614797.00007FF609A11000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473614797.00007FF609A15000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473726277.00007FF609A7F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473754724.00007FF609A80000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473782365.00007FF609A81000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff609a00000_svchost.jbxd

Similarity

API ID: QueryVirtual
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 1804819252-1534286854
Opcode ID: d803b5b9f4712c63a583bc66fc2a8294c2c3be480b6b5a6bb31d90d251e6b5c6
Instruction ID: f354b5e79bf946f175276716233b43dd36a1006398bfd5fc4db96963540ff70d
Opcode Fuzzy Hash: d803b5b9f4712c63a583bc66fc2a8294c2c3be480b6b5a6bb31d90d251e6b5c6
Instruction Fuzzy Hash: 6071C472B09B4286EB109F55F84566977A2FB8A7E4F644235EF5C833A0EE3CE485C700

Function 00007FF609A01CA4 Relevance: 8.9, APIs: 7, Instructions: 154COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007FF609A01CE3
malloc.MSVCRT ref: 00007FF609A01CFE
free.MSVCRT ref: 00007FF609A01D25

Memory Dump Source

Source File: 00000002.00000002.3473614797.00007FF609A01000.00000040.00000001.01000000.00000005.sdmp, Offset: 00007FF609A00000, based on PE: true

Associated: 00000002.00000002.3473589222.00007FF609A00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473614797.00007FF609A11000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473614797.00007FF609A15000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473726277.00007FF609A7F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473754724.00007FF609A80000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473782365.00007FF609A81000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff609a00000_svchost.jbxd

Similarity

API ID: free$malloc
String ID:
API String ID: 2190258309-0
Opcode ID: 3fdcc2ec0350fbc7881cfd62aa9810f02018ec7521ec9bc9f349b6b3c1acdd06
Instruction ID: 803952ff5a06cd5e24035f05581953b4b391032b3332b6127369a487f2017a41
Opcode Fuzzy Hash: 3fdcc2ec0350fbc7881cfd62aa9810f02018ec7521ec9bc9f349b6b3c1acdd06
Instruction Fuzzy Hash: E3615075F08B058DEB44DFAAD8553AC37B2AB89B98F204139CE1D97BA9DE3CD5408710

Function 00007FF609A02842 Relevance: 8.9, APIs: 7, Instructions: 121COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007FF609A02881
malloc.MSVCRT ref: 00007FF609A0289C
free.MSVCRT ref: 00007FF609A028C3

Memory Dump Source

Source File: 00000002.00000002.3473614797.00007FF609A01000.00000040.00000001.01000000.00000005.sdmp, Offset: 00007FF609A00000, based on PE: true

Associated: 00000002.00000002.3473589222.00007FF609A00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473614797.00007FF609A11000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473614797.00007FF609A15000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473726277.00007FF609A7F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473754724.00007FF609A80000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473782365.00007FF609A81000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff609a00000_svchost.jbxd

Similarity

API ID: free$malloc
String ID:
API String ID: 2190258309-0
Opcode ID: 9323b672db99f97c56645a26587eadc63964ebb5107a1af4015708c92901af04
Instruction ID: 4737d029605fa57535f522d000b786d51afb38194dbe2a98544a664d80349a31
Opcode Fuzzy Hash: 9323b672db99f97c56645a26587eadc63964ebb5107a1af4015708c92901af04
Instruction Fuzzy Hash: 54517C66F04B1589EB04DFA6D8443AC33B2BB88B98F204539DE2D97BA9DF38D5008310

Function 00007FF609A03261 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

Process32Next.KERNEL32 ref: 00007FF609A03395

Strings

CreateToolhelp32Snapshot failed. Error: %lu, xrefs: 00007FF609A032A3
Failed to open process: %s (PID: %u), xrefs: 00007FF609A0337B
Terminated process: %s (PID: %u), xrefs: 00007FF609A0335C

Memory Dump Source

Source File: 00000002.00000002.3473614797.00007FF609A01000.00000040.00000001.01000000.00000005.sdmp, Offset: 00007FF609A00000, based on PE: true

Associated: 00000002.00000002.3473589222.00007FF609A00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473614797.00007FF609A11000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473614797.00007FF609A15000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473726277.00007FF609A7F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473754724.00007FF609A80000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473782365.00007FF609A81000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff609a00000_svchost.jbxd

Similarity

API ID: NextProcess32
String ID: CreateToolhelp32Snapshot failed. Error: %lu$Failed to open process: %s (PID: %u)$Terminated process: %s (PID: %u)
API String ID: 1850201408-153003829
Opcode ID: e181661efe4dd773058fb5c019e7242ec3b384c34b7989fb4873058b68cdb20b
Instruction ID: 0ddb50a38dec3cf4e1f083a6ca5f92e62c746c01dd78e4dc69f36e00e6e6a9e8
Opcode Fuzzy Hash: e181661efe4dd773058fb5c019e7242ec3b384c34b7989fb4873058b68cdb20b
Instruction Fuzzy Hash: 20314521B0474649EF60DFA5D8843ED3362FB99798F204136CA1C9BBA9DE2CD545C340

Function 00007FF609A09620 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 52sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,00000000,Infinity,00007FF609A0975F,?,?,?,?,00000000,Infinity,00007FF609A07C04,?,00000000,00000003,00007FF609A08118), ref: 00007FF609A0964D
RtlInitializeCriticalSection.NTDLL ref: 00007FF609A0968D
RtlInitializeCriticalSection.NTDLL ref: 00007FF609A09696

Strings

Infinity, xrefs: 00007FF609A09620

Memory Dump Source

Source File: 00000002.00000002.3473614797.00007FF609A01000.00000040.00000001.01000000.00000005.sdmp, Offset: 00007FF609A00000, based on PE: true

Associated: 00000002.00000002.3473589222.00007FF609A00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473614797.00007FF609A11000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473614797.00007FF609A15000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473726277.00007FF609A7F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473754724.00007FF609A80000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473782365.00007FF609A81000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff609a00000_svchost.jbxd

Similarity

API ID: CriticalInitializeSection$Sleep
String ID: Infinity
API String ID: 1960909292-1015270809
Opcode ID: 2b3a132f51e9cd6b10359d2b6f53ec181f5f3bad216d3bdb832c5de5ecd3c170
Instruction ID: 71339d40d0485eed905afccb6f8918fe9dfa3e2271309c7311fd1c930eebbf47
Opcode Fuzzy Hash: 2b3a132f51e9cd6b10359d2b6f53ec181f5f3bad216d3bdb832c5de5ecd3c170
Instruction Fuzzy Hash: 6311D732D2D51686FB569F18E8A51B63293FFC6750F780531D94EC63A2DE2DE885CB00

Function 00007FF609A022C9 Relevance: 6.3, APIs: 5, Instructions: 87COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007FF609A02308
memset.MSVCRT ref: 00007FF609A02329
rand.MSVCRT ref: 00007FF609A02363
memset.MSVCRT ref: 00007FF609A02393
free.MSVCRT ref: 00007FF609A0240D

Memory Dump Source

Source File: 00000002.00000002.3473614797.00007FF609A01000.00000040.00000001.01000000.00000005.sdmp, Offset: 00007FF609A00000, based on PE: true

Associated: 00000002.00000002.3473589222.00007FF609A00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473614797.00007FF609A11000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473614797.00007FF609A15000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473726277.00007FF609A7F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473754724.00007FF609A80000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473782365.00007FF609A81000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff609a00000_svchost.jbxd

Similarity

API ID: freememset$rand
String ID:
API String ID: 2025389305-0
Opcode ID: 4480c9dfa61de757a7f1f0e5d6dc5bea86d1d3a71a6a449468cd70b262eee5fd
Instruction ID: 827cc2f2d3c92db98ccfc0bf02a8d54dfaf9b8a2d2327b3aa670f23b9ea41ba2
Opcode Fuzzy Hash: 4480c9dfa61de757a7f1f0e5d6dc5bea86d1d3a71a6a449468cd70b262eee5fd
Instruction Fuzzy Hash: 5C313C25B18B0589EB40DFA5E8543AC33B2AB897A8F204635DE6DD7BE9DF3DD5008710

Function 00007FF609A0A3A0 Relevance: 6.1, APIs: 4, Instructions: 92COMMON

Download Yara Rule

APIs

IsDBCSLeadByteEx.KERNEL32 ref: 00007FF609A0A3FA
MultiByteToWideChar.KERNEL32 ref: 00007FF609A0A43A

Memory Dump Source

Source File: 00000002.00000002.3473614797.00007FF609A01000.00000040.00000001.01000000.00000005.sdmp, Offset: 00007FF609A00000, based on PE: true

Associated: 00000002.00000002.3473589222.00007FF609A00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473614797.00007FF609A11000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473614797.00007FF609A15000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473726277.00007FF609A7F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473754724.00007FF609A80000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473782365.00007FF609A81000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff609a00000_svchost.jbxd

Similarity

API ID: Byte$CharLeadMultiWide
String ID:
API String ID: 2561704868-0
Opcode ID: 98b7f6bf3ad1004ecf0cff6562c8d77fed0c02d9e6fb996009e33322c1bcc7a6
Instruction ID: 1229c91a2e1db160d37c8e4d4d0dfd04b6002ee1c31d1c95283b4ada4f40d2f4
Opcode Fuzzy Hash: 98b7f6bf3ad1004ecf0cff6562c8d77fed0c02d9e6fb996009e33322c1bcc7a6
Instruction Fuzzy Hash: 8E31B676A0C78186E3608F24B44836D7692BBD1794F648235DA98C7BD9DF3ED484CB00

Function 00007FF609A04B40 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 209COMMON

Download Yara Rule

Strings

Unknown pseudo relocation protocol version %d., xrefs: 00007FF609A04E18
Unknown pseudo relocation bit size %d., xrefs: 00007FF609A04E04

Memory Dump Source

Source File: 00000002.00000002.3473614797.00007FF609A01000.00000040.00000001.01000000.00000005.sdmp, Offset: 00007FF609A00000, based on PE: true

Associated: 00000002.00000002.3473589222.00007FF609A00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473614797.00007FF609A11000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473614797.00007FF609A15000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473726277.00007FF609A7F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473754724.00007FF609A80000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473782365.00007FF609A81000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff609a00000_svchost.jbxd

Similarity

API ID:
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
API String ID: 0-395989641
Opcode ID: 76e62dfac5ded097740ec0d1c05d2b01f578fe877c8bdf0b2acdc5b6a318c470
Instruction ID: 5e2aaac3bf9b5fee26a1d3a77cc176551a6015ec272095b22ab1a0648b0e1d25
Opcode Fuzzy Hash: 76e62dfac5ded097740ec0d1c05d2b01f578fe877c8bdf0b2acdc5b6a318c470
Instruction Fuzzy Hash: 1971D362F1865686EB109F21E4447A977E2FF99BA8F648231DF1C977A4EE3CE440C700

Function 00007FF609A09750 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF609A09620: Sleep.KERNEL32(?,?,00000000,Infinity,00007FF609A0975F,?,?,?,?,00000000,Infinity,00007FF609A07C04,?,00000000,00000003,00007FF609A08118), ref: 00007FF609A0964D

malloc.MSVCRT ref: 00007FF609A09787
RtlLeaveCriticalSection.NTDLL ref: 00007FF609A097DF

Strings

Infinity, xrefs: 00007FF609A09750

Memory Dump Source

Source File: 00000002.00000002.3473614797.00007FF609A01000.00000040.00000001.01000000.00000005.sdmp, Offset: 00007FF609A00000, based on PE: true

Associated: 00000002.00000002.3473589222.00007FF609A00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473614797.00007FF609A11000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473614797.00007FF609A15000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473726277.00007FF609A7F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473754724.00007FF609A80000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473782365.00007FF609A81000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff609a00000_svchost.jbxd

Similarity

API ID: CriticalLeaveSectionSleepmalloc
String ID: Infinity
API String ID: 1993596536-1015270809
Opcode ID: 583c81eff2bc653449be8c5b22903ef88f54eda45f881fdddad083b71c83a9c0
Instruction ID: eeab870e5db9ba7cd43702ec285cb4291d954fb9cfb5f91e8928122f4e11e97e
Opcode Fuzzy Hash: 583c81eff2bc653449be8c5b22903ef88f54eda45f881fdddad083b71c83a9c0
Instruction Fuzzy Hash: 9E216A72F1861A82EF24CF05E4903BA73A2BBD5784F658239CA1D873A1DF3CA594C740

Function 00007FF609A047A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF609A04820

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF609A04807
Unknown error, xrefs: 00007FF609A0488C

Memory Dump Source

Source File: 00000002.00000002.3473614797.00007FF609A01000.00000040.00000001.01000000.00000005.sdmp, Offset: 00007FF609A00000, based on PE: true

Associated: 00000002.00000002.3473589222.00007FF609A00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473614797.00007FF609A11000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473614797.00007FF609A15000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473726277.00007FF609A7F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473754724.00007FF609A80000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473782365.00007FF609A81000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff609a00000_svchost.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: f7e8b77a0b0dff4a7c8fd560446d4c8046c86c2a5a0ae3229943de372c0eb2c5
Instruction ID: 07c3335e32148e8fae350210df796025decec6ebd0af7ac5a91608f5e346be5c
Opcode Fuzzy Hash: f7e8b77a0b0dff4a7c8fd560446d4c8046c86c2a5a0ae3229943de372c0eb2c5
Instruction Fuzzy Hash: 43015E62D1CF8482D7018F18D8001BA7372FBAE799F25A335EB8D66665DF28E596C700

Function 00007FF609A04860 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF609A04820

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF609A04807
Overflow range error (OVERFLOW), xrefs: 00007FF609A04860

Memory Dump Source

Source File: 00000002.00000002.3473614797.00007FF609A01000.00000040.00000001.01000000.00000005.sdmp, Offset: 00007FF609A00000, based on PE: true

Associated: 00000002.00000002.3473589222.00007FF609A00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473614797.00007FF609A11000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473614797.00007FF609A15000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473726277.00007FF609A7F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473754724.00007FF609A80000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473782365.00007FF609A81000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff609a00000_svchost.jbxd

Similarity

API ID: fprintf
String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4064033741
Opcode ID: 30eeda8bdb12080cde567a8558e119721110e6916e5ac3dcb8fdf4791492d7ce
Instruction ID: 01e70587219d84101c76f62bd86c5b4e2734a267c980ccf8b72bc9548b44570a
Opcode Fuzzy Hash: 30eeda8bdb12080cde567a8558e119721110e6916e5ac3dcb8fdf4791492d7ce
Instruction Fuzzy Hash: B5F06D12C08F8482D3029F1CA4000AB7332FF9E798F286336EF8D6A655DF28E5828700

Function 00007FF609A04870 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF609A04820

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF609A04807
The result is too small to be represented (UNDERFLOW), xrefs: 00007FF609A04870

Memory Dump Source

Source File: 00000002.00000002.3473614797.00007FF609A01000.00000040.00000001.01000000.00000005.sdmp, Offset: 00007FF609A00000, based on PE: true

Associated: 00000002.00000002.3473589222.00007FF609A00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473614797.00007FF609A11000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473614797.00007FF609A15000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473726277.00007FF609A7F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473754724.00007FF609A80000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473782365.00007FF609A81000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff609a00000_svchost.jbxd

Similarity

API ID: fprintf
String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2187435201
Opcode ID: f4b68061637c4e869876cc2b07be9ae89b12cec57d0ec52bd52edc14d149258f
Instruction ID: 5ca20f33202464d7cf307d6508fe5fea32cb4726bf15a30844296be552dd6690
Opcode Fuzzy Hash: f4b68061637c4e869876cc2b07be9ae89b12cec57d0ec52bd52edc14d149258f
Instruction Fuzzy Hash: 6AF06D12C08F8482D3029F1CA4001AB7332FF8E798F285336EF8D6A655DF28E5828700

Function 00007FF609A04840 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF609A04820

Strings

Argument domain error (DOMAIN), xrefs: 00007FF609A04840
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF609A04807

Memory Dump Source

Source File: 00000002.00000002.3473614797.00007FF609A01000.00000040.00000001.01000000.00000005.sdmp, Offset: 00007FF609A00000, based on PE: true

Associated: 00000002.00000002.3473589222.00007FF609A00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473614797.00007FF609A11000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473614797.00007FF609A15000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473726277.00007FF609A7F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473754724.00007FF609A80000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473782365.00007FF609A81000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff609a00000_svchost.jbxd

Similarity

API ID: fprintf
String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2713391170
Opcode ID: 709d1337b431af56bb765744f32365ef71057d2f3adb48a5db82197e702a3b57
Instruction ID: 897eebabbecd9253b5c979dd741d0acb2fd7f7d1e21cb1a924ca20b6fc96a3a8
Opcode Fuzzy Hash: 709d1337b431af56bb765744f32365ef71057d2f3adb48a5db82197e702a3b57
Instruction Fuzzy Hash: 0AF06212C08F8482D3029F1CA4000BB7332FF9E798F245735EF8D66655DF28E5828700

Function 00007FF609A04850 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF609A04820

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF609A04807
Partial loss of significance (PLOSS), xrefs: 00007FF609A04850

Memory Dump Source

Source File: 00000002.00000002.3473614797.00007FF609A01000.00000040.00000001.01000000.00000005.sdmp, Offset: 00007FF609A00000, based on PE: true

Associated: 00000002.00000002.3473589222.00007FF609A00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473614797.00007FF609A11000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473614797.00007FF609A15000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473726277.00007FF609A7F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473754724.00007FF609A80000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473782365.00007FF609A81000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff609a00000_svchost.jbxd

Similarity

API ID: fprintf
String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4283191376
Opcode ID: ef8ff845aa821fedd75d124928bf110435547eefecd6d81b6760bdc6d9931a3a
Instruction ID: 2efaa0c4706ae10d2a57cbb43f396d89bc5baf29967fc236b3a80b94dbbb5eaf
Opcode Fuzzy Hash: ef8ff845aa821fedd75d124928bf110435547eefecd6d81b6760bdc6d9931a3a
Instruction Fuzzy Hash: 50F06252C08F8482D3029F1CA4000AB7331FF9E798F245336EF8D66655DF28E5828700

Function 00007FF609A04880 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF609A04820

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF609A04807
Total loss of significance (TLOSS), xrefs: 00007FF609A04880

Memory Dump Source

Source File: 00000002.00000002.3473614797.00007FF609A01000.00000040.00000001.01000000.00000005.sdmp, Offset: 00007FF609A00000, based on PE: true

Associated: 00000002.00000002.3473589222.00007FF609A00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473614797.00007FF609A11000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473614797.00007FF609A15000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473726277.00007FF609A7F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473754724.00007FF609A80000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473782365.00007FF609A81000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff609a00000_svchost.jbxd

Similarity

API ID: fprintf
String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4273532761
Opcode ID: 2555366b7f243d5c5750147fe3f99058101b7cdae7e235ce5a55a443d9b88822
Instruction ID: 55c62191cd3e17f9ce5ee36f53f4d2f74cd6c2a0485033995be3df437d708bd3
Opcode Fuzzy Hash: 2555366b7f243d5c5750147fe3f99058101b7cdae7e235ce5a55a443d9b88822
Instruction Fuzzy Hash: 6DF06D16C48F8482D3029F1CA4001AB7332FF9E798F286336EF8D6A655DF28E5828700

Function 00007FF609A047D8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF609A04820

Strings

Argument singularity (SIGN), xrefs: 00007FF609A047D8
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF609A04807

Memory Dump Source

Source File: 00000002.00000002.3473614797.00007FF609A01000.00000040.00000001.01000000.00000005.sdmp, Offset: 00007FF609A00000, based on PE: true

Associated: 00000002.00000002.3473589222.00007FF609A00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473614797.00007FF609A11000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473614797.00007FF609A15000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473726277.00007FF609A7F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473754724.00007FF609A80000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473782365.00007FF609A81000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff609a00000_svchost.jbxd

Similarity

API ID: fprintf
String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2468659920
Opcode ID: bffe1eaf3389dee2b12e3729f9d500de9cab9793a4ff0cf748dbcce5efa7edf7
Instruction ID: 5918f26418e8385ae690f02a32db4872906debae026ed4342721df5b0ea249fc
Opcode Fuzzy Hash: bffe1eaf3389dee2b12e3729f9d500de9cab9793a4ff0cf748dbcce5efa7edf7
Instruction Fuzzy Hash: 10F01D16D48F8482D302DF18A4001AB7371FB9E799F255736EE8D6A655DF28E5828700

Function 00007FF609A015C0 Relevance: 5.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007FF609A015FF
memset.MSVCRT ref: 00007FF609A01620
memset.MSVCRT ref: 00007FF609A0168F
free.MSVCRT ref: 00007FF609A0176E

Memory Dump Source

Source File: 00000002.00000002.3473614797.00007FF609A01000.00000040.00000001.01000000.00000005.sdmp, Offset: 00007FF609A00000, based on PE: true

Associated: 00000002.00000002.3473589222.00007FF609A00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473614797.00007FF609A11000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473614797.00007FF609A15000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473726277.00007FF609A7F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473754724.00007FF609A80000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473782365.00007FF609A81000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff609a00000_svchost.jbxd

Similarity

API ID: freememset
String ID:
API String ID: 2499939622-0
Opcode ID: 8337257afa241cc28aafe8cf9f7202994b655755b37db60b13fdb6ff63783a31
Instruction ID: 74dca95a4f8696ce482e9eebcdcd8c985218ae70a5dc4460bfd222daf2f0e46c
Opcode Fuzzy Hash: 8337257afa241cc28aafe8cf9f7202994b655755b37db60b13fdb6ff63783a31
Instruction Fuzzy Hash: 6F412E25F19B0588EB40DFA6D8543EC3772AB89BA8F204635CE2D977E9DE39D6408300

Function 00007FF609A0214D Relevance: 5.1, APIs: 4, Instructions: 77COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007FF609A021A6
memset.MSVCRT ref: 00007FF609A021CA
memset.MSVCRT ref: 00007FF609A02225
free.MSVCRT ref: 00007FF609A022B6

Memory Dump Source

Source File: 00000002.00000002.3473614797.00007FF609A01000.00000040.00000001.01000000.00000005.sdmp, Offset: 00007FF609A00000, based on PE: true

Associated: 00000002.00000002.3473589222.00007FF609A00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473614797.00007FF609A11000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473614797.00007FF609A15000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473726277.00007FF609A7F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473754724.00007FF609A80000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3473782365.00007FF609A81000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff609a00000_svchost.jbxd

Similarity

API ID: freememset
String ID:
API String ID: 2499939622-0
Opcode ID: 9f44535f6fd749539bcc271d37f089827b23007be47d33ba420ed4f177ea1149
Instruction ID: f900994c84f1c5f3245f9d916f08417458cbf37c5b214664a433e39e84686b73
Opcode Fuzzy Hash: 9f44535f6fd749539bcc271d37f089827b23007be47d33ba420ed4f177ea1149
Instruction Fuzzy Hash: 6B316B25708BC58AEB759F65E8443E93369E788B98F100136DA1D8BBA9DF7DD3008300

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report cbot.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cbot.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cbot.exe:Zone.Identifier

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe (copy)

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Windows Analysis Report
cbot.exe

Function 00007FF630603D58 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 122
networkCOMMON

Function 00007FF630601190 Relevance: 13.7, APIs: 9, Instructions: 203
sleepstringCOMMON

Function 00007FF6306033E2 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 74
COMMON

Function 00007FF6306043B9 Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 91
fileCOMMON

Function 00007FF630604146 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 63
fileCOMMON

Function 00007FF630603AE6 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 136
networkCOMMON

Function 00007FF630603A84 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 23
threadCOMMON

Function 00007FF630602666 Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 114
COMMON

Function 00007FF630603660 Relevance: 13.7, APIs: 4, Strings: 5, Instructions: 171
COMMON

Function 00007FF6306048B0 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 190
COMMON

Function 00007FF630601CA4 Relevance: 8.9, APIs: 7, Instructions: 154
COMMON

Function 00007FF630602842 Relevance: 8.9, APIs: 7, Instructions: 121
COMMON

Function 00007FF609A01190 Relevance: 13.7, APIs: 9, Instructions: 203
sleepstringCOMMON

Function 00007FF609A03D58 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 122
networkCOMMON

Function 00007FF609A033E2 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 74
COMMON

Function 00007FF609A03AE6 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 136
networkCOMMON

Function 00007FF609A03A84 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 23
threadCOMMON